Since the large-scale ransomware hacks of the Colonial Oil Pipeline and North American branches of JBS Foods in 2021, federal agencies have doubled down on preventing future attacks on the nation’s critical infrastructures.
Leadership at the Cybersecurity and Infrastructure Security Agency, however, confirmed that ransomware hackers are not exclusively targeting large organizations and businesses, but smaller entities as well.
Speaking at a CyberShare event on Monday, CISA Executive Director Brandon Wales discussed the need for all companies and organizations to invest in the best cybersecurity practices as ransomware becomes a more pervasive and common threat.
“We have certainly seen a willingness for these ransomware operators to target critical infrastructure of various sizes,” Wales said. “And they’re looking…to target companies where they believe they’ll pay because they can disrupt their services, have an effect in operations, and that the companies will pay quickly in order to get their operations back up and running.
Wales added that, given the interconnectivity of most U.S. infrastructure, the interference in one smaller company could give malicious cyber actors a foothold in the nation’s larger critical service providers.
“They [smaller communication entities] should not assume that they’re…not in the crosshairs of a more sophisticated nation state,” he said.
Wales reiterated that the best way for companies to safeguard their networks from hackers is to patch all known vulnerabilities as soon as possible, noting that hundreds of new digital vulnerabilities are discovered daily.
He also added that using end-of-life software products that no longer receive critical updates does not adequately safeguard against malware. Other simple security steps, like changing passwords and using two-factor login authentication, are also important components of cybersecurity.
Another key protocol in preventing cyberattacks across all companies is incident reporting. He noted that the implementation of incident reporting requirements to federal agencies like CISA is a “top priority.”
Congress had successfully passed the Cyber Incident Reporting for Critical Infrastructure Act, which President Biden signed into law in March. Wales supported the law’s endeavor, but acknowledged the obligation of incident reporting can be challenging for some corporations with limited resources.
To alleviate this burden, CISA will soon be issuing a request for information to receive input on the details required for reporting.
“There’s going to be multiple opportunities, we want to hear from industry, understand their perspective,” Wales said.