Did you take a side of ransomware with your 4th of July barbeque? For 1,500 companies worldwide, the dish was unfortunately impossible to pass up. On July 2, U.S. software provider Kaseya  was hit with a ransomware attack from Russian cybercriminal gang REvil. The attack quickly spread as Kaseya’s virtual administration system software was used by several companies known as managed service providers (MSP). For years, cybersecurity experts have recommended that small and midsized businesses utilize MSPs to protect against data breaches. But the recent hack has many second-guessing the recommendation.
MSPs provide a valuable service to businesses across the globe, most of which lack the IT knowledge or the budget to manage networks on their own. Choosing a cyber-savvy MSP is a classic asymmetric information problem for most business leaders, many of whom don’t even realize  the likelihood of their company being targeted.
The unfortunate reality is that MSPs are attractive targets for cyber criminals because they provide hackers easy access to a broad range of systems and clients, so security is paramount. While many small and midsize businesses found their systems paralyzed over the fourth of July weekend, the alternative – leaving cybersecurity in the hands of small businesses – could just as easily have led to a similar (or worse) outcome. Moving back to the old system of having all small businesses run their own networks is not the answer.
One possible solution to fortify the security of MSPs could be implementing the Cyberspace Solarium Commission’s recommendation for cloud providers to create security certification labels . Labels tied to the standards provided by the National Institute of Standards and Technology  could serve as grades for each MSP’s cyber hygiene, providing publicly accessible information with clear guidance to the average consumer. While labels wouldn’t protect against all zero-day threats, they would serve as a significant step in the right direction. But there are more imperative steps to take, namely the creation of better cybersecurity metrics.
The first order of business must be to identify and quantify risk and vulnerabilities across the ecosystem. Many have tried, like the Cybersecurity and Infrastructure Security Agency’s (CISA’s) National Risk Management Center (NRMC) , the National Security Agency (NSA)  and any number of private cybersecurity companies. But as proven by the proliferation of successful ransomware attacks, the United States is still groping around in the dark. Reputational harm disincentivizes companies from reporting incidents, and voluntary reporting programs have generated only a trickle of information . Passing a national data breach notification law  would help provide a full threat picture to our nation’s network defenders, public and private.
But gathering more information is only the first step. Breaches are only one part of the problem. We also need better metrics for assessing the overall health and security of America’s cyber infrastructure. We have no generally agreed upon metrics for network hygiene and no widely used, auditable and transparent measures of enterprise security.
Our second priority must be creating a venue for defining, analyzing and disseminating data about ransomware attacks in usable metrics. To accomplish this, the Biden administration should create a Bureau of Cyber Statistics. While the details regarding the agency’s structure  and mandate  still need to be ironed out, the demand for this type of information is evident. For example, Federal Reserve policies for financial stimulus and unemployment payment decisions are made based on data collected and analyzed by the Bureau of Labor Statistics. Cybersecurity needs a similar data set collector, and it has to reside in an agency that has the authority to ensure that companies comply.
MSPs play an important role, and small and midsize businesses should continue to utilize them. But as Elon Musk once noted : “If you’re trying to create a company, it’s like baking a cake. You have to have all the ingredients in the right proportion.” Thanks to the Kaseya hack, many MSPs are discovering that they don’t have the correct proportion of security in their “cake.”
But it’s not too late. If we want to keep Labor Day from looking like the 4th of July, we just have to ensure that the move to managed services includes cybersecurity.
- “Kaseya”: https://www.wsj.com/articles/kaseya-ransomware-attack-11625593654
- “don’t even realize”: https://www.keepersecurity.com/blog/2019/07/24/cyber-mindset-exposed-keeper-unveils-its-2019-smb-cyberthreat-study/
- “security certification labels”: https://www.solarium.gov/report
- “National Institute of Standards and Technology”: https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/msp-ic-project-description-draft.pdf
- “National Risk Management Center (NRMC)”: https://www.securitymagazine.com/articles/94353-cisa-launches-new-effort-to-develop-actionable-metrics-to-quantify-cyber-risk
- “National Security Agency (NSA)”: https://www.cyberscoop.com/nsa-cybersecurity-directorate-wendy-noble-billington-cybersecurity/
- “a trickle of information”: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/10/cisas-still-overcoming-challenges-5-years-after-cybersecurity-information-sharing-act-became-law/
- “national data breach notification law”: https://www.rstreet.org/2021/04/06/national-data-breach-notification/
- “structure”: https://www.lawfareblog.com/considerations-structure-bureau-cyber-statistics
- “mandate”: https://www.lawfareblog.com/conceptualizing-mandate-bureau-cyber-statistics
- “noted”: https://twitter.com/elonmusknewsorg/status/919918352570691584?lang=en