The United States’ first National Cyber Director Chris Inglis and National Security Agency Cybersecurity Director Rob Joyce encouraged the private sector to work with the government to fight ransomware and share cyber-incident insights at AT&T’s Security Conference this week. 

“There has been a significant uptick in ransomware over the last year and a half, two years,” Inglis said. “It's been a long time in the making.”

The surge in ransomware is a systemic issue, he said. “It's the weakness in the resilience and robustness of our systems, it's the cryptocurrency that makes it easy to acquire and hide ill-gotten gains, it’s the fact that we often don't have a shared defense.”

To address these problems, he recommended organizations check the U.S. Cybersecurity and Infrastructure Security Agency's “one-stop ransomware resources” website for guidance and government assistance. 

However, Inglis also noted that ransomware attacks have diminished in scope and severity over the past few months. “I think it's too soon to tell whether or not that's a permanent condition,” he said. “Clearly, it's a hard time to be a transgressor in ransomware, and therefore you might expect they'd lay low, but we need to make it such that they are deterred and stay laying low.” 

Joyce echoed that counter-ransomware efforts have seen some success, and as a result “attackers have had to change their methodology, adapt and evolve.” But, he warned, “this is going to be an effort without an end. It's going to have to be continuous improvement, attention, and rigor.”

Inglis and Joyce both suggested organizations take basic steps to make the system more secure. Inglis mentioned that the Biden administration issued an executive order in May that set security standards for federal-government supply chains that include zero-trust and multi-factor authentication strategies.

Just using multi-factor authentication would likely eliminate at least half of all successful attacks, Inglis said. Multi-factor authentication is “a very hard bar for transgressors to get over,” he added. “We've made it really easy for them at this point in time.”

Pushing for Breach Notification Legislation

On top of the individual defense efforts, both federal cybersecurity officials reiterated the importance of partnerships between government and the private sector, so “we can co-discover and co-mitigate threats on the fly,” Inglis said.

The government is trying to figure out how to build trust with private organizations so that they are willing to share information when they get hacked, Joyce added. And he expects to see breach-notification laws in the near future, “because face it, these attacks are coming at scale.”

He believes that the notifications will allow the government to see the types of campaigns that are out there and infrastructure that would be used to exploit, and better inform other potential victims. “There's pretty strong consensus, there needs to be some breach notification laws,” he added.

Inglis also supports legislation to require cybersecurity incident reporting. This will help the government provide resources to help organizations after an attack, and “double down on how do we prevent these in the future,” he said.

“On the government side, we’ve got to get better and faster at taking the things we know from our classified channels and making them into usable, actionable information,” Joyce added. “Especially building that partnership with the backbone providers, the service providers, and the cloud providers, who can protect people at scale.”