Former NSA director: U.S. needs a new approach to ransomware response

In advance of his appearance at HIMSS21, Admiral Michael S. Rogers, who also served as commander of the U.S. Cyber Command, says the government and private sector must work more closely and collaboratively.
By Mike Miliard
10:30 AM

The United States, along with much of the world, finds itself battling two pandemics: the COVID-19 crisis, of course, but also the cyber pandemic that has proliferated across the globe.

In the healthcare industry, some hospitals have been hobbled for weeks at a time – and at least one patient has died – because of the scourge of ransomware.

The cyberattacks have become so frequent and commonplace that it's worth asking whether ransomware, as many suspect is happening with SARS-CoV-2, is already moving from pandemic to endemic status.

"Ransomware, I think, has become the greatest challenge for most organizations," said retired Admiral Michael S. Rogers, former director of the National Security Agency and the former commander of U.S. Cyber Command, in a recent interview with Healthcare IT News.

"Healthcare [is] an incredibly attractive target in the middle of a pandemic," said Rogers, who will be speaking next month at HIMSS21 in Las Vegas. "And criminals are aware. That's one reason why you've seen a massive uptick, particularly focused on healthcare, in the past 18 months from a ransomware activity perspective."

Indeed, since the early days of the pandemic – not counting the vanishingly small window when the prospect of a hacker "ceasefire" was dangled – the bad guys have been hard at work, targeting the World Health Organization and COVID-19 testing sites, academic research facilities and vaccine distribution supply chains.

Their targets have also included hospitals and health systems of all shapes and sizes. Meanwhile, the size of their ransom demands is climbing skyward.

"It's gotten worse," said Rogers, who served under Presidents Barack Obama and Donald Trump. Rogers served at NSA and U.S. Cyber Command concurrently for four years before retiring in 2018.

"For a couple of reasons. Number one, the criminal segment has become much more aggressive," he said. "Why? There's a lot of money. There's a lot of money for criminal groups to be made. I may not want to pay the ransom, but I can't afford interruption or degradation of my services or operating ability to help in the middle of a pandemic. I've got to keep going."

Number two? "In the last three years since I left, nation states' risk calculus has become even more aggressive. They are willing to take even greater risks."

That's not just with ransomware. Recent headlines have shown just how far foreign cyber crooks have been willing and able to intrude upon U.S.-based information networks – not just the DNC and the RNC, or Sony, but a wide array of federal agencies and private companies large and small.

Rogers points specifically to the SolarWinds and Microsoft Exchange server exploits, which stunned even seasoned cybersecurity professionals in their sheer size, scope and brazenness.

Meanwhile, ransomware seizures such as the Colonial Pipeline hack have helped bring the threat into sharp focus.

Finally, the president and Congress are paying attention, and federal security agencies seem willing to give as good as they get.

"On the positive side, there is clearly a sense that we are not where we need to be, and that it's going in the wrong direction," said Rogers.

But he says he is frustrated that the cybersecurity problems are not only persisting, but worsening.

A big reason for that is that the current state of incident prevention and response – especially when it comes to the interrelation of the public and private sectors – "has failed to deliver for over a decade," said Rogers. "I only speak for myself. But my frustration is: Why do we keep doing the same things and expect a different result?"

Sure, there are valuable organizations such as H-ISAC, the Health Information Sharing and Analysis Center, which specializes in "crowdsourced" cybersecurity, and shares threat intelligence and other best practices for protection and risk mitigation. And yes, the CISA, FBI, HHS and other agencies are good about getting out alerts and warnings to the healthcare stakeholders that need to hear them.

But too often, "the government will do its thing, the private sector will do its thing," said Rogers. "As we see things we think might be of interest to the other, as we have the time, and as we have the inclination, we'll share those insights.

"Everyone is so busy, quite frankly. Most organizations don't have time to think about it. They are just trying to defend their own systems, their own intellectual property, their own data."

But to truly measure up against the scope of the cyber threat to healthcare and all industries, "I just think we've got to have a different model," he said.

"It's not about collaboration," Rogers explained. "It's about integration. We've got the government and the private sector. We've got to team together 24 hours a day, seven days a week."

He acknowledged, "You can't do this at scale across every business within the private sector. But can't we start with a few sectors where the risks to our economy, to the safety and wellbeing of our citizens, to the security of our nation? Let's pick a few areas, and do some test cases, and see if a different model might produce a different result."

There are some "great examples out there where we have applied a government and private-sector model and achieved some amazing results," said Rogers.

Aviation safety

For instance, "We decided as a society that the potential loss of literally hundreds of people in an aviation accident represented such a risk that we needed to do something different," he said.

"So we created mechanisms: Every time there is an aviation accident, the federal government steps in. It partners with the airplane manufacturer, the airline that operated the aircraft, the union, et cetera. It pores over all the maintenance records. It pores over the production history of the aircraft. It looks at all the software and the hardware. It looks at how it was operated. It determines the cause of the crash.

"And then it goes a step further," he added. "It mandates that we're going to change maintenance. Sometimes we're going to change production. We're going to change the way we do software. We're going to change how the aircraft is operating.

"The net impact is we are flying more aircraft with more people than we ever have, and yet aviation safety has actually been very strong. While we have aviation accidents, they tend not to be recurring patterns, the same cause over and over."

Compare that with cybersecurity, where we've been seeing the same techniques used by the bad guys "working over and over and over," he said.

"We have got to get to a point where the pain of one leads to the benefit of the many," said Rogers. "And yet what is happening now? The pain of the one is not shared. We don't learn from it. And so it is repeated over and over and over again. We have got to change that dynamic."

Admiral Michael S. Rogers will offer more insights at HIMSS21 as a participant in the keynote panel discussion, "Healthcare Cybersecurity Resilience in the Face of Adversity." It’s scheduled for Tuesday, August 10, from 8:30-9:30 a.m. in Venetian, Palazzo Ballroom.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
