As President Biden meets today with private sector leaders to discuss ways to amp up cybersecurity efforts, a different new initiative should come front and center.
Last week, the U.S. Department of Homeland Security announced a new public-private partnership called the Joint Cyber Defense Collaborative (JCDC). The JCDC will align government with (mostly tech) company efforts to address key cybersecurity issues, the first of which is ransomware.
While the JCDC sounds like a great idea, it isn’t needed in this case. The government could easily stop most ransomware.
This administration gets high marks for recruiting talented cybersecurity leaders. Chris Inglis is the White House’s National Cyber Director and Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Both are highly capable, but their talents are better focused elsewhere.
Ransomware is an economic attack that uses technical means. Treating it as a technical problem misses the point. There are technical controls that can help, of course, such as timely patching and frequent backups. Technical controls are just point-in-time solutions; as better defenses are deployed, attackers evolve. For example, when defenders improved backups, attackers evolved their methods by threatening to leak their victim’s sensitive data. This is called “co-evolution;” both attackers and defenders ratchet up their capabilities over time.
While attackers’ methods may evolve, their motives remain unchanged. In the case of ransomware, we are almost always talking about financial extortion. Anonymous payments via cryptocurrencies, such as Bitcoin, have emboldened attackers by making it harder to follow the money. But neither the absence of controls nor the payment schemes are the best place to fundamentally disrupt this system.
To really impact ransomware, we need to address the motivation behind it. If the government made it illegal to pay ransom with impactful penalties (e.g., making corporate officers personally liable), the attackers would have little interest in continuing. No public company with audited books would pay. No municipality, public hospital, public school, or nonprofit would pay. Nobody with audited financials would pay and risk going to jail. At that point, there would be no reason for attackers to do the work and demand payment — they can’t get paid.
There might be some individuals and small private companies who would pay and assume they wouldn’t be caught. Still, by making payments illegal we force the attackers to scale down to a less profitable segment of people without scrutinized books. We shrink the value of attacking.
A version of this law already exists. It’s illegal today to make a ransomware payment to an individual or country subject to Office of Foreign Assets Control sanctions. Practically speaking, this is hard to enforce because the anonymity of the payments hides their destination. We could either expand the regulation by saying that payers of ransomware have to explicitly know that they aren’t violating sanctions, or simply outlaw all payments.
Some may argue that this is penalizing victims. I disagree. Until such a law takes effect, the victims are allowed to pay increasingly large ransoms. Once the law takes effect, payments would stop.
Most laws exist to protect society from potentially harmful action of others. Those who pay ransom today encourage attackers to continue attacking others. Incenting someone to attack more victims creates harm to others. We’ve seen this play out as both the frequency of attacks and the size of payments demanded have grown exponentially.
There is absolutely a role for government to play in stopping ransomware, and it’s simple: legislate. Outlawing ransomware payments would remove the incentive to attack.