The federal government appears to be exploring options for assessing individual organizations or entire vertical sectors for vulnerability to potential ransomware attacks.
"They proactively reached out to us — I'll just say that — specifically thinking about the ransomware threat, and understanding how our data can potentially help," said Dave Stapleton, chief information security officer at CyberGRX, in an interview with SC Media at Black Hat.
CyberGRX offers what Stapleton describes as a two-sided exchange for assessing risk. Organizations can use the assessments to evaluate the security of their own supply chain, and the third-party suppliers can themselves use the assessments to improve their risk profile or to promote themselves to current and potential customers. The more assessments CyberGRX performs on suppliers (what Stapleton describes as "personas"), the richer the individual assessments become, as organizations and the suppliers themselves can see where they fall within the broader library. The total number of profiles currently in the CyberGRX library is roughly 8,500.
The specific functionality that Stapleton believes is of greatest interest to government is the ability to establish threat profiles: assessing suppliers' risk to a particular mode of attack, such as ransomware.
"Included in that sort of filtering might be anything in our security profiles that we build that's related to offline backups or recovery exercises or now, because of extortionware, IDP and that sort of thing, because it's too late if they access all your data — toothpaste is out of the tube," he said. "That's what the government is interested in, I believe, because as our exchange keeps growing exponentially over time, government can gather insights and start initiatives."
Stapleton said the feds may recognize, for example, "'for whatever reason, health care is really bad at this. And so we need to engage the health care industry so we can start an initiative for the funding with actual data to back up that focus.'"
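The threat-profile idea described above amounts to filtering each supplier's control assessment down to the controls that matter for one attack mode, then rolling the results up by sector. The following is an added illustration, not CyberGRX code or data: the supplier names, sectors and control fields are constructed, and the three controls chosen for the ransomware profile (offline backups, recovery exercises, identity protection) mirror the ones Stapleton mentions.

```python
from collections import defaultdict

# Constructed sample assessment records (hypothetical, not CyberGRX data).
# Each supplier "persona" carries a sector and a map of control -> implemented.
SAMPLE_PROFILES = [
    {"supplier": "Clinic Billing Co", "sector": "health care",
     "controls": {"offline_backups": False, "recovery_exercises": False,
                  "identity_protection": True, "email_filtering": True}},
    {"supplier": "Hospital SaaS Ltd", "sector": "health care",
     "controls": {"offline_backups": True, "recovery_exercises": True,
                  "identity_protection": False, "email_filtering": True}},
    {"supplier": "Bank Core Vendor", "sector": "finance",
     "controls": {"offline_backups": True, "recovery_exercises": True,
                  "identity_protection": True, "email_filtering": False}},
    {"supplier": "Payments Gateway", "sector": "finance",
     "controls": {"offline_backups": True, "recovery_exercises": False,
                  "identity_protection": True, "email_filtering": True}},
    {"supplier": "Grid Telemetry Inc", "sector": "energy",
     "controls": {"offline_backups": False, "recovery_exercises": True,
                  "identity_protection": True, "email_filtering": True}},
]

# A threat profile is simply the subset of assessed controls relevant to one
# attack mode. These three are the ransomware-related controls named in the
# interview; the control keys themselves are assumed names.
RANSOMWARE_PROFILE = {"offline_backups", "recovery_exercises", "identity_protection"}


def coverage(profile, threat_profile):
    """Fraction of the threat profile's controls the supplier reports as implemented.

    A control absent from the assessment is treated as not implemented, so an
    incomplete questionnaire lowers the score rather than silently inflating it.
    """
    implemented = sum(1 for c in threat_profile if profile["controls"].get(c, False))
    return implemented / len(threat_profile)


def missing_controls(profile, threat_profile):
    """Controls from the threat profile that this supplier lacks, sorted for stable output."""
    return sorted(c for c in threat_profile if not profile["controls"].get(c, False))


def rank_suppliers(profiles, threat_profile):
    """Suppliers ordered from least to most covered against the threat profile."""
    return sorted(
        ((p["supplier"], round(coverage(p, threat_profile), 2)) for p in profiles),
        key=lambda item: item[1],
    )


def sector_summary(profiles, threat_profile):
    """Average coverage per sector: the 'which industry is bad at this' view."""
    by_sector = defaultdict(list)
    for p in profiles:
        by_sector[p["sector"]].append(coverage(p, threat_profile))
    return {sector: round(sum(v) / len(v), 2) for sector, v in by_sector.items()}


def weakest_sector(profiles, threat_profile):
    """Sector with the lowest average coverage, i.e. the first candidate for an initiative."""
    summary = sector_summary(profiles, threat_profile)
    return min(summary, key=summary.get)


if __name__ == "__main__":
    for supplier, score in rank_suppliers(SAMPLE_PROFILES, RANSOMWARE_PROFILE):
        print(f"{supplier:20s} ransomware coverage {score:.2f}")
    print("per-sector:", sector_summary(SAMPLE_PROFILES, RANSOMWARE_PROFILE))
    print("weakest sector:", weakest_sector(SAMPLE_PROFILES, RANSOMWARE_PROFILE))
```

The same functions work for any other attack mode by swapping in a different control set for the threat profile; the per-sector roll-up is what would let an agency target funding or outreach at one vertical rather than at individual vendors.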
Such a concept for government is very familiar to Stapleton, who did similar work while at federal agencies himself, helping to implement the Federal Risk and Authorization Management Program. FedRAMP is the federal government's standardized approach to assessing the security of cloud offerings, where authorization lands vendors in a marketplace that agencies can use to shop for solutions.
Should government pursue a similar route for assessing risk to ransomware or any other category of malicious attack, whether in partnership with CyberGRX or not, Stapleton predicts a phased approach, similar to the one taken with FedRAMP: start with self-attestation of some kind, then independent validation and, based on the inherent risk of that particular type of third party, additional levels of authorization.
"The application is clear," Stapleton said. "The trick is always going to be, how do you establish assurance and confidence? There's a lot of companies that produce a significant amount of fairly sensitive information. I don't know if [all will want] to give that information to the federal government, which hasn't always been good stewards."