The ransomware attack unfolding on 2 July 2021 against Kaseya Ltd, a Miami-based software producer, was the world’s largest to date. As an indiscriminate supply chain attack, this case brings into sharper focus the extent of the harm inflicted by ransomware to society as a whole. The attack was disruptive for everyone using Kaseya services directly or indirectly, including nurseries, schools, pharmacies and supermarkets in 17 countries. Corrupting software supply chains with ransomware that is deployed automatically to millions of devices is also devastating for our collective trust in ICT capabilities and resilience when critical infrastructure is under attack. We have a shared responsibility to take the norms on responsibilities for curbing cybercrime to the next level and enforce them as a first step towards accountability. Three sets of measures are within reach to change the status quo:
- Collecting relevant data to assess and understand the societal impact of attacks;
- Increasing transparency around data and responsible disclosure of vulnerabilities;
- Linking technical analysis to normative and legal instruments to promote change of behaviour and foster accountability.
The attack against Kaseya combined a trusted means of deploying automatic software — via a managed service provider — with a near-impossible-to-defend-against attack vector. The cyberattack exploited a zero-day vulnerability in Kaseya’s Virtual System Administrator (VSA) software, which is a remote monitoring and management software package. This impacted customers with on-premises deployments of VSA. In a matter of minutes, it caused harm on an unprecedented scale, hitting around 1,500 companies and thousands of victims around the world, from businesses and municipalities in the United States to Australian organizations. In Sweden, a large food retailer was forced to close 800 shops over the weekend, while the State Railway and a pharmaceutical chain also suffered disruptions. Eleven schools and more than 100 nurseries fell victim to this attack in New Zealand. In a year in which attacks against critical infrastructure have been on the rise, a new threshold of collective vulnerability has been reached with the Kaseya supply chain attack. When communities are hit, the large-scale repercussions of cybercrime go beyond financial loss and quantifiable metrics. Real-life disruptions to everyday life – be it access to food and vital supplies or school closures -, in direct violation of fundamental rights, are intangible forms of harm with long-lasting effects on all of us.
Indicative of the increased sophistication of the threat and of cybercrime innovation practices, the attack on Kaseya had a widespread and indiscriminate impact on direct clients (large and small companies running their operations), and also on users outside of its direct control, as providers of essential services made use of Kaseya’s VSA services via third party sellers. The group taking credit for the attack, the Russia-based REvil, asked for a ransom of USD 70 million from Kaseya and asked individual targets to pay smaller ransoms to unlock their systems. It took the main target, Kaseya, 19 days to obtain a general decryptor key to unlock victims’ data, meaning that, for three weeks, many services were provided with limited availability. In addition to the disruption, such attacks lead to a loss of trust in the basic ICT capabilities we collectively rely on. The attack on Kaseya instantiated that twice: first, many managed service providers and downstream customers had to freeze their services for a few days or even weeks; second, during the patching phase, a phishing campaign targeted users of the Kaseya software with a fake security update that delivered a malicious payload.
What the red lines are in cyberspace currently remains subject to political negotiations. At the Biden-Putin high-level summit in Geneva on 16 June 2021, the American and Russian Presidents agreed that critical infrastructure should be off limits to cyber-attacks. While the focus on this issue in bilateral talks is welcome on a diplomatic level, the framing of this as a national security issue obscures the real-life consequences of ransomware on society as a whole. In the absence of a human-centric approach, we risk perpetuating the idea that ransomware is yet another cyber incident. For the victims of such attacks, no remedy is in sight if the intangible harm they suffered is not adequately recognized, beyond the economic impact of cybercrime. Recourse can only come from the recognition that all relevant stakeholders have responsibilities towards keeping cyberspace secure. To change the status quo, we need to turn internationally agreed norms of responsible behavior into effective means to achieve accountability.
The protection of supply chain and critical infrastructure: what needs to change
Norms for keeping cyberspace secure are continuously discussed in the United Nations and other international fora. In light of large-scale attacks such as the one on Kaseya, it is time to “walk the talk” and operationalize and enforce these norms. The Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security (OEWG), issued in March 2021, reaffirms that states have a responsibility to take reasonable steps to ensure the integrity of supply chains and respond to growing concerns about the significant and far-reaching negative impacts of malicious use of technology on peace, security and human rights.
When we shed light on the societal impact of ransomware cases affecting critical infrastructure and supply chains, the need for action is clear. To keep cyberspace secure, both states and companies need to act now. So how do these norms, agreed by consensus in 2015 and endorsed in 2021 by the OEWG and the UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace, apply to the Kaseya ransomware attack? And how do these norms fit into an effective response to cybercrime?
UNGGE Norm 13 (i) addresses directly the state responsibility to ensure the integrity of the supply chain, while placing positive obligations on public authorities to prevent the spread of malicious ICT tools and techniques and the use of backdoors or hidden vulnerabilities.
- The compromise of Kaseya’s VSA services happened through a zero-day exploit. The impact of the compromise could have been mitigated with a combination of legal and operational measures tailored to the threat landscape. Together, such measures can incentivize shoring up defenses based on individual needs of organizations. States should be doing more at the national level to secure the supply chain, such as by legally imposing requirements for companies to maintain the highest security standards and address vulnerabilities.
- Many countries – including the US, the UK, Australia and the Netherlands – have started implementing Vulnerability Equities policies for coordinated vulnerability disclosure to vendors and internal government disclosure processes. These measures ensure oversight over the ways in which the government protects the public and the critical infrastructure, while balancing access and interference in the work of various governmental agencies without causing further harm. While Kaseya was informed by the Dutch Institute for Vulnerability Disclosure about vulnerabilities in its VSA product, the patching was underway at the time of the attack.
- In many other cyberattacks, malicious actors have taken advantage of vulnerabilities in hardware and software products known to governments. In these circumstances, governments have balanced the potential societal impact when purchasing, stockpiling, and using zero-days exploits. The large-scale impact of zero-day exploits and the extent of the harm on the society need to become key considerations in the equities process design.
Turning to protection, UNGGE Norm 13 (g) focuses on obligations for critical infrastructure at the domestic level.
- When it comes to measures taken to designate essential services as critical infrastructure, there is huge variation among countries as to whether schools or pharmacies should benefit from special protection like other national critical sectors. It therefore becomes important to implement this norm in ways that enable protection against attacks with indiscriminate effect to be extended to all essential services.
- More effective protection can be put in place if the logic of societal impact and human centric security is applied in assessing what constitutes critical infrastructure. A recent example of this is election infrastructure, which did not fit the criteria to be designated critical infrastructure until the societal impact of its disruption was taken into account. It is crucial that governments ensure, in the contracting and execution phase of collaboration, rather than post facto, that security practices in the supply chain of essential services providers are contributing to resilience.
For victims, the unavailability of services and the ransom demands themselves have real-life consequences. At the moment, we lack data to investigate the true extent of the societal disruption that the attack on Kaseya brought about. The CyberPeace Institute has documented the physical, psychological and societal impact of ransomware on the healthcare sector, showing that both the short and the long-term effects of cyberattacks need to be taken into account. When it comes to supply chain attacks, the entirety of the harm inflicted is more difficult to grasp. We owe it to the victims to put existing norms to work in order to offer remedies and to prevent cases like this one from occurring in the future.
The repercussions of the Kaseya attack may no longer be in the media spotlight, but they continue. To provide recourse to the victims, a number of structural changes are needed for the cybersecurity ecosystem. Here are three recommendations which could be implemented to ensure that such attacks can be adequately understood and prevented.
- Collecting relevant data to understand the societal impact of attacks. The indicators of harm in the case of ransomware attacks need to extend beyond quantifiable and economic loss data, in order to include society-wide consequences for an adequate assessment of the impact on victims. Many stakeholders, including civil society organizations, can contribute by setting up a consistent procedure for reporting and collecting comparable data around the societal impact of cyberattacks. Policy-makers can then use an evidence-led approach to design better policies and implement norms that speak to realities on the ground.
- Increasing transparency around data and responsible disclosure of vulnerabilities. There is a need to increase transparency around the data sources available to relevant stakeholders and work towards strengthened responsible disclosure, in an effort to increase collective security. Security research and vulnerability disclosure can both be improved by adopting good practices and removing legal, policy and technical obstacles.
- Linking technical analysis to normative and legal instruments to foster accountability. The extensive technical analysis that is done in the aftermath of cyberattacks needs to feed into a larger process of accountability and information sharing, so that better assistance measures can be put in place. Once the technical investigation is over, internationally-agreed norms of responsible behavior and existing laws have to be invoked and applied in all ransomware cases.