A day after the world’s largest meatpacking company, JBS, confirmed that it paid the equivalent of $11 million in ransom to hackers who broke into its computer system, two federal officials spoke with 草莓传媒 about what companies, private people and the government can and should be doing to prevent and deal with the next attack.
Eric Goldstein, the executive assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told 草莓传媒 on Thursday: “This is a national-level risk that can affect every organization in America, public or private, big and small across sectors.”
He didn’t directly answer a question about whether the government could require a minimum standard of cyberdefense, but said that his agency’s website “has resources that all companies can use to secure their own networks against these risks.”
Even so, attacks will happen, and Goldstein said the key to surviving them was not just to harden systems against attacks, but to “focus on the resilience of our critical functions — fuel, food, banking, telecommunications — the things that you and I rely on for our everyday lives.”
“All organizations, even as they invest in cybersecurity, should also look to make sure that the services they provide can be less dependent upon IP networks and systems,” Goldstein said. “So that if a cyber intrusion or a ransomware attack does occur, the services they provide will still be available to the American people and the business’s customers.”
Three ways to fight back
Sen. Mark Warner, the chairman of the Senate Intelligence Committee, pointed out that the JBS payment comes on the heels of the Colonial Pipeline hack that put half the country into a gasoline panic, as well as attacks on a ferry system in New England and “the whole Irish health care system about three weeks ago.”
He laid out three ways the government can fight back.
“One, we need to have a mandatory reporting requirement. These companies don’t even have to tell the government when they are attacked, so that we can actually bring law enforcement and our other tools to the table.”
“Second, we really do need to create some level of international standards. So that when we see these attacks come from criminal gangs, for example, out of Russia, if they are attacking critical infrastructure, whether it’s here or Europe or elsewhere, we can have a united world response.”
“And three, we really need to start a … debate about whether there should even be payments of ransomware. … Even if you pay, there should be more transparency in the payments.”
Warner said there was “broad bipartisan consensus” on his committee for legislation mandating the reporting of these attacks.
He encouraged President Joe Biden to “put this on the table” when he meets with President Vladimir Putin of Russia, where many of the biggest hackers are based.
Should they pay the ransom?
Both officials discouraged the practice of paying ransom.
“Our guidance is to strongly discourage the payment of ransom,” Goldstein said. “The more ransoms that get paid, the more attacks we will see.” He added that there’s no guarantee that paying ransom will actually get a company’s data back.
Warner acknowledged it’s not that simple: “Of course, you start with the premise that, hey, folks shouldn’t pay this ransom. But if it’s a hospital, and there’s a chance that people may die if you don’t do something in the short term, it’s not as easy a discussion as you initially think.”
“But even if you pay,” he added, “there ought to be transparency on the payments. And maybe that means we shouldn’t be using crypto right now.”
