Cybercrime on rise in Arkansas, local FBI agent warns

As Americans become more aware of the rising threat of cybercrime and ransomware attacks that can cripple businesses and vital government agencies, FBI agents and experts from a branch of the Department of Homeland Security are working to safeguard Arkansans and help them in case of an attack.

One of the big mistakes business owners or government officials make when weighing the risk of a cyberattack is assuming they have nothing worth breaking into or stealing, said James Dawson, special agent in charge at the FBI’s Little Rock office. He warned that there is no such thing as a target too small for cyber-criminals.

“Every government, every business probably has something of interest to an adversary,” Dawson said.

And the threat is expanding. Nationwide, 2,474 people reported being the victims of ransomware attacks in 2020, up from 1,493 in 2018, according to data from the FBI’s Internet Crime Complaint Center. A more notable jump, however, was the change in losses reported from these attacks — from around $3.6 million in 2018 to more than $29 million in 2020.

Numbers for 2021 were not available.

Arkansans reported 21 ransomware attacks in 2020, up from 11 in 2018, representing a jump in losses from $10,500 to $150,000 in the same time period.

And those numbers reflect only those who report the attacks, warned Mark Kirby, who works as the Cybersecurity and Infrastructure Security Agency’s adviser for Arkansas.

“It could be a lot worse than what we see right now,” Kirby said.

The agency, known as CISA, was established in 2018 under the Department of Homeland Security’s oversight to bridge a gap in cybersecurity, especially when it came to working with local government and businesses, Kirby said.

The Cybersecurity and Infrastructure Security Agency offers free evaluations for businesses or government agencies wanting to know if their security meets protection standards, Kirby said, while FBI personnel handle cases where someone has already been compromised by a cyberattack.

However, Dawson and Special Agent Chris Carter, who works on cybercrime investigations in the state, stressed that it’s best to have a good defense to prevent attacks.

“Once it happens, it’s very limited what we can do,” Carter acknowledged.

The FBI urges that victims of ransomware attacks refuse to make payments in response to an attacker’s demands, Dawson said.

“Even if you do pay for it, chances are slim that they’ll restore [what was stolen] to you,” Dawson said.

In fact, there’s always the possibility that criminals will take the ransom money and then sell the stolen information anyway. Dawson also thinks that making the payments encourages more bad actors, because they know there’s a reward to be had.

If a victim does make a payment before reporting the incident to the FBI, it is sometimes possible to quickly step in and cancel the payment, Carter said, meaning that swift reporting is crucial.

Reports of cybercrime can be made on the Internet Crime Complaint Center website at www.ic3.gov.

Sometimes criminals attempt to breach a business’s security just to see if they can, and once they’re in, they have the freedom to attack that system or try to use it as a foothold to jump to another system that might be the primary target, Dawson said.

“[It] can essentially be a hook and ladder operation to get from one business to another that is a target,” Dawson said.

Because of the increasing risk of cyber infiltration and ransom attacks and the limited chance of restoring access to stolen data, the best approach is to make sure vulnerable systems are hardened enough to endure an attack.

This involves not only digital defenses like firewalls but also personnel training, such as ensuring that employees know not to click on suspicious links in scam emails or texts.

One of the services the Cybersecurity and Infrastructure Security Agency offers is a program that sends participating groups test emails modeled after the phishing emails that cyber-criminals might use, Kirby said.

There are no actual consequences to clicking the links in these messages, which can vary in type from highly suspect spam to more official-looking emails that might fool the unwary, but it gives the business or agency an idea of where their weak spots are, allowing them to consider additional training.

The levels of cyber-protection available vary based on the size of the business or agency, Kirby said, and participants in Cybersecurity and Infrastructure Security Agency programs can get an idea of how they compare in security with other groups of their size.

Businesses and government agencies should know that Cybersecurity and Infrastructure Security Agency personnel are interested in gauging a company’s security, not looking at what they have to protect, Kirby said.

“We’re not asking to see your data, we’re asking you a set of questions,” Kirby said.

Kirby compared the inspections to having a locksmith or other expert rigorously testing an office building to see if they can break in and steal valuables. The Cybersecurity and Infrastructure Security Agency does the same thing, only in the virtual space.

Although they could not specifically identify who they are working with, Kirby and Carter said they have formed a good relationship with groups in the state and think that most businesses and official agencies are taking cybersecurity seriously.

One thing that can be hard to pinpoint is where a cyber-criminal is working from, Dawson said, but the FBI has a pretty good idea of where to look.

“There’s no shortage of domestic individuals involved in cybercrime,” Dawson said, but their investigations tend to point to foreign actors — either hackers working directly for countries like China, Russia, Iran or North Korea, or individuals or gangs of hackers working in the employ of those countries.

China, in particular, is of concern to the FBI at this time, Dawson said, with the country consistently using stolen innovations from America to better its economy or, more frequently, national defense.

“What [China] cannot innovate, it takes,” Dawson said. “They consistently steal these things and put themselves at the head of the line on the back of Americans.”

When it comes to basic steps to increase cybersecurity, Dawson recommended what he called “good cyber hygiene,” such as using two-factor authentication for crucial data, ensuring the network uses good digital security measures that are well maintained, and even keeping sensitive data stored offline so it’s not as vulnerable to attack.

Dawson also stressed that the Cybersecurity and Infrastructure Security Agency is someone’s “best bet” for advice on prevention and strengthening their security.

Arkansans looking to get in touch with Kirby about cyber-protection can reach him through www.cisa.gov/region-6, he said.