The former US government cyber security chief has called for the military to target organised criminal gangs of hackers who launch ransomware attacks on companies and governments.
Chris Krebs, the ex-head of the US Cybersecurity and Infrastructure Security Agency, told the Financial Times the country needed to be more aggressive in hitting back against hackers who hold organisations to ransom by encrypting their data systems and demanding a fee to unfreeze them.
He suggested military cyber attackers could try to deter gangs using ransomware by publishing their private details, a tactic known as doxing. “You’ve got to go after the bad guys, and I’m not just talking about law enforcement,” Krebs said in an interview with the FT.
He added: “You actually deploy title ten employees [civilians employed by the military], like Cyber Command, and you deploy intelligence capabilities. You direct message them, saying, ‘We know who you are, stop or we’re going to come after you, using information warfare.’ You dox them. There are things you can do.”
Krebs’s comments run counter to orthodox thinking in the cyber security establishment. Experts tend to warn companies against “hacking back” at ransomware attackers, given that it can be difficult to establish which adversary they are dealing with or their capabilities.
Ransomware attacks have become increasingly prevalent in recent years as criminals have taken advantage of the widespread use of cryptocurrencies such as bitcoin to collect payment without being tracked. The shift to remote working during the pandemic has left businesses more vulnerable to attacks.
The practice has become more common in part due to the development of the “ransomware-as-a-service” market, where sophisticated hackers rent out their expertise to criminals who lack the coding skills needed to launch an attack.
The number of attacks increased by about 40 per cent in the first three quarters of 2020 compared with the same period last year, from 142m cases to 200m, according to data from SonicWall, a data security company.
Meanwhile, the average ransom payout more than doubled from $84,000 in the final quarter of 2019 to nearly $234,000 in the third quarter of 2020, according to an analysis by Atlas VPN, a virtual private network service.
As head of CISA, Krebs was in charge of monitoring online threats from foreign countries. He was fired by then president Donald Trump just before it emerged that suspected Russian hackers had infiltrated the systems of several companies and US government departments in one of the most widespread attacks in recent years.
Krebs is now helping deal with the fallout from that attack as a consultant to SolarWinds, the technology company whose software was compromised. But he told the FT such large-scale state-backed hacks are now less of a threat than widespread ransomware attacks carried out by private criminals.
“You’ve got to start with what really matters the most and then you work out from there,” he said. “So from that perspective . . . ransomware is the biggest threat.”
In recent years, US state and municipal governments have increasingly come under ransomware attack. Atlanta has been targeted, while Baltimore was attacked twice in the space of two years. “States are buying cyber insurance,” Krebs said. “How crazy is that?”
He added: “We have to have a broader set of tools to stop this stuff, because it is systematically undermining the state and local governments’ ability to provide services.”
While Krebs said he wanted to see the US government take more aggressive action against ransomware attackers, he added that companies also needed to tighten up their cyber security practices, especially given so many employees are now working from home.
“[Working from home] is introducing vulnerabilities, exposures, it changes the risk surface,” he said. “Can you push [software] updates? Can you refresh [security] certificates? The issue of home dirty Wi-Fi is a problem . . . The Russians, in the past, have compromised home routers.”
He added that technology companies themselves could also help fix the problem by making their own networks and services more secure.
“A lot of this could be solved by tech companies enforcing certain policies at the enterprise level,” he said, specifically mentioning making people confirm their identity on more than one device before logging in. “Default multi-factor authentication would do a whole bunch of good.”