Faced with a growing number of ransomware attacks in the US, companies and other entities must balance the ethics of engaging with cyber criminals and the economic impact of refusing to. Until the US government creates a clear policy framework for responding to this issue, hackers will continue to reap the benefits. The federal government should take steps toward making ransom payments illegal by providing the knowledge and resources needed to protect vulnerable systems.
In the past two months, ransomware attacks targeting companies in major US industries, oil and meat, resulted in ransom payments. Colonial Pipeline, which controls a 5,500-mile pipeline that helps fuel almost half of the East Coast, paid the equivalent of $4.4 million in Bitcoin to the Russian-linked hacker group DarkSide. Three weeks later it was JBS, the world’s largest meatpacker, being forced to empty its pockets to regain access to its networks — this time to the tune of $11 million.
Inversely, in March of 2018, the City of Atlanta refused to pay hackers roughly $51,000 in Bitcoin, as it was then valued, to recover stolen data. A few months later, the city was faced with a $17 million bill to rebuild its network. Similarly, and just over a year later, the City of Baltimore declined paying $76,000 in ransom after its network was infiltrated, a decision that ultimately cost the city $18 million to remedy.
The FBI’s current guidance on ransom payments illustrates just how muddied the waters have become: “USG [United States Government] does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.” Basically, the government doesn’t want companies to do it, but understands they might have to.
As criminal hackers become more sophisticated, bolder, or simply luckier, the payoffs get bigger. Infiltrating the data systems of companies like Colonial Pipeline and JBS does not just cause a headache for the company itself, but also has a downstream impact on hundreds of thousands, if not millions, of people. Disrupting entire economic sectors means that these hackers have a better chance of a lucrative payday; companies understand the ransom payment is peanuts compared to the broader economic cost of halting operations. Additionally, a million-dollar check for something as simple as sending an email to the perfectly unsuspecting person makes the enterprise that much more appealing to hackers.
The problem is becoming so alarming, in fact, that the US government has elevated ransomware attack investigations to the same priority level as terrorism. Famously, the United States has made it clear that it does not negotiate with terrorists. The problem, then, is squaring this idea with the government’s permission of some ransom payments.
The question remains: how does the federal government respond to the growing threat and create policy that works? Outlawing ransom payments risks hackers targeting vulnerable industries like healthcare and energy, daring companies to abide by the law while putting lives in danger. Cyberattacks of the government’s own risks costly and perhaps unnecessary escalation with other countries. Doing nothing, of course, is not an option.
The US government’s best strategy is to take a systematic approach towards making ransom payments illegal in due time, but also navigating improved cybersecurity policies to ensure vulnerable targets are able to properly prepare themselves.
First, the US government should engage with company executives, local government leaders and small business owners on education and best practices to ensure the most effective counteractive measures to ransomware attacks are undertaken. This may include significant efforts to update network capabilities and security software, educate employees about common phishing scams, and backup data into the cloud. These and other simple measures are the first line of defense and immensely important.
Second, US cyber command should maintain an acute focus on knocking hacker groups off servers and dismantling their operating systems. Over 4,000 ransomware attacks occur daily, meaning there is ample opportunity to learn where attacks originate, how they are deployed and how they can be thwarted. Taking down larger and more capable cybercrime rings like DarkSide will have a significant impact on decreasing ransomware attacks.
Third, the government should allocate relief when necessary for situations in which a company, small business, or local government is still targeted despite precautions. From a fiscal standpoint, entities may prefer to pay less costly ransoms to recover data rather than rebuild networks from scratch. If the government wants to eliminate the possibility of hackers ever getting paid, it should be willing to provide monetary assistance. The government should incentivize the improvement of security systems and the non-payment of ransoms, while also providing a necessary safety net when precautions fail.
Finally, the government should place economic sanctions on countries such as Russia, which is known to turn a blind eye to cybercriminals who do not tamper with the country’s own networks, until they crackdown on the crime. The US and its allies should be forceful in its response to pressure Russia and others into joining the fight against ransomware attacks because diplomacy has thus far failed.
As these objectives are implemented, the US government can reconsider making ransom payments illegal because it will have further reduced the number of successful attacks. Right now, the government and private actors do not have the resources available to make the illegality of ransom payments a viable policy. However, this should be the end goal.
In the meantime, if you are reading this and have not enabled two-factor authentication or updated your security software since you bought your laptop (no, “remind me later” is not updating your security software), do it now. Remember best practices around phishing emails and pay attention to the cybersecurity training your employer may provide. Protection from ransomware is only as strong as the weakest link, and the individual employee will always be that link.