Governments should forbid organizations and individuals from paying ransomware gangs to stop the escalating number of attacks, a cybersecurity panel has heard.
But they also were told policymakers can’t issue such a ban without first being ready to deal with the possible ramifications including the disruption of essential services by a determined attacker.
“If we do it tomorrow we all could be in trouble,” Ari Schwartz, managing director of cybersecurity services and policy at Venable, told the webinar run by the Institute for Security and Technology on Wednesday.
The goal of policymakers should be to eventually ban ransomware payments, he said, warning that unless there is government action, ransomware is “only going to spiral downward.”
But, he cautioned, a ban on payments by itself won’t stop some attackers, so governments have to be ready to help people. For example, he pointed out, when the U.S. Colonial Pipeline temporarily shut down in May after a ransomware attack, there were lines at gasoline stations.
One possible solution is, in the short term, granting payment exemptions to certain critical infrastructure providers, he said. But that raises the risk attackers will go after those targets.
Costs vs benefits
Panelists admitted that weighing the costs and benefits of paying or not paying is tough. According to news reports, Colonial paid US$4.4 million in ransom even though it claimed the attack didn’t affect pipeline operations. The U.S. Justice Department recovered US$2.3 million of it. In May, Ireland’s Health Service Executive refused to pay a ransom after an attack that caused it to temporarily shut all IT services to hospitals across the country. But it estimated it could cost the government the equivalent of tens of millions of dollars to rebuild the IT infrastructure. Speakers also acknowledged that in some cases it may be less expensive to pay a ransom and get data back than to not pay — assuming the crooks are honest. On the other hand, it may still cost a huge amount to rebuild IT systems anyway. And some small organizations may have no choice but to pay or they’ll close.
All of these factors have to be considered by policymakers, speakers said.
Public must be educated
Jen Ellis, vice-president of community and public affairs at Rapid7, said the public has to be educated on the possible impact of a payment ban. Earlier this year, when a ransomware attack on Ireland’s Health Service Executive meant hospital appointments had to be temporarily canceled, the parent of a child who needed cancer treatments told her that he’d re-mortgage his house if it would help pay the demanded ransom.
“How do we message people like that with banning ransom payments?” Ellis asked. “We have to think about how this will impact people like that and if they’re going to understand the dynamics of the situation. So not only do we have to figure out the transition path, we also have to think about how to bring people with us … and communicate in a much more empathetic way.”
There are some organizations that have to pay ransoms, she added, or risk going out of business.
Ellis was a co-chair of the institute’s Ransomware Task Force and noted one of its recommendations was that governments should establish Cyber Response and Recovery Funds to support ransomware victims.
It also called on governments to mandate that organizations report ransom payments, to help understand the scale of ransomware, and to require organizations to consider alternatives before making payments.
Panelist Josephine Wolff, associate professor of cybersecurity policy at Tufts University in Massachusetts, admitted she is more impatient with what she sees as government inactivity on ransomware.
“Where I see a real failing is not on the part of individual victims who are doing what any of us probably would do [and paying], but on the part of the policymakers who are letting that happen.” Instead they are “just sitting back and saying ‘I guess this is the cybercrime ecosystem right now and there’s nothing we can do’… In my most emotional moments I find that [attitude] really heartbreaking.”
Wolff added that she understands victim organizations worry about getting their businesses running, “but [it] seems to me that it [ransomware] has been going on for so long and grown to be a problem of such magnitude that it’s astonishing to me how little willingness there is to think about the future.”
To start, she said, governments should forbid insurance companies from paying ransomware gangs, and stop making ransomware payments a tax deduction.
Wolff said it’s “shocking” how few victim organizations pay apparently without asking the NoMoreRansom.org service if it has decryption keys for the type of ransomware they’ve been hit with. The site is a service of Europol and a number of cybersecurity providers like McAfee and Kaspersky. Wolff wondered why no U.S. government or law enforcement agency supports the site.
Among the panelists’ recommendations, Ellis said organizations need more help implementing cyber attack prevention “in a real pragmatic way,” while Schwartz called on governments to enforce transparency regulations over cryptocurrency transactions.
“This is a public policy issue, it’s not just a technical thing for the computer nerds to deal with,” concluded moderator Michael Daniel of the Cyber Threat Alliance, “and we should be having these debates. These are decisions for policy for society as a whole.”