Congress Calls for Proactive Policies to Combat Security Breaches

The internet looks very small to an attacker, but massive to a defender. And a persistent reality of the 21st century’s connected economy is that many digital doors are left open for bad actors and cyber adversaries to walk through as they see fit. 

Just take, for example, Monday’s (April 15) news that a ransomware group has reportedly published several files on the dark web that were stolen during February’s cyberattack on UnitedHealth Group’s Change Healthcare.

The professionalization of the criminal ecosystem has lowered the barriers to entry for types of cybercrime, including ransomware-as-a-service, which have propelled enterprise cybersecurity from something perhaps previously considered merely an IT issue to a serious threat with far-ranging operational and financial risk for organizations of all sizes. 

In 2023 alone, ransomware attacks hit a record high with over $1 billion extorted from victim organizations, and in March, UnitedHealth paid $22 million in cryptocurrency to the criminals responsible for attacking Change Healthcare’s systems in order to recover compromised data.

Per UnitedHealth’s first-quarter 2024 financial results announced on Tuesday (April 16), the cyberattack on Change Healthcare cost UnitedHealth $872 million, with executives projecting a total loss of up to $1.6 billion.

On Tuesday, the House Financial Services Subcommittee on National Security, Illicit Finance, and International Financial Institutions, led by Subcommittee Vice Chair Young Kim, R-Calif., held a hearing titled “Held for Ransom: How Ransomware Endangers Our Financial System.”

The congressional hearing, which was designed to provide policymakers with essential information on the anatomy of a ransomware attack, as well as help establish proactive federal policies and guidelines for cyber resilience across the public and private sectors, noted that professional and legal services, technology, manufacturing, healthcare, and financial services businesses are the most targeted by bad actors. 

Cyberthreat Is Not Going Away

“The United States, and the world, is quickly learning that no matter how prepared a company may be, or thinks it may be, the threat actors carrying out ransomware attacks have proven that no organization is safe from an attempt to infiltrate their systems. … All the cybersecurity preparedness in the world cannot deter an employee from inadvertently providing identification credentials to a cybercriminal,” Kim said in her opening remarks. 

And entities of all sizes, public and private, have historically struggled to understand and manage their digital infrastructure, including phones, laptops, servers and applications that have been exposed to the internet, leaving them vulnerable to cyber adversaries. 

That’s because threat actors are, and have always been, opportunistic in their approaches — attacking healthcare systems, financial institutions, and other organizations indiscriminately, searching for an opening. 

Compounding matters is the evolution in the attack vectors used by cybercriminals for their initial compromise. Per the hearing’s witness testimony, and as revealed across PYMNTS Intelligence, cybercriminals now have artificial intelligence (AI) methods to combine both legitimate and fraudulent data to evade know-your-customer (KYC) and anti-money laundering (AML) authentication from account origination through credit, lending, payments, and trading activities. 

“AI enables [cybercriminals] to move laterally with increased speed and identify an organization’s critical assets for exfiltration and extortion. Bad actors can now execute numerous attacks simultaneously against one company, leveraging multiple vulnerabilities,” Daniel Sergile, senior consulting director of Unit 42, the threat intelligence and incident response division of Palo Alto Networks, told lawmakers during Tuesday’s hearing. 

Insiders have repeatedly told PYMNTS that technologies like AI could supercharge the capabilities of bad actors by providing turnkey and scalable cyber tools.

Incentives for Cyber Hygiene

Despite their use by bad actors, AI and automation are also crucially transformative for enterprise defenders, enabling organizations not only to recover more quickly, but also to ingest and analyze security data to harden their networks against future attacks.

Still, while IT teams are often able to withstand attacks, many organizations struggle to restart operations after being targeted by cybercriminals. 

And ongoing cybercrime trends are particularly troubling for smaller businesses, which are often unable to adequately invest in cybersecurity. Per the congressional hearing, 40% of the most significant attacks in the financial sector were the result of an exploited vulnerability, such as software that could have been patched but may not have been due to resource constraints. 

According to Kim’s opening statements, four widely recognized stages of cyber incident response are: 1) preparation and prevention, 2) detection and analysis, 3) containment and eradication, and 4) recovery.

While there is no silver bullet in cybersecurity, there are still steps that enterprises can take to reduce the risk of falling victim to an attack, more effectively contain an attack, and increase cybersecurity resilience. 

According to testimony from Palo Alto Networks’ Sergile, businesses need to maintain a response plan for cyber incidents; ensure visibility of attack surfaces; leverage AI and automation to modernize security and reduce the burden on overworked analysts; implement zero-trust network architecture; and use a cloud security program and platform that offers cloud-native security.

Technique-based protections mapped to the MITRE ATT&CK Framework can help defenses evolve in response to adversarial tactics, he added. 

Ultimately, the hearing witnesses told lawmakers that their vision for a more secure digital future was a simple one: enabling organizations to have real-time visibility across their networks, and the ability to prevent, detect and respond to cyberattacks quickly and effectively with automated capabilities.