Operation Fortify: A US Ransomware Plan

The US is currently being ravaged by ransomware.

Our schools are being disabled, our small businesses are being pilfered, our cities are being taken offline, and now our hospitals are being attacked as well.

I talk about the reasons here, but in short, we have long had a horrible state of security in our local governments, our small businesses, our schools, and our hospitals. But until recently, attackers were using less-advanced malware in an unorganized way.

Now they’ve not only started perfecting the tooling they’re using, but they’ve figured out how to monetize the entire operation. They’ve married the tech with the business side, and the combination has caused an epidemic.

The problem is that we’re figuratively out-staffed and out-gunned. In low-security environments, attack is infinitely easier than defense. These soft targets not only lack the defensive technology to protect themselves, they don’t even know what that tech is. And even if they did they wouldn’t have the people to do a basic security assessment, implement basic security practices, and to install and maintain some basic defensive technology.

So I have a proposal: Operation Fortify.

Free to attendees.

  • The Pentagon starts a new program called Operation Fortify, which allocates multiple billions to hardening our essential infrastructure of governments, schools, SMBs, and hospitals.

  • This is accomplished by activating millions of people into the US workforce via a new, standardized security course that takes people new to the industry or who are already working in it—and teaches them how to secure an organization.

These are the top 20 NCC and Optiv-type companies in the country.

  • Those people are then hired as supplemental staff to the US’s existing security services companies that do consulting like this already.

I know many of the best people in the industry for making this course content.

  • We create a free, instructor-led, 2-week (virtual) security training course available to anyone in the US who wants to get into security (or move into this area). The course is trade-focused in that it teaches how to do very specific tasks that will help attendees lock down organizations.

  • Those tasks are: Security Fundamentals (Security+), Networking Basics, Sysadmin Basics, Security Assessment Basics (Nmap, OWASP Zap, etc.), Security Hardening Basics (Patching, Disabling Services, etc.), Ransomware Basics (Common Features, Common Variants, etc.), Endpoint Tool Basics (SentinelOne and Crowdstrike).

  • We then create a concise Fortify Hardening Methodology (FHM) that serves as an infographic and Top-10 list of items to be done for every entity in the country we want to protect.

Maybe add a Cyber to the name. People love some Cyber.


  • After people go through the course and pass the exam, they become Fortify Certified. They are now part of the National Fortify Task Force, and are eligible for hire at these existing US security companies.

  • The Fortify Project then goes to SentinelOne and Crowdstrike, taps them on the shoulder, and says, “You’ve been drafted. We’re securing the entire country using your software. Here’s a lump sum, so make us a free version to be used in all these organization types.”

  • We then divide up the country into regions and verticals. So we’ll have like Southwestern Hospitals, for example, and Northeastern Governments. Every government, school, hospital, and SMB in the country will be accounted for and entered into our National Attack Surface Map (NASM).

  • Then we execute.

    • Project Fortify deputizes all these security services companies to carry out the hardening procedures in the Fortify Hardening Methodology.

    • Fortify-certified people are added to the ranks of the branch of NCC/Optiv/Etc. company where they live as they graduate the course.

    • Each new recruit then gets virtually deployed (via Zoom, et al) to their assigned “customer” based on where they’re needed most in the NASM.

    • If you’re some random county government in upstate New York, for example, Julie will show up one day and say, “Hi, I’m with Project Fortify, and I’m here to help.” She’ll then proceed to follow the Fortify Hardening Methodology for that customer. Figuring out what they have, getting it patched, locking down credentials for key systems, getting the security software installed and configured, etc.

If your objection is that it’ll be a nightmare to put partially-trained people onsite doing work like this, I have two responses. First, you should have more faith in American industriousness. And second, we’re already living a nightmare. It’s actually pretty hard to go into one of these places and MESS UP their security.

If your objection is that this will be hard, or that it’ll cost a lot of money, well, yeah. The only thing that will cost more is doing what we’re doing now. And given the state of military budgets, what’s a few billion among friends?

To be clear, it’s not that I think this is a good idea. There are many challenges with it. I simply think it’s the best option we have.

It activates Americans. It puts them in play against a serious threat. And it simultaneously functions as an infrastructure enhancement project—kind of like Roads and Bridges—and a national training program that addresses the cybersecurity skills gap.

Notes

  1. We could also have a massive network of technical support, using people in infosec who already have jobs. So basically the Fortify Operatives? who are deployed onsite can ask questions about installations, configs, etc. For specific product support, the company itself can potentially offer help with a dedicated support line just for Fortify assistance.

  2. A major, positive side-effect will be that we’ll have trained somewhere between tens of thousands and a few million Americans with some basic security knowledge. Some significant percentage of them are likely to transition into careers in the field using that jumpstart.

  3. This is not the logo I recommend. It’s just a placeholder graphic from the internet that I added the Fortify project name to. But—even more than most projects—this definitely needs a great logo.

  4. The practical nature of the training is likely to help with both the effectiveness of the people onsite during Project Fortify, but also in their marketability afterward.