This story is from our latest edition of BBA Economic Digest, a weekly online publication for economic developers and business people.
Ransomware attacks and cyber-espionage incidents reached record levels in 2021, resulting in American businesses and governmental agencies constantly having to play catch-up in the cybersphere. Business leaders and world leaders are now sounding the cyber alarm.
The JPMorgan International Council on Thursday urged the public and private sector to step up their cybersecurity efforts to combat an increasingly dangerous threat to the economy and national security.
The council, which includes JPMorgan CEO Jamie Dimon, Johnson & Johnson CEO Alex Gorsky, and former Secretary of State Condoleezza Rice, called for greater collaboration between the government and businesses, stepped-up intelligence sharing and tougher cybersecurity legislation.
"Cyber is the most dangerous weapon in the world -- politically, economically and militarily," former Defense Secretary Bob Gates, the vice-chairman of the JPMorgan International Council, said in the report.
Reframed as National Security
Traditionally, ransomware has been viewed as a criminal matter, but the Biden administration has reframed it as a top national and global security concern. Framing the issue as a national security priority has paved the way for an active government role.
New cyber positions have been created within the administration, such as the National Cyber Directorate that is tasked with advising the president. Mandatory cybersecurity standards have also been imposed on the pipeline industry to prevent another shutdown. With 85 percent of the country’s critical infrastructure owned by private companies, Washington has also advocated increased government-industry collaboration.
In June, the FBI director compared the current ransomware challenge to the threat of global terrorism in the wake of the 9/11 attacks. The US Department of Justice has also started prioritizing ransomware investigation in the same way it does terrorism.
2021 Began with a Bang
In January, the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency jointly suggested that Russia was responsible for an attack against Texas-based SolarWinds, whose software was used by everyone from the federal government to railroads, hospitals, and major tech companies.
Ransomware is big business and corporations have been the targets. The perpetrators encrypt a computer system until victims pay for tools to unlock their data. More attacks would follow. CNA Financial, the seventh-largest commercial insurer in the US, reported it had "sustained a sophisticated cybersecurity attack" on March 23, 2021 by a group called Phoenix. CNA Financial eventually paid $40 million to get its data back.
On April 28, 2021, German chemical distributor Brenntag found itself the target of a cyberattack in which the attackers stole 150GB of data and threatened to leak it if ransom demands weren't met. The company ended up paying $4.4 million to a criminal band called Darkside.
Then in May, ransomware attacks hit Colonial Pipeline, a major pipeline operator, and JBS USA Holdings, a big meat processor. Both companies forked over millions in ransom payments via bitcoin, a favorite cryptocurrency, after they found their systems locked up. But their operations were shut down long enough to drive up the prices of gasoline and meat. Again, officials blamed Russia for the attack.
In July, Kaseya announced a cyberattack by REvil, a cybercriminal outfit. Because Kaseya provides IT solutions to other companies, the domino effect ended up impacting about 1,500 organizations in multiple countries.
While it is unclear how many individual businesses paid up, Kaseya declined to pay the $70 million in bitcoin demanded.
Instead, the company turned to the FBI and the US Cybersecurity and Infrastructure Security Agency. On July 21, 2021, Kaseya obtained a universal decryptor key and distributed it to organizations impacted by the attack.
The Cost of It All
According to a recent report from cybersecurity firm Sophos, the average cost of recovering from a ransomware attack has doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. Chainalysis found that ransomware attacks led to at least $350 million in ransom payments in 2020, a 311 percent increase compared to 2019.
However, it is difficult to estimate the full financial impact of these attacks because ransomware is highly under-reported.
Suspected ransomware payments reported by banks and other financial institutions totaled $590 million for the first six months of this year, surpassing the $416 million in suspicious payments reported for all of 2020, according to an October report by the Department of the Treasury.
Data Breaches Galore
Separate from ransomware attacks, it seems like there's a new data breach in the news every couple of weeks. Because we rely on digital technology daily, our personal information is, to some degree, at risk from hacks, scams and breaches.
Loopholes in institutions' servers and features, or flawed security protections, have allowed hackers to steal information like credit card numbers, Social Security data, birthdates, email addresses, and more.
Data breaches publicly reported in the first nine months of 2021 exceeded the total for all of 2020, according to the Identity Theft Resource Center. Corporate victims included Neiman Marcus, LinkedIn, Facebook, Robinhood, GoDaddy, T-Mobile, California Pizza Kitchen, Electronic Arts, and McDonald’s.
Planned Parenthood Los Angeles confirmed that an October data breach exposed patient records, including names, dates of birth, addresses, insurance identification numbers and clinical data like diagnosis, treatment and prescription information.
A Possible Seismic Event
The Cybersecurity and Infrastructure Security Agency on Friday issued an emergency directive ordering all federal civilian executive branch agencies to address a major security flaw in widely used logging software that could be exploited by cybercriminals.
The order requires the agencies to check whether software that accepts "data input from the internet" is affected by the Log4j vulnerability, which was discovered about a week ago.
Log4j is a single piece of open-source code, but it is used so broadly and the flaw is so fundamental that experts say the flaw leaves hundreds of millions of systems vulnerable to attack. The bug in Log4j allows cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.
The head of the U.S. government's cybersecurity agency is calling it among the biggest threats she has seen in her career.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing last week.
Given the flawed code's prevalence, experts say that, for most large businesses and government agencies, it is not a question of whether they are affected, but rather how many different systems have been affected.
The consensus is that Log4j won't be a simple fix. The vulnerability is easy to exploit and is as close to ubiquitous as a Java logging package can be. Determining where the library containing Log4j is actually used will be no easy task precisely because the software is utilized by millions of third-party enterprise applications, cloud services and manufacturers, including Apple, Twitter, and Tesla.
Dean Barber is the principal of BBA, a Dallas-based advisory firm, and publisher of BBA Economic Digest. For more information, go to barberadvisors.com