This week, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation unveiled a dossier of sorts about a group called BlackMatter, which the government said is a “possible rebrand” of the Russia-based DarkSide entity and has been active since July, wreaking havoc on networks that support the already stressed U.S. food and agriculture sector.
BlackMatter is a “ransomware as a service” group, meaning it offers specific services at particular price points to other criminal gangs, who pay for the BlackMatter team’s expertise in getting into systems and ransoming encrypted data.
In the past, private sector cyber defense firms, usually working with afflicted companies, have collected, analyzed and publicly shared threat information about specific ransomware and cyberattack groups. The government’s role had been largely limited to warnings issued after an intrusion about software vulnerabilities, alerts about critical patches to commonly used systems and solid advice about how to secure networks. Now, it seems, the government will share what it knows and has been able to collect, through open or clandestine means, about ransomware groups whose activity harms U.S. commerce, perhaps in real time. This decision means the U.S. is treating ransomware as a critical national security threat, even if U.S. government systems aren’t being targeted.
We know criminal gangs have commodified ransomware and hijack critical networks all the time, but because we don’t directly feel anything — not even higher costs associated with ransomware payments — it’s hard to use the morsels of attention we manage to wring out of our days to, well, really care. We don’t demand our employers protect us from ransomware the way they might from the threat posed by an active shooter. It’s not a physical threat; it’s, at most, an annoyance to most of us.
Conceptually, this is a bit off; people have died where ransomware attacks were involved. Industrial control systems — think of the machines that determine whether the water you drink is toxic — have been regular targets in 2021. But to most people, ransomware means your local Sinclair affiliate goes without graphics for a newscast or two.
The government’s new model communication strategy borrows a lot from the psychological architecture of the global war on terrorism.
After 9/11, many politicians drove policy by producing, commodifying and managing fear, mixing sensible policy changes to protect Americans with massively detrimental ones, adding poison to our politics and damaging our national security for generations. Who benefited? The national security sector, which enjoyed record profits and proliferated its footprint all across America.
Many companies in the counterterrorism business are now in the counter-cyberattack business. They follow cues from the government about what to say about the threat, meaning any new cyber language calls for caution. Still, I think the government is moving in the right direction.
Although the threat posed by ransomware is often harder to personalize or localize than terrorism, it is far more pervasive, and its effect over time on global economic resilience could be quite destructive. An explosion damages instantly; cyberattacks chip away over time.
It might be the case that Americans, generally mistrustful of government and wearied by decades of war, meet stark warnings about cyberthreats with a shrug. So as new laws are written and eventually passed governing the mandatory reporting of cyber breaches, the regulation of cyber insurance, basic standards of cyber competency for small businesses and the like, we would be wise to avoid militaristic language and should be wary of rules that incentivize surveillance or privacy violations under the guise of security.
We certainly should not feel like we’re under constant attack, because that might paralyze us or allow politicians to act rashly, using our votes as cover. But we should expect more — from the government, in terms of sharing information; from our employers, who should spend money to assess and protect vulnerabilities on the networks we use; and from each other. Stop sending screenshots of passwords in e-mails or DMs, for goodness' sake!