DOJ Treating Ransomware As Terrorism Brings It ‘Out Of The Darkness’: MSPs

‘This helps bring it out from the darkness, it puts a greater light on it. It’s not new news. We’ve been dealing with this for years. Ransomware is a billion-plus dollar industry, and it didn’t just happen overnight,’ says Solutions Granted CEO Michael Crean.

The U.S. Department of Justice is reportedly seeking to elevate investigations of ransomware attacks to a similar level as terrorism after a series of high-profile cyber breaches, including the Colonial Pipeline attack. MSPs think it’s a first great first step, but more needs to be done.

“Anytime you can bring awareness to any situation, especially a situation where people are being taken advantage of, it’s always going to be a good thing. This is a step in the right direction,” said Michael Crean, president and CEO of Solutions Granted, a Woodbridge, Va.-based MSSP. “This helps bring it out from the darkness, it puts a greater light on it. It’s not new news. We’ve been dealing with this for years. Ransomware is a billion-plus dollar industry, and it didn’t just happen overnight.”

His hope is that with the government raising ransomware investigations to a similar priority as terrorism, businesses will take a closer look at how they’re securing their own IT infrastructure. “If we do a better job of doing some of the basics ourselves in our own businesses, than we kind of create our own defense mechanism and it makes it harder for them to take advantage of us,” Crean said.

[Related: 10 Emerging Cybersecuirty Trends To Watch In 2021]

The DOJ recently sent internal guidance to U.S. attorneys’ offices nationwide stating that any information on ransomware investigations should be centrally coordinated with a task force that was recently created in Washington, D.C., according to a Reuters report.

“It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain,“ John Carlin, principle associate deputy attorney general at the DOJ, told Reuters. “We’ve used this model around terrorism before but never with ransomware.”

CRN has reached out to the DOJ for comment.

John Marler, president and CEO of Houston-based solution provider Set Solutions, said that while the DOJ is “waking up and signaling that they want to get on top of this now,” several steps need to be taken, like accountability and cybersecurity compliances.

There are a lot of compliance frameworks already in play, he said, but it will come down to how effective they actually are.

“You can have a checkbox and say, ‘We are compliant to the letter of the law,’ or you can use compliance to actually go effect change in your environment,” Marler said. “I find that there’s still a lot of customers who tick the box and say, ‘We are compliant,’ without actually using the policies and the standards in place today to effect change.”

And that framework may have to come from the U.S. federal government level, he added.

“Until the federal government gets involved and continues to beat the drum and go, ‘These are attacks. This is a breach of our internet,’ — you’re going to see this continue,” he said. “There is a lack of awareness of the severity of the issue at hand.”

Going forward, he said the federal government needs a cybersecurity doctrine or federal mandate, explaining modern cyber warfare and what companies need to do to prevent it. And if a framework is put into play, Crean would like to see equality across the board.

“I want to see it good for all,” he said. “If our tax dollars are going to pay for this initiative, we’ve got these investigators and if we’re calling it terrorism … let’s just make sure that there is enough that goes around for everybody.”

FBI Director Christopher Wray said in a recent New York Times article that ransomware threats are comparable to the global threats seen in the days after the terrorist attacks on Sept. 11, 2001.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Wray told the Times. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

Kevin McDonald, CISO at Alvaka Networks, an Irvine, Calif.-based solution provider, said treating cyberattacks as terrorism will by no means stop it, comparing it to the ongoing drug war. But if ransomware attacks are treated as terrorism, “it will have an immense impact on the number and the severity of the cases.”

“That is a huge step in that there are resources, tools, staff, money, international interagency possibilities now that would not have been possible had they not made that determination,” McDonald said. “Anytime the government makes it harder for these criminal actors to do what they’re doing, it benefits everyone.”

Both Marler and Crean said there needs to be consequences as well, for both the hacker and the company being hacked.

“Everybody’s upset about the inconvenience of the Colonial breach, but what are the consequences?” Marler said. “That’s where I think we’re headed as far as the federal government goes. Just like there would be consequences if you started using asbestos in construction today, there should be consequences for negligence around cybersecurity.”

Crean said the question that needs to be asked, “How do we hold ourselves accountable for the things that we should be doing?”

“I call it the unnecessary falling asleep at the wheel,” he said. “If they really just pay attention and read and listen and trust our MSPs, there’s some really easy ways to defend against this. The Colonial Pipeline just really reinforced that element.”