‘Integrity Above All’ is the mantra needed for the ransomware era
As ransomware continues to be one of the best low-risk, high-return business models in existence, an approach to security that puts integrity above all should become the credo for everyone in cyber.
OPINION By ANDREW BOCHMAN
Late novelist David Foster Wallace probably doesn’t get mentioned much in cybersecurity articles. Maybe he should be. Consider his “This is Water” 2005 graduation talk at Kenyon College. Its key themes were awareness of and compassion for others, with the title referencing, from an aquarium fish’s perspective, the substance that is everywhere around it. Everyone working in cybersecurity should listen to this speech, as many remain blissfully blinded. We’re aware of the sharks, but somehow confident they will seek other prey in the immersive digital realm in which we all dwell. Those sharks are the always-hungry ransomware criminals.
For those who’ve had the luxury of focusing on other digital threats, ransomware has been on a tear of late, with payment sizes rising by a factor of five in the past year. Frequency has been increasing as well, coupled with the fact that roughly 80% of the organizations that paid a ransom were attacked again shortly afterward. As cybersecurity company Fortinet stated, “There is no good news about ransomware statistics.” And for those who’ve been diligent and careful with their backup procedures: “Even if a company can restore data from backups, leaked data from a company that refuses to pay ransom may appear on database websites operated by threat actors.”
Ransomware has been hitting companies and governments for decades, but it really took off with the advent of Bitcoin. Ransomware group Gameover ZeuS delivered the first attack demanding cryptocurrency payment in 2013, and it has remained the preferred method of collection ever since.
Consider the ransomware attack on — and response from — one of the most important pipelines in the US. In May 2021, a Colonial Pipeline employee was surprised by a pop-up message on their screen from the cybercrime gang DarkSide. The company swung into immediate, decisive action.
What Colonial did was exceptional — even before it grappled with the question of payment or nonpayment. While some of its key IT systems were frozen, within an hour it elected to entirely halt the flow of the liquid fuels that a major part of the US South and Eastern Seaboard depend on — gas for cars, diesel for trucks, jet fuel for planes and much more. Though employees remain unable to comment on the event, it is abundantly clear that the company, and in particular its leadership, had prepared for this eventuality.
Part of the rationale for halting the shipment of their products was that they couldn’t say with confidence which product types were headed to which customers and how much they were charging for them. But in talks with individuals close to the action, the other factor was that they didn’t know if attackers had gained control of their operational systems — the digital systems that control the pumps, motors and compressors that create the pressure that moves fuel across hundreds or thousands of miles to its final destination. If those systems had been accessed and mis-operated by a malicious adversary, they could be driven to destruction. Were that to have happened, we’d still be living with the aftershocks. Think about that.
When an industrial company — and in particular a critical infrastructure company — harbors serious concerns that its operational technology networks and systems are compromised, it needs to quickly cease operations. This is a decision that will — and should — involve the entire C-suite. Companies need to consider shifting their thinking and their priorities toward long-term viability over the status quo of short-term optimization. This should hold true in the energy sector and all of critical manufacturing.
But more than three years after the Colonial Pipeline attack, we remain far from any kind of “shift in consciousness.” I recently attended one of the foremost OT cybersecurity conferences in the world. And just by happenstance, I found myself sipping coffee before the proceedings with a young man whose badge revealed he was a cyber lead from a different US pipeline company. I introduced myself and asked whether his company was ready for ransomware and whether it had learned or implemented lessons from Colonial Pipeline.
The answer I got was shocking. He flat out said no, that he and his team were all running as fast as they could just to keep things going, cybersecurity-wise, and that there was no time for discretionary activities such as preparing for ransomware, let alone planning for or practicing response.
As ransomware continues to be one of the best low-risk, high-return business models in existence, an approach to security that puts integrity above all should become the mantra for every security team working in operational technology, and in any other sector for that matter. Every time ransomware strikes — and it will continue to strike — what appears to involve only information technology teams will invariably concern operational technology, too. And that means the stakes aren’t just whether or not to shell out $1, $3 or $5 million for a hopefully rapid return to business as usual; the actual stakes may be much higher, all the way up to the viability of the victim company itself.
Ransomware shouldn’t pollute the digital waters we all swim in — and maybe someday it won’t. But pretending or hoping otherwise is to ignore reality and put everyone — companies and their customers — in grave peril.
Andrew Bochman is a speaker, writer and adviser for the US Department of Energy’s Idaho National Laboratory on cybersecurity, climate and other critical infrastructure risks. His second book, “Defending Civilization: Notes from the Front Lines,” is scheduled for publication in May 2025.