Changing The Ransomware Narrative: When The Cover Up Is Worse Than The Crime

5–8–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday May 8th, and today we’re going to look at some updates on a few stories we’ve touched on before that all carry a common theme, so let’s dig in.

Changing the Narrative; When The Coverup Is Worse Than The Crime

What we’re talking about today is how companies respond publicly - or don’t - when they have a cyber incident (like a breach, a ransomware incident, or anything else).

We learned this week that former Uber CISO Joe Sullivan is getting probation instead of jail time. A quick reminder for those who may have forgotten the details of this 2016 event that saw the exposure of 57 million Uber customers and drivers.

The charges aren’t for the hack, but rather for obstructing Federal Trade Commission proceedings and Sullivan’s concealment of the hack (a “misprision” charge). Facing 8 years in Federal prison, Sullivan is probably pretty happy to receive only 3 years of probation, but the judge noted a stern warning:

“If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs [chief information security officers], you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.”

But was it so unusual? Concealing events, or misrepresenting them in a way that benefits the company, happens constantly.

For example, in reference to another event we’ve discussed here, Western Digital was forced to acknowledge their March ransomware incident only because personal data of customers was stolen.

Still calling it a “network security incident,” the company has taken its store offline and sent an unknown number of customers data breach notifications that “customer names, billing and shipping addresses, email addresses, and telephone numbers” were all exposed.

They remain steadfast in their commitment to not acknowledging the ransomware incident, even as the ALPHV ransomware gang publicly taunts Western Digital by releasing “screenshots of stolen emails, documents, and applications that showed they still had access to the company's network even after being detected.” Why hold this hard line? I just don’t see the benefit.

Also this week, a medical clinic in Tennessee issued a press release noting they were “the victim of a sophisticated criminal cyber-attack” and had shut down their network and were struggling to provide services.

In truth, these attacks are not particularly sophisticated, but they are carried out largely by organized crime groups overseas. Why we don’t talk about - and treat - these groups like we do other terrorists, traffickers, and cartels is beyond me. The press release from the medical center is a step in the right direction - in acknowledging the criminal element and the fact that they’re the victim of an attack - but I still don’t think it goes far enough in reframing how we view this issue.

Until we change this narrative, the criminal gangs are going to operate with impunity and confidence. Why we seem so reluctant to change is beyond me. Boards and executive leadership have a real opportunity to help shape how we talk, think, and act on this issue, and private companies even more than public companies.

There’s a glimmer of hope with the Department of State’s $10M bounty on a Russian National - but it’s not for ransomware, but rather for running a carding forum selling and trading stolen credit card numbers. We’ll only start to move the needle on this issue when we start talking about it in ways that don’t hide, obfuscate, or minimize the real impact to people and businesses. Until then, it’ll be business as usual for the criminals.

Fundraising

Solid week of new capital commitments last week - coming in at almost exactly $11.5B. Half of that was led by Bain Capital’s $6B for an Asia-focused buyout fund, which had targeted $5B. Coming in 20% over-committed has to be a good sign for both the buyout space and deal flow in Asia.

I think it’s safe to say that we’re seeing some momentum continue to build in the fundraising space, and can expect another strong week next week.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://qz.com/uber-former-cso-joe-sullivan-sentence-hack-coverup-case-1850407651

https://www.bleepingcomputer.com/news/security/western-digital-says-hackers-stole-customer-data-in-march-cyberattack/

https://www.bleepingcomputer.com/news/security/hackers-leak-images-to-taunt-western-digitals-cyberattack-response/

https://www.mmclinic.com/www/blog/viewpost/276/important-update

https://www.justice.gov/usao-edny/pr/cybercriminal-network-fueling-global-stolen-credit-card-trade-dismantled
