A debate is raging about how organizations should respond to ransomware attacks, particularly if victims should pay, or just rely on cyber insurance. The recent Biden administration executive order on cybersecurity and other proposed bills that limit or ban ransom payments and mandate reporting of ransomware attacks put pressure on enterprises to update their strategies and prepare for change.
But Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a wide-ranging interview with the Silverado Policy Accelerator that banning ransomware payments would be a "difficult policy position." So, should businesses make their own decision on ransomware or take cues from eventual federal legislation?
Until recently, I was subscribed to the "never pay the ransom" school of thought — partly informed by being a DC native, my proximity to the Department of Justice, and the prevailing attitudes within my professional groups. My stance was also motivated by my professional responsibility of managing vulnerabilities associated with ransomware attacks. I could not control the threat actors or their motivations, but I could control my organizational vulnerability to their ransomware arsenal by rearchitecting our security.
My position took a U-turn when a ransomware attack impacted a family member and small business owner in 2019. The business had an office staff of seven people, and the executive secretary fell victim to a phishing email. The company worked with its outsourced IT administrator to recover the data while the ransomware author offered to fix its problem for $4,000. The small business had an annual revenue of just over $2 million and relied completely on customer appointment data and files that were encrypted and held captive. The IT contractor worked over two days but that didn't yield data recovery or restoration.
I was then asked to examine the environment for a second opinion. I found myself amid a moral conundrum: Would I acquiesce to what was, at that time, my firm belief against ransomware payments? I validated the contractor's assessment that data recovery and reconstitution were not possible due to a lack of a recent backup. I weighed the business impact of not being able to service customers on Monday morning with scheduled appointments and decided it made more financial sense to pay. I prepped my family member in the negotiation for the ransom demand, which he and his business partner facilitated, and reported the incident to the Internet Crime Complaint Center (IC3). We received evidence that the data decryption was successful on a sample, made the cryptocurrency payment, and reported the incident to local authorities.
Living through that experience of assisting a small business with a ransomware attack changed my perspective. The arguments proposed today are often geared toward big business. What about the existential threat of ransomware attacks to small and midsize businesses, where cybersecurity spend is a fraction of what it should be? Unfortunately, we can't expect to see an increase in down-market CISO jobs becoming available. Administering fines to improve security posture also won't work, as many companies will instead under-report vulnerabilities rather than expose themselves to financial and reputational loss.
Either way, paying a ransom is a tough call. While I am still not a complete advocate of giving cybercriminals what they want, there are conditions where it may make sense. I believe there is a middle ground, especially when cooperating can result in information sharing — a key tenet of the recently released federal cybersecurity executive order. If a ransom is paid, the company responsible should disclose the criteria that led to the decision. The firsthand account of dealing with cybercriminals would help a company's shareholders, customers, other stakeholders, and the government to evaluate whether the right decision was made. This would empower a variety of responses, both negative and positive.
There is also the notion of criminalizing all ransomware payments to undermine the motivation to attack companies in the first place. The belief being the perceived benefit of attacks would plummet to near zero. There is a real argument to be made that paying digital ransoms could aid and abet terrorism and certainly does so for cybercrime.
Other reactive measures are being considered, from the outrageous (outlawing cryptocurrency) to various risk transference scenarios focusing on cyber liability or kidnapping and ransom insurance policies, and even making it solely a law enforcement decision on a case-by-case basis. I believe we need to focus on what we can control, which brings me full circle. We can control our vulnerability and our ransomware resilience. We can control our attack surface and our visibility into our business environments to prevent compromise, lateral movement, and data loss. This might require transformational change in our applications, networks, and security postures, but it is something we can control collectively within our organizations. As Dr. John Lilly, the American neuroscientist, once said, "our only security is our ability to change."