Ransomware Hacker Skills Now As Good or Better Than Countries, Expert Says

Following the attack on the Colonial Pipeline last month and the data breach at Solar Winds that started late last year, Cybersecurity is gaining more attention nationally.

Industry leaders met Thursday in a panel hosted by CISO Street, an online community and information resource for cybersecurity professionals, on lessons learned from the recent cybersecurity attacks.

Panelists said these attacks signal a new era in online security, one which requires new legislation and a new level of corporate cooperation for an adequate response.

"It's a moment of reckoning for our industry," Vasu Jakkal, Corporate Vice President for Microsoft Security, said. "(Solar Winds) was one of the most complex attacks we've seen, and that continues."

Jonathan Yaron, Chief Executive Officer at Accellion, a secure file sharing company, said hacking organizations have become increasingly motivated to discover weak points in different software programs.

Some of them can offer a talented hacker $5 million for a single data hack. Yaron said the information gained from that hack can generate as much as $400 million in ransom from the institutions that were hacked.

"They are as sophisticated as the most sophisticated developers and people," Yaron said. "Basically now, the hackers are equal in capabilities, in some cases even better, than what used to be only countries."

Jakkal said the cybersecurity industry faces a funding shortage, and cannot keep up with the demand for product. With the onset of the pandemic, many companies were forced to further digitize their structure. This led to an onset of new digital mediums and interfaces.

During this time of change, companies became more vulnerable to attacks. In Europe alone, cyberattacks doubled during the pandemic year. As the hacking business has grown in profitability, cybersecurity has fallen behind.

Despite its capacity to hire a workforce with the skills to combat hackers, the United States also faces obstacles to addressing these crimes through legal channels. The U.S. is the only highly developed country in the world without a comprehensive data protection law.

Cybersecurity laws differ greatly by business sector, and there exists no law of general application except for restrictions on "unfair" trade practices. When it comes to transparency around data breaches, this lack of legal infrastructure creates issues.

Lisa Sotto, chair of global privacy & cybersecurity practice at the law firm Hunton Andrews Kurth LLP, said companies view breaches as a source of embarrassment, and may stay quiet about the attack. She said a breach of security can carry the implication that a company did not take appropriate measures regarding its security. This can lead to short term dips in stock value and harm reputation.

Sotto stressed that no company or industry is immune to a cyber-attack. She said that regardless of the sophistication of the protection system, any company can become a victim. Reporting a breach allows for quicker action to be taken and helps protect other companies. While stock price may temporarily dip, history shows the dip to be a short-term phenomenon, and any harm to the company image is typically temporary.

She called for industries to cooperate to fight ransomware attacks.

"This is a team sport, and the way you fight asymmetric battles is by coming together as a village, as a team," Jakkal said. "The shaming, and the 'it's so hard for companies to disclose,' I think that's a cultural thing, so we have to change that."

Instead of shaming companies that suffered an attack, Jakkal said they should be celebrated for coming forward. She noted the sophistication of attackers allows any entity to become a target. Responding with speed diminishes the impact of the breach.

Sotto said companies often fear law enforcement looking into their systems, forcing them to share information, and involving the Federal Trade Commission. When it comes to investigating breaches, she said in her experience law enforcement does not tap into systems, and encourages the shielding of customer information.

And while a formal barrier does not exist between law enforcement and regulators, communication between the two generally remains limited.

"We've come a very very long way from the early and mid 2000s when we just didn't really have the governmental infrastructure," Sotto said. "But now, it's really developed, and it seems to me that until very recently we were fighting yesterday's battle. We really need to think about tomorrow's battle and how we can stay one step ahead of bad actors."