Just go after all of them
Not just state actors but the criminals as well.
"Hello Hereford GCHQ here."
The UK's Government Communications Headquarters (GCHQ) boss Sir Jeremy Fleming has outlined a plan to pursue criminal actors who deploy ransomware as well as the state actors that are aware of their efforts. Speaking remotely to The Cipher Brief Annual Threat Conference on Monday, Fleming discussed the increasing threat of …
Well, at least Mein Herr Fleming has realised the enigmatic conundrum to be heroically addressed, although whether such can/will ever be acceptably resolved to the specific satisfaction of whom he professes to represent with his remarks on the chance for "like-minded Western liberal nations to make sure that the technologies on which we all rely encompass our values, are secured by design, have been subject to the standards and regulations that we approve of, because we think that they do promote our prosperity and our values." is the gazillion dollar question always to be left sensibly unanswered ...... and especially so whenever/should any such nations be heavily invested in ensuring perverse continuity of previously outrageously advantageous self-serving abuse/systemic misuse.
Defending the indefensible and inequitable always results in one being recognised, sooner or later inevitably, as the enemy and foe to be vanquished and disenfranchised ........ and to imagine that it cannot be recognised by advancing smarter systems administrators/trusted agents from within such abusive operations, and they will continue to accept and support it rather than aspire and/or conspire to defeat it, is a peerless 0day vulnerability for exploitation and export against which there is no effective defence/attack vector?
And such is only natural and thus fully to be expected and enthusiastically encouraged rather than feared and opposed ‽ .
So the ransomware has been around for at least two decades.
The aspect that is not talked about is that corporations skimp on security, they are into ticking the boxes rather than actually improving security.
Now they are expecting to be bailed out by the tax payer.
It's like leaving your house open and then asking Police to keep an eye on it, because it is being constantly burglarised.
Its the problem with two similar languages -- here in the US you here words like "burgularize" and you'll get blank looks if you mention the word "housebreaking". (Pop quzi time -- do any readers know the difference between housebreaking and burgulary?)
Roll with it. We all watch too many American TV shows so we should know the lingo.
Never has been rocket science. The big problem is a combination of complacency and convenience.
It's so convenient to allow SMB and remote desktop across the firewall, let everyone browse with unfettered scripting, run a flat network with AD as the only segregation mechanism (or in the case of Equifax, leave a file of clear text server credentials on the network) that nobody stops to think about the possible consequences.
On several assignments I've had to fight to make them put documents such as pen test reports and firewall rule listings in a secure area. Mostly they've just been 'somewhere' on sharepoint.
And whoever thought this a good idea for Presumed Secure and Secret Intelligence Services paid to ensure National Security? ....... https://www.theguardian.com/uk-news/2021/oct/26/amazon-web-services-aws-contract-data-mi5-mi6-gchq
Good for GCHQ. Fleming is spot-on, this is a great Step One. But we need more. GCHQ can influence the government by publicly spotlighting the goal posts Boris is so good at missing - a calculated and revolutionary sea change from the obsessive secrecy of the First Age of Sigint.
But industry doesn't give a toss about their customer's data security. What they do care about is their insurance premiums. So Step Two must be to pass laws requiring adequate security, along with Third Party insurance, on the information superhighway, just as vehicles must be safe by design, and insured, on the asphalt superhighways. Then watch the insurance premiums do the rest for you. Simples!
In the end, for all countries, including Five Eyes, Russia, and China (and all the lesser players), the starting point is that our state actors are good and other state actors are bad.
I predict that nothing will come of this, other than bigger budget requests for GCHQ and the other actors.
"We know that if you do fairly basic cyber security ... then you're going to protect yourselves
But even basic cyber security costs money, and until the bosses & bean-counters understand the need to finance IT properly then nothing will change. Make it a criminal offence to pay a ransomware demand, outlaw insurance policies that offer that, and make the case for proper IT funding instead. Maybe even outsource less and keep security in-house?
Ok, dreaming over. Back on your heads.
Biting the hand that feeds IT © 1998–2022