At first glance, the United States dodged a bullet amid the REvil Ransomware attack against Kaseya VSA and MSPs that run the RMM (remote monitoring and management) software.
President Biden believes the attack caused minimal damage to U.S. businesses. In many ways he has a point: Electric grids didn't go dark. Airports didn't close. Energy pipelines continued to flow. The casual American may have seen the Kaseya cyberattack story on the evening news before quickly moving on to other news of the day.
Still, there was fallout. The attack extended from Kaseya to roughly 50 MSPs. From there, the automated attack stretched out to roughly 1,500 downstream customers. Some reports suggest a million endpoints were impacted -- but that figure may involve the REvil gang seeking to pump up the story.
MSPs Flying Blind Without RMM Software
The bigger issue -- largely missed by the mainstream media -- involves perhaps 10,000 or more MSPs that went without RMM software for more than a week, while Kaseya engineers worked around the clock to patch SaaS- and on-premises versions of the software. We also don't know how many small businesses permanently lost data in the attack.
For those who missed the cyberattack timeline:
- Friday, July 2: The attack starts. Kaseya shuts down the SaaS version of VSA software, and urges MSPs to turn off on-premises servers that run the software. Many U.S.-based MSPs and cybersecurity pros were heading out the door for the July 4 holiday weekend... only to discover they'd be working instead of celebrating Independence Day.
- Tuesday, July 6: Kaseya attempts to restart the SaaS version of its VSA software, only to halt the process and double down on more security enhancements. CEO Fred Voccola apologizes for the delay, and vows the company will have VSA up and running again by Sunday, July 11.
- Sunday, July 11: Kaseya begins the SaaS version restore and also issues an on-premises VSA patch, along with specific guidance to help MSPs implement the patch. 60% of SaaS customers come back online, with the remaining 40% expected to be back online within hours.
- Monday, July 12: 100% of SaaS-based VSA customers are back online as of 3:30 a.m. ET. By midday or so, Kaseya takes down the SaaS service for unplanned maintenance. The overall SaaS service is fully up and running again by 3:30 p.m. ET or so.
What's the big deal with that timeline?
- Imagine airplanes flying without radar and air traffic controllers;
- doctors working without X-Ray and imaging systems; or
- first responders working without GPS.
That's the MSP market without RMM software for roughly 10 days.
Yes indeed, President Biden: Critical U.S. infrastructure was hit by the REvil Ransomware attack vs. Kaseya. In this case, the critical U.S. infrastructure is RMM software.
How Ransomware Threatens U.S. Small Business Economy: The Math
Let me be clear: I'm not knocking Kaseya. Instead, I'm reinforcing a larger issue that extends across Main Street U.S.A. The economic math looks something like this:
- There are at least 50,000 or so MSPs that run RMM software from Kaseya and rivals such as ConnectWise, Datto, N-able, NinjaRMM, Atera, SuperOps.ai, Syncro, Naverisk and others, ChannelE2E believes.
- Those 50,000 or so MSPs support anywhere from 500,000 to 5 million small and midsize businesses worldwide, using a conservative estimate of 10 to 100 end-customers per MSP.
- Those 500,000 to 5 million SMBs surely have tens of millions of PCs, servers, smartphones, cloud workloads, information technology (IT) and operational technology (OT) under MSP management.
Attack the RMM software market, and you've attacked the SMB heartbeat of America's economy -- along with regional economies worldwide.
Indeed, a cyberattack on a single MSP or MSSP could cause $80 billion in economic losses across hundreds of small businesses, a research report issued before the Kaseya attack asserted.
Perhaps that's why President Biden's executive order on cybersecurity -- issued in May 2021 -- specifically called out IT service provider security practices more than a dozen times.
MSP Judgment Day: Industry Insiders Saw It Coming
Rewind to June 2019. ChannelE2E warned readers that MSP Judgment Day was coming. While we love the MSP industry, we predicted the MSP sector could soon face a “crisis of credibility” if the market doesn’t take major steps to more effectively mitigate ransomware threats, attacks and fallout.
I do believe MSPs and their software providers take security more seriously in 2021 than they did in 2019. But our view on the market in 2021 remains unchanged from 2019, at which time we predicted:
- In a worst-case scenario, the MSP industry could be torn apart if ransomware-related lawsuits fly between end-customers, MSPs and their technology providers.
- In a best-cast scenario, MSPs and their technology providers emerge as Dark Knights that snuffed out ransomware long before attacks reached end-customer systems.
- Anywhere in-between leaves us with a crime-ridden Gotham that tarnishes the MSP industry as a whole.
The Case Is Made: Protecting RMM Software Is Critical to U.S. Economy
As I wrote in 2019: It's time for MSPs and their software providers to rise to the occasion. And as for the federal government, it's time to realize that RMM software is critical infrastructure. I suspect that means it's time for the federal government and the MSP industry to sit down with one another. And yes, it's time to discuss -- at a federal level -- how to regulate and protect MSPs, and the powerful software tools they run.
