On 7 May 2021, Colonial Pipeline, the largest petroleum pipeline in the US, was shut down following a cyber attack. It remained closed for five days, causing panic buying, fuel shortages and national security soul-searching. For cybersecurity experts, the most surprising element of this episode was that a key part of US infrastructure was not brought down by the actions of a hostile state (at least directly), but by a small group of cyber-criminals deploying a devastating form of online extortion software: ransomware.
After gaining access to a company or individual’s system, the attacker will make files inaccessible in some way. At the lower end of the scale, the malicious programme may simply lock the computer, an easily fixable situation for an IT professional and no great problem for a large company. But when deployed by more sophisticated attackers, the software will encrypt the victim’s files so effectively that recovering them without the decryption key is virtually impossible.
The Colonial Pipeline ransomware attack was just one of several high-profile events that have struck ostensibly secure organisations over recent months. May 2021 also saw a ransomware attack on meat processor JBS Foods, a $53bn company that is deemed vital to US food security. The attack, which led to closure of some of the company’s facilities, was reportedly ended after an $11m ransom was paid.
While the scale and severity of recent attacks has surprised many, the growing popularity of ransomware comes as no surprise to specialists in the field.
‘My first response to the upsurge in ransomware attacks lately was that we analysts have been warning about this for over a decade, and we all predicted this was going to happen’, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations.
‘Now it’s here we have another round of gnashing of teeth, but opportunities to mitigate the danger have been missed time and time again over the intervening years.’
Fortunately, even for those who may have missed the early warning signs, hope is not lost. GC speaks to some of the leading counsel and cyber experts to find out what the rise of ransomware means for business, and what lawyers can do to help prepare their defences.
The unlocked door
The rise in attacks affecting everything from water and energy utilities to fuel distribution systems is a sign of things to come. From a cybersecurity perspective, the truly frightening aspect of these attacks is that, once systems have been compromised, there is little IT professionals can do to regain control. Bhavani Thuraisingham, Founders Chair Professor of Computer Science and the Executive Director of the Cyber Security Institute at The University of Texas at Dallas, comments:
‘When the malware enters the system, it has access to almost everything, and in a ransomware attack [hackers] will encrypt everything and demand a payment in exchange for the key to unlock the files. As of today, AES 256 encryption cannot realistically be broken with modern computing methods. Unfortunately, this means that if the attack progresses to this stage, you have really no access to anything in the system unless you get the key to decrypt the data’.
Richard Forno, senior lecturer in the University of Maryland, Baltimore County Department of Computer Science and Electrical Engineering, puts it even more succinctly: ‘If you haven’t been conducting cybersecurity best practices and a sophisticated attack takes hold of your systems, you’re screwed’.
As a result, victims of high-profile ransomware attacks have been left with little option but to pay up. In the case of Colonial Pipeline, hackers demanded a ransom payment of $4.4m in the form of bitcoin, which they promptly received in exchange for codes to unlock the company’s systems.
More troublingly, the lines of attack hackers are exploiting are not easy to defend against. For example, phishing attacks in which members of staff are fooled into downloading malicious software by seemingly genuine emails are becoming increasingly effective. This, says Forno, is increasingly dangerous given the rise of social media as a means of validating an unknown person’s identity.
‘Using artificial intelligence and machine learning, you can identify, develop and even create fake personas that are very detailed. This can allow you to make a phishing email that is much more convincing to the target, particularly if
you’re targeting a particular individual, such as the CEO of a company.
What’s more, even those who follow every reasonable security protocol and measure can, unwittingly, become a victim of the more sophisticated hacks. Increasingly, [malicious] software is being downloaded through perfectly legitimate websites via ad networks. [If a hacker] is able to compromise a content or software distribution network, malware could be injected into this such that users of a legitimate website would then be downloading malware through the network.’
React and respond – preparing for times of crisis
As the realities of new digital attack vectors and how to respond to them become increasingly evident for major corporates and their counsel, leading private practice practitioners from the WSG network share their insights and advice to help businesses prepare for the worst.
‘Ransom attacks, including larger supply chain-type attacks, continue to lead the headlines and pose a sophisticated threat to a business’s ability to operate or recover, now more than ever,’ says Batya Forsyth, partner at Hanson Bridgett and co-leader of the firm’s privacy, cybersecurity and information governance practice.
With cyberattacks increasing in frequency, severity and variety, the need for general counsel and their teams to be prepared to react and respond accordingly has fast become a business imperative, irrespective of company size or sector.
‘A response plan should set the expectations high for the organisation,’ says John Babione, a partner at Dinsmore & Shohl LLP.
‘Responding effectively to security incidents and potential data breaches should be emphasised as critical to the success, and in some cases survival, of the organisation.’
Exactly what a response plan looks like will be different for every organisation, with individual risk factors and tolerances both likely to heavily influence the final plan and procedures. However, the experts we spoke to agree on several common elements that featured in successful response plans.
‘A good security response plan sets forth a process that is easy to understand at all team levels – from general staff to general counsel – and functions well across a variety of attack scenarios,’ says Forsyth.
‘Most importantly, the plan must explain how the plan gets triggered, who makes that decision, who needs to know about that decision and the first next step for the team.’
Getting buy-in from the wider organisation and ensuring that everyone understands their individual roles in times of crisis were also seen as essential parts of successfully managing a response, with time often a critical but limited commodity in any attack scenario.
‘The plan should enlist all affected personnel as partners in a team effort in which everyone knows their daily efforts and diligence on the front line are valuable and needed,’ says Babione.
This engagement though, shouldn’t be limited to times of crisis says Babione, who instead advocates for an always-on approach to monitoring for threats and being prepared to respond – an approach that emphasises mitigation as much as it does preparedness.
‘To do this, the day-to-day IT environment, applications and tools must support and encourage employees to be watchdogs, looking for trouble and reporting it up the chain of command,’ he explains.
‘This engagement of the workforce and management as the hands and feet of the response plan turn the plan from a piece of paper into what it needs to be – the means by which the organisation can respond quickly to incidents to prevent them from turning into a data breach or other harmful cyberattack.’
This type of attack, say the cybersecurity experts interviewed for this report, has already been detected on some of the world’s largest website, often with little or no awareness among their users.
Adds Thuraisingham: ‘Ransomware spares no one. It could attack an 80-year-old great grandmother, a major financial company or even critical infrastructure. With that said, the more pain the attacker causes, the more publicity they get and the more money they can extort; sectors that allow them to cause maximum damage may therefore be more vulnerable. These will include major hospitals, government organisations and, especially, financial companies.’
Of course, cyber experts are aware that ransomware attacks are now big news, and that reporting biases undoubtedly skew toward them. Even so, says David Fidler, senior fellow for cybersecurity and global health at the Council on Foreign Relations, the underlying reality is that such incidents are on the rise. In fact, says Fidler, the true extent of the problem has probably been under-reported.
‘There has been an increase in ransomware attacks, and that increase has been felt across the entire corporate sector in North America and beyond. Beyond this, there is a large number of institutions – typically hospitals or
other bodies that hold large volumes of data – that have been victims of ransomware attacks without the public or media ever becoming aware of it. So the problem is growing and the scale of the problem is perhaps larger than one would imagine.’
The GCs who came in from the cold
From the perspective of the US government, ransomware is a clear and present danger. The increase in the size, sophistication and public awareness of these attacks, as well as their ability to damage critical infrastructure, puts general counsel on the fault line of what, for some organisations, will be the most important challenge of the coming months.
‘The connection between criminal ransomware attacks and how the United States government perceives our adversaries as providing havens for cyber criminals is key’, says Fiddler.
The government has already accused Russia and China of tacitly allowing cyber criminals targeting US companies to operate free of constraints. We’re seeing movement toward more offensive actions on the part of the US government aimed at cyber-criminal organisations based in potentially hostile territories because, clearly, our defences are not effective in preventing these attacks.
If the government does move in that direction, that is a much more dangerous context for businesses to be in, because we do not know cyber-criminal groups are going to respond. They could become even more sophisticated and try to test how much further we’re willing to escalate’.
The thought that corporations might unwittingly get caught in this cat-and-mouse game of testing and defending critical infrastructure is no longer an abstract item on the risk agenda. Even smaller companies that are not deemed essential parts of the US economy now face the prospect of becoming collateral damage in the tit-for-tat exchanges brought on by the escalation of opportunities for cyber attacks and the escalation of deterrence by punishment.
‘For GCs, understanding the potential threat is key’, adds Fidler. ‘Understanding what the threats are from this potential escalation on the part of the government may help persuade the C-suite of the need to make more investments in their own cyber defence.’
Of course, only a minority of companies will fall victim to the most serious of incidents, but indirectly almost every single organisation will end up paying the price, whether through increased demands on security and compliance or changes to their relationships with customers and commercial partners.
Insurance has long been one of the major tools used by corporates to mitigate their exposure to cyber risk, but as the number of cyber-related insurance pay-outs topping seven figures grows, policies are being hastily rewritten.
‘[Last year] was an unprecedented year for ransomware attacks and the payment of related insurance claims’, notes Lavonne Hopkins, senior managing legal director for security, resilience and digital at Dell. ‘As a result, the cybersecurity insurance market is hardening as insurers revaluate how to keep their cyber insurance offers profitable.
I have observed that insurers are focusing more on evaluating organisational cybersecurity maturity and preparedness when making coverage decisions and determining premiums and deductibles. We can only expect this trend to increase. Organisations should start to prepare for a future that potentially excludes ransomware coverage from cyber liability policies and requires self-insurance models.’
A worrying thought. And even those who can find suitable policies should not be complacent against the threat, says Thuraisingham.
‘Certain insurers are now offering specific products that cover the threat of ransomware attacks but relying on this can be extremely risky. To activate the coverage a company must first lose its data in a ransomware attack; only then will the insurer release funds to pay the ransom.
This is obviously not ideal, as the protection offered does not typically compensate for the reputational damage or staff costs associated with the incident. I would advise taking all the preventive measures you can before relying on insurance.’
The price of this sort of ‘kidnap insurance’ coverage is also likely to increase markedly as insurers keep a watchful eye on cybersecurity developments. A report issued recently by Hiscox, an Anglo-Bermudan insurance provider that specialises in niche categories of risk, noted insurers faced a 50% year-on-year increase in pay-outs for cyber-related policies, with ransomware attacks accounting for the biggest contributor to this growth.
Outsmarting the hackers
Even the most generous insurance policy can only be triggered once a cyber attack has taken place, by which time financial compensation alone may not be enough to repair the damage. For general counsel, the only real way to defend against risk is to go on the attack.
David Mace Roberts, general counsel of transport information systems provider Electronic Transaction Consultants (ETC), has been working to keep one step ahead of cyber attackers for many years. For Roberts, the most notable feature of a good cyber risk plan is that it looks unlike anything else on the market.
‘A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry.
Thuraisingham echoes Roberts’ comments. ‘Just as with health concerns, the best method is prevention. Protect all your systems, data and processes so that the attackers cannot gain access in the first place. Perhaps most important, companies that do not mandate backups and do not have extremely stringent security policies are most in danger. Do continuous backups of data and processes. I cannot emphasise proper backup procedures enough’.
Indeed, as Richard Forno notes, none of these measures are difficult to implement, but business has tended to ignore expert advice for too long.
‘The problem I see is that a lot of companies and governments of all sizes fail to do basic cybersecurity best practices, things that we in the industry and academia have been urging people to do for 20, 30, 40 years. This can be things as simple as having a really strong password or using multiple forms of authentication for critical or sensitive systems’.
The most important aspect of effective defence against a ransomware attack, however, comes with employee training. Human error is overwhelmingly likely to be the biggest weakness in a cybersecurity defence package, as well as the first thing a criminal group will look to exploit. To guard against this, says Roberts, the only option is to train relentlessly, ‘If you only train once a year then training loses its impact and offers minimal protection.’
Lavonne Hopkins of Dell agrees. ‘Unfortunately, ransomware most frequently originates from human error, and over half of ransomware victims suffer repeat attacks. Training and education are critical to ensure a comprehensive cyber preparedness strategy and prevent these ransomware attacks. Organisations should mandate cybersecurity training, including phishing training, for all employees and contractor. Employees are the first line of defence and need to be equipped with the knowledge to help prevent an attack’.
Before any of the above can take place, senior management needs to take the risk to business from cyber attack seriously. As Thuraisingham notes, it is all too common to encounter business leaders who consider cyber strategy as a matter for IT professionals.
‘When you’ve hired the best risk analysts and cyber teams money can buy it is very easy to conclude that you’ve done everything you can. This is fundamentally wrong. Businesses will always be vulnerable to these attacks, so there needs to be a constant awareness of just how serious the consequences can be.’
Unfortunately, awareness of cyber risk as among the c-suite seems to remain limited. Our survey of over 200 general and corporate counsel in North America revealed that while legal teams felt there was a very high risk of cybersecurity breaches to their organisations, fewer than half were actively involved in shaping cybersecurity risk planning.
For many organisations, it may come back to haunt them. As Roberts concludes, ‘If you are a senior member of a public company, you’d do well to look at the SEC, the NYSE and NASDAQ who are all really pushing cybersecurity. Do you want this on the front page of the Wall Street Journal or the Washington Post? Do you want to have to answer to the boards, or to the securities regulators? If not, then taking the risk seriously now is the best defence.’