Multiple outlets are reporting (link to Guardian story) that the Babuk ransomware gang holding Washington DC Police Dept. data – including personnel records – has said it will release that data unless the department increases the price it is willing to pay. The Department had offered $100,000 US.
<p>No one starts with the intent to create an insecure system. Increasing connectivity, increasing amounts of information captured and stored, and little to no budget for increased cybersecurity or cyber education have all created an environment that is favoring bad and opportunistic actors.</p> <p> </p> <p>For too long, organizations have relied on physical proximity and threat of prosecution for security. But we’re now in a time when, digitally speaking, there are no boundaries, and attackers don’t particularly fear an organization’s or a country’s prosecutorial ability. There is a saying that most security systems, processes and procedures are there to “keep honest people honest”. Think Snow White and the seven dwarfs, what did they do? They locked the door and hung the key on the hook next to the door. That is no different than relying on securing obvious interaction points, contractually trusting your vendors security practices, and blindly believing that all your employees, partners and vendors are as security savvy as your best security personnel.</p> <p> </p> <p>Ransomware gangs have caught on to this naïve approach and are happy to exploit it. By hiding behind the anonymous nature of digital interaction, they are emboldened even to attack law enforcement, e.g. D.C. Police, Dade City Florida Police, etc. This is to erode public confidence and trust in the system. If law enforcement cannot protect its own information and systems, what confidence does one have in its ability to protect me or find evidence for prosecution of a cybercrime against me. </p> <p> </p> <p>We have seen an increase in successful cyberattacks lately. With our aging infrastructure, both the energy and healthcare sectors are prime targets for easy picking. With ever greater reliance on remote systems, remote services, digital first approaches, we are entering a state of perfect storm.</p> <p> </p> <p>How do we fix this? Start by realizing that a lack of cyber security hygiene is one of the biggest causes of successful cybercrime, exacerbated by the shortage of highly skilled cybersecurity talent. Also, it’s time to embrace more risk- and compliance-focused approaches that follow a zero-trust model.</p>
<p>Just when you thought it couldn’t get worse, this ransomware attack happens. At a time when discriminatory policing is fueling riots across the nation, we cannot afford to have the disciplinary files of police officers shared publicly. The societal pressures are too great and the impact may literally be life threatening. It’s likely too late for the Washington DC Police department, but cryptocurrency that enables ransomware crime should be shut down or highly regulated to prevent criminals from extorting organizations and governments.</p>