On Wednesday – just Wednesday – news stories emerged about an airplane maker, information technology giant and computer game company all having operations disrupted by ransomware. In the last year, such attacks have swept through every sector, affected schools, hospitals, critical infrastructure, transportation and governments.
Many argue that policymakers need to do something about the problem. But few solutions have been formally put onto the table. One explanation is that historically, ransomware was not seen as government’s problem any more than shoplifting: a crime against businesses that federal law enforcement saw as beyond its domain.
But that’s changing.
“What we’ve seen in the last several years is an erosion of that divide,” said John Dermody, an attorney with O’Melveny who previously served as deputy legal counsel to the National Security Council and in the general counsel’s office at the Department of Homeland Security.
“It is a very difficult issue to address because it’s not something the government would typically be involved in. But there is a recognition this is a serious problem, and the status quo is not sustainable.”
In the past, the government would not step in because ransomware was not a national security issue. In recent years, it has become exactly that. The disruption of critical infrastructure services could be devastating, regardless of the attacker’s motives.
And effects of ransomware in aggregate can be a problem on their own.
“The drain on economy is a national security issue, not just the threat to infrastructure,” said Dermody.
There are also times when the criminal organization launching the attack is itself the national security threat. In 2017, North Korea-linked hackers launched WannaCry, a fast-spreading wormable ransomware likely intended to generate revenue for a regime rocked by sanctions. Later that year, Russia-linked hackers launched NotPetya, file wiping malware disguised as ransomware that caused billions of dollars in damage globally. Common ransomware protections could have partially mitigated either event.
But despite a federal interest to slow the scourge of ransomware, identifying the proper approach proves a challenge. Offenders operate out of countries uninterested in investigating or extraditing cybercriminals. It is tough to operate on a standards basis, because criminals adapt. And imposing rules on businesses can sometimes result in penalizing the victims.
“The government has options, but none of them are easy or fast,” said Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the Cyber Threat Alliance.
Daniel advocated for the newly minted White House national cyber director to quickly develop a broad ransomware plan to address the problem. A thorough solution, he said, will likely go beyond that one office.
“It’s like many things in cybersecurity,” Daniel said. “If you think about it as ‘can you eliminate the problem entirely’ the answer is no.”
Nor will all be pleased with the approach. As Dermody put it, “the medicine might not taste good.”
Among the most direct solutions to making ransomware less profitable is to make paying ransoms impossible.
The Treasury’s Office of Foreign Assets Control alerted companies last year that they may face enforcement actions if they pay ransoms to sanctions – that is, entities covered by the Specially Designated Nationals and Blocked Persons List.
One particularly unsubtle way to reduce the market for ransomware would be to expand this ban ad infinitum and legally ban payment of any ransom to anyone. This idea has been suggested by multiple groups and remains extremely controversial.
The move would be akin to Italy’s move to ban payment of ransoms after a scourge of mafia kidnappings in 1998. For better, it would make ransomware much less profitable. For worse, it would take options out of the hands of people being backed into a corner.
“We have two choices: Allow ransom, which guarantees ransomware will continue, or ban it, which guarantees it will stop,” said Brett Callow, a threat analyst at Emisoft who backs the concept.
But, he notes, it would be “naive” to think every company would go along with the ban.
“We’re going to end up criminalizing being a victim. They will still pay, but it will be illegal. It’s a little blunt to be a solution,” said Mike McNerney, chief operating officer of Resilience, which provides cyber insurance, and a former policy adviser to the Department of Defense.
Resilience and the Cyber Threat Alliance are two organizations in a multistakeholder ransomware task force organized by the Institute for Security and Technology started late last year.
Among the problems that get mentioned with that concept of criminalizing ransom payments: Banning a hospital or fire department from paying a ransom might end up killing people who require immediate services, and compliance could potentially be extremely low.
“It is easier for a government to say ‘do not negotiate with terrorists’ than for a small company to allow itself to go out of businesses,” said Torsten Staab, chief technology officer for cyber protection solutions at Raytheon.
A less abrasive way to interrupt payments could come at the cryptocurrency level. Ransomware operators rely on cryptocurrencies as a quick, anonymous way to transfer funds. But there may be ways to cut back on that anonymity.
Tom Kellerman, head of cybersecurity strategy for VM Ware Carbon Black, who has held several federal advisory roles in cybersecurity, suggests making cryptocurrency beholden to the same key rules banks have to follow.
For example, traceability of transaction to an actual person in all exchanges could be required, versus an anonymous routing number (this is a policy known as “Know Your Customer”). A second option would be to introduce a mechanism to seize unlawfully obtained funds.
“If the virtual currency market wants to be legitimate then they should be; but being legitimate is to know your customers,” said Kellerman.
Traceability received backing from Crowdstrike co-founder Dmitri Alperovitch, now head of the Silverado cybersecurity think tank, during testimony at a House Homeland Security hearing earlier this month.
“Criminals rely on cryptocurrency such as Bitcoin, to anonymously collect hundreds of millions of dollars in ransom payments,” he said. “Congress should evaluate how stronger [know your customer] requirements can be used to effectively stem ransomware threats and support Treasury Department action that achieves these objectives.”
Improving baseline cybersecurity
Blocking payments is not the only way to limit the market for ransomware. A second option would be to reduce the number of vulnerable organizations.
“One of the issues with ransomware is that, if you look at it from the victim’s side, there’s no consequences for not increasing standards,” said Raytheon’s Staab, who added that certification requirements could be added to business licensing.
But raising the standard for ransomware defense can be more complicated than it sounds. Part of the problem is technical. Staab notes the long held advice like keeping backups is less useful in a world where many ransomware operators are switching to a “double extortion” model, both encrypting files and threatening to post them online.
Part of the problem is political. Generally, the United States has shied away from enforcing legal standards for cybersecurity.
And part of the problem is logistical. With an unending supply of computer vulnerabilities and human targets to work with, baseline standards will always lag attackers.
Still, a lack of a baseline has made attacks much easier. Staab mentions training as a key minimal component for organizations.
One way to aviod issues with regulation would be to require general preparedness for an emergency. Daniel suggests that critical infrastructure should have a plan in case they are hit with ransomware.
A second would be to use the burgeoning cybersecurity insurance industry to propel minimal standards, the same way business insurance ties rates to physical insurance.
“I’d like to see the government take this up again to work with the insurance sector to create incentives for businesses to invest in cybersecurity,” mainly small and medium ones, said Kierston Todt, head of the small business preparedness advocates the Cyber Readiness Institute and a veteran of several advisory and legal roles in the government.
Todt said that cybersecurity insurance is prevalent among SMBs, despite in many cases offering a low return on investment. Insurance reinforcing security standards might increase that value. It’s a concept that the Department of Homeland Security was pursuing during the Obama administration.
McNerney at Resilience, said the situation would not be unlike insurance companies responding to the outbreak of kidnappings in Latin America, where education about security practices became a key component of the industry.
Ransomware is a global problem. Solving it may mean pulling on several of the U.S. government’s international policy levers.
And allies often want to help – an important factor given the global architecture of many ransomware campaigns. Efforts to take down global criminal operations routinely involve security vendors, the U.S., Interpol, Europol and foreign national police forces.
“A lot of it has to do with linkages,” said Daniel. “You link it to other things a country wants.”
Countries like Ukraine, where many cybercriminals originate, may be enticed by anything from arms sales to NATO status, for example. But a country like Russia, a frequent home to cybercriminals, is less likely to support efforts. And without Russian compliance, there is little chance of getting criminals off the streets.
“The joke at the NSC is that whatever the policy problem, sanctions are the answer,” said Dermody.
But sanctions aren’t the only way for U.S. policy to reach beyond its borders. Another would be to increase the use of U.S. Cyber Command as a way to disrupt cybercriminal operations; sources familiar with the military’s operations believe that may already may be in the works.
“I think where you’ll see new activity over the next few years is the use of CYBERCOM to throw sand in the gears of cybercriminals,” said Dermody.
Any solution to ransomware will involve multiple layers, starting from the smallest of businesses and expanding out to multilateral geopolitics. The point, say many of the people with an eye on the issue, is that there is a growing consensus something has to be done.
At the House Homeland Security meeting last week, Chris Krebs, former head of Homeland Security’s Cybersecurity and Infrastructure Security Agency, identified ransomware as the top threat to state, local and small businesses. Policy makers have begun to take notice.
“Until the last couple of years, ransomware was seen as a nuisance but not a national security threat,” said Daniel. “Now it’s more than just an economic burden.”