Ransomware as Pain: heeding pain stimuli for survival
Ransomware is currently providing a pain stimulus to our country; the US has an opportunity to take action to avoid larger impacts. If the US responds poorly to that stimulus, the outcome will be fatal.
Congenital Insensitivity to Pain (CIP) is a rare condition where an individual has no sensation of pain. Instead of living blissful and pain-free lives, people with CIP receive significant physical injury as a result of being unable to respond to pain stimuli; the BBC even notes that "few individuals with the disorder reach adulthood." Pain is a blessing that exposes a harmful situation, and informs action to forestall further injury.
Ransomware is currently providing a pain stimulus to our country and exposing the harms of universally poor security posture; the US now has a critical opportunity to take action to avoid larger impacts. If that stimulus is not heeded, or the US responds poorly to that stimulus, the outcome will be fatal.
The blessing of ransomware is two-fold: it is loud and high-visibility, and it works very quickly. These are the qualities that make ransomware like pain, and it is this gift in ransomware—although hidden deep within the current pandemic—that can save the US and even give America a competitive edge against our adversaries.
Pain and Response:
As a thought experiment, if you were blessed with an able body and then were to be touched by a hot iron you would immediately sense the pain and move away from it. It would be silly to sit still and call for someone else to move the iron, and it would be sillier still to sit there and pop painkillers. However, that is the response to ransomware that Americans and American businesses have engaged in so far: either calling on the government to protect US companies through direct action to deter adversaries (imposing costs on them by attacking adversaries directly or by seeking to disrupt their payment models), or seeking to dull the impact of ransomware through risk-transferring strategies like cyber insurance.
These approaches do no lasting good in the face of rampant theft of intellectual property, norm-breaking espionage and disinformation campaigns, and growing risk from state-sponsored attacks like NotPetya. The rosiest forecast for such an approach is that it would successfully reduce the frequency and impact of ransomware attacks, while still leaving the US critically vulnerable to attacks that are not financially motivated.
The only long-term solution is to harden the US through establishing liability for building, deploying, and maintaining systems, and using legislation and investment to rapidly enhance the security of American technology.
The Need:
If the US does not respond by hardening our country through a whole-of-society approach we will face worse attacks in the future, and suffer immensely in the event of peer or near-peer conflict. America has not yet faced a near-peer adversary intent on overtly causing damage to the US, and under our current levels of vulnerability and shoddy security such an attack would be horrific.
Three cases from the past few years show the very inklings of the impact a determined adversary could cause:
- Impact to Critical Infrastructure: Earlier this year, an infection of DarkSide ransomware at Colonial Pipeline resulted in the pipeline (normally supplying 45% of East Coast fuel) being temporarily shut down;
- Depth of Intrusion: Also this year, the SolarWinds and Hafnium espionage campaigns—conducted by Russia and China respectively—exposed the efficacy with which an adversary can gain exceptionally deep access to private-sector networks as well as closely-guarded networks within the US Intelligence Community;
- Breadth of Destruction: Back in 2017 NotPetya wiper malware escaped its intended confines and spread across the globe before a reverse-engineer discovered its simple 'kill switch' and stopped the attack long before it caused as much damage as it could have.
There is a frightening commonality across each of these high-profile events: these events are the failures of our adversaries, not their successes. DarkSide's affiliate didn't intend to shut down the pipeline (that was a part of Colonial's incident response/containment process); the Chinese and Russians did not intend to be caught, and it is likely that both adversaries have even more significant campaigns that have not yet been detected; and NotPetya was able to cause so much harm despite not being designed to cause widespread impact, instead having been allegedly designed to stay just within Ukraine.
In the event of open conflict with a peer or near-peer adversary, the US can expect to face an attack that combines the impact to critical infrastructure of the Colonial ransomware event, the depth of intrusion of the SolarWinds and Hafnium intrusions, and the breadth of destruction of NotPetya. And that attack is likely to be executed more effectively than any of those three screw-ups. The damage that the US would experience as a result of such an attack is breathtaking.
Of course, the US would be able to respond similarly with damaging attacks, and that is where the US has an opportunity today to gain a competitive edge over our adversaries.
The Edge:
The US (and Western world) as a whole are suffering more under ransomware attacks than our adversaries are. As a result the US is experiencing this pain stimulus in a way that Russia and China do not, and if the US responds appropriately to the pain stimulus by focusing primarily on helping harden our country against hacking, then the US will be more prepared and resilient than our adversaries in the event of direct conflict.
We need to take concrete steps to improve American defenses across both the public and private sectors by forgoing our absurd reliance on 'defending forward' (a strategy that is as blandly reassuring as it is operationally ineffective), and by applying to the tech industry some of the liability frameworks that are common across other verticals.
These steps will be expensive in the short-term—and must also incorporate offensive action to impose costs on adversaries—however, if the US does respond in this way, we will be more prepared and hardened than our adversaries in the event of direct conflict. This will save lives and tilt the playing field toward US victory.
Why 'Impose Costs' is an Incomplete Strategy:
Imposing costs on adversaries is excellent as part of a strategy, but an anti-ransomware strategy that relies solely or primarily on imposing costs is critically flawed. First, there is so much value that an adversary gets out of ransomware that the costs imposed will have to be very high. Second, the spectrum of state responsibility is complex, and the requirement for response to be timely, coupled with the fact that attribution in cyberspace is difficult, means that a cost-imposition strategy will certainly tread unwittingly upon state-integrated and state-executed attacks. As a result there is no way that an anti-ransomware campaign solely built on imposing costs can be effective without also having so large a scope and scale that it missteps at some point and sparks escalation with an adversary—undesirable under any circumstances, and very risky given our poor security posture in the US.
Instead, reducing the upside for criminals is best done primarily by practically improving defensive capabilities, rather than through hysterical and short-sighted policies like attacking cryptocurrency exchanges (the US has rightly excoriated North Korea for its attacks on SWIFT and other international financial tools, and pursuing a similar policy ourselves is self-defeating and a playground of unintended consequences).
I wish there was an easy button fix to this issue: that the US government could merely flex some military power and eliminate the risk, or that some stricter KYC/AML laws could make ransomware unprofitable. But in our current environment, with an ever-expanding galaxy of border-agnostic interconnected 'things' that just might have security as a single item in their quality assurance checklist (if they do QA at all!), there is no afterthought solution that can be slapped on to insecure products to provide a country-wide blanket of security.
Any policy that seeks to block the pain that the US is experiencing as a result of our widespread cyber vulnerabilities will cause grave harm. We should and must stop the pain, but we must do so by changing our security posture, not by merely removing the sensation of pain.