Calls to ban cyber ransom payments are missing the point — Robert Hannigan
The Colonial Pipeline attack has brought a welcome media and political focus on ransomware. Similar recent incidents affecting the Irish healthcare system, schools in the UK, or hospitals in Germany have done the same job in Europe. But anyone working in the cyber industry knows this is not new: they will have observed a quiet tidal wave of these attacks on all continents and affecting businesses of all sizes over the past two years. But for the pandemic, the sheer scale of losses — estimated very conservatively at US$20 billion last year — would probably have caught the attention of governments earlier.
In reaching for a response, policymakers recognise that they need to disrupt the cyber criminal business model, which is low risk, low cost and high return for the attackers. This is particularly true of the Darkside ransomware-as-a-service model.
There is little governments can do about ‘low risk’ until the nation states harbouring these criminal groups take their law enforcement responsibilities seriously. That is unlikely in the foreseeable future, but worth pursuing, as President Biden has promised to do. In the meantime, the US Ransomware Task Force’s proposal to tighten regulation of bitcoin and other cryptocurrencies, and to share information from victims, offers something really practical as a tool for law enforcement investigation.
Policy commentators have therefore focused on ‘high return’ and suggested that criminalising ransom payments would cause the ransomware business to dry up. While everyone agrees that funnelling billions of dollars into crime is a bad thing (and most agree that paying terrorists or sanctioned states should be unlawful), crudely banning all payments is likely to damage victims more than attackers. Most companies choose to pay because they cannot afford the business interruption and may face collapse if they don’t cooperate.
In my experience companies are not relaxed about paying ransoms and do not see it as a simple ‘cost of doing business’. If they have cyber insurance which covers ransom payments, the decision may be easier, but not much. It may be that the insurance industry will take the first step by withdrawing cover for ransoms — AXA in France has already announced this decision — and that trend will help increase the problems for attackers. But companies will still face the choice of going out of business or paying up.
Advocates of banning payments argue that this damage to businesses is a price worth paying. But that is easy for a regulator, government or law enforcement official to say because they are not the ones faced with collapse.
The answer must involve focusing this regulatory energy and governmental desire to do something on the ‘low cost’ part of the ransomware business model. Attacks are ‘low cost’ to criminals because they are easy and meet inadequate resistance.
The main reason why this criminal business model works is that defences are poor, both within companies and across supply chains. Fixing it is not rocket science — we know a lot about these attacks and how they are delivered. Poor IT hygiene, poor password management and authentication, spear phishing or business email compromise, etc. — the list is not new and is wearily familiar.
The simple truth is that most ransomware attacks are preventable. Businesses with a sophisticated managed security service, with MDR (managed detection and response) working at network speed, rarely suffer these attacks. Even when they do, intrusions are contained and the damage is limited.
What governments therefore need to do — and President Biden’s Executive Order moves the US in this direction — is start to mandate and regulate better cyber security. The UK and Europe have been reluctant to do this beyond some large critical infrastructure sectors. But unless cyber defence is improved across the economy and the public sector, and governments agree to play a larger role in helping that happen, it would be unreasonable and counter-productive to ban payments of ransoms. Prioritising the punishment of victims over improving cyber defence misses the point.