Regulation and Ransomware: Fix the *Right* Problem
Any ransomware solutions dictated to industry that fail to primarily address the business side will be ineffective at best, and are most likely to be costly, ineffective, and burn political capital with industry and voters.
Travelex, CNA Financial, Colonial Pipeline, JBS Meatpacking, Sol Oriens, Fujifilm, ransomware attacks have victimized many companies in high-profile attacks. Ransomware attacks have become so common that BleepingComputer runs a "This Week in Ransomware" article every Friday that lists the major ransomware attacks of the week, and according to RecordedFuture the US experiences an average of one ransomware attack every 7 hours.
Ransomware is a growing problem, and yet it has already grown to be a national problem. To address this issue, Congress is looking at writing regulations to promote cybersecurity within critical infrastructure sectors. Tim Starks from CyberScoop reported on this earlier this week:
As Congress and the Executive Branch look at applying fixes to the problem, it is critical that we fix the right problem. Depending on who you are, you likely see ransomware as a specific kind of problem:
To the government, ransomware is a national security problem.
To the infosec practitioner, ransomware is a technical problem.
To the target company, though ransomware is a business problem.
None of these views are actually incorrect and everyone should apply solutions within their spheres—government should apply natsec solutions and infosec industry should apply technical solutions—but when the government is seeking to apply solutions for industry here, it must approach the problem as a business problem.
Currently, companies are unwilling to make investment and operations decisions that will lead to lower rates or impacts of ransomware (more on this in a moment). And while I'm pleased that an adversary was deprived of their ill-gotten gains and that a victim was made (nearly) whole again, when the FBI regains the ransom payment the takeaway is that it is the government's job to permit shield businesses from the accompanying costs of operating in a risky manner.
Any ransomware solutions dictated to industry that fail to primarily address the business side will be ineffective at best, and are most likely to be costly, ineffective, and burn political capital with industry and voters.
Here are my recommended solutions:
1. Ban insurance payouts covering ransom payments.
Companies would still be free to make their own business decisions, but would no longer be permitted to hedge against ransom payments.
This will be unpopular, and the former head of the UK's National Cyber Security Center (NCSC) Ciaran Martin has said that he doesn't think banning insurance payments will necessarily solve the problem. However, this is such a fairly light-touch regulatory step, and strikes so directly at the profitability of ransomware, that it is worth implementing.
Obviously, if ransomware is a profitable business (it is: reporting on ransomware profit margins ranges from 75% to 99% compared to a ~20% for Google, and year-over-year growth in the ransomware industry demonstrates the financial success of ransomware), it is going to continue to grow.
I first heard this recommendation to ban insurance payouts from Frank Bajak, where he notes that the UK introduced a similar measure in a law in 2014/2015 that (among other and flawed security laws) banned insurance payouts to cover ransoms from terrorist kidnappings. Supporting Bajak's recommendation, a previous study looking at US and UK responses to terrorist kidnappings notes that refusing to negotiate/pay ransoms does decrease the rate of kidnappings.
2. Require SICI to have effective (consistent, offline, and tested) backups, regularly (annually?) test their restoration/recovery procedure, and report their outcomes to CISA. This requirement should be supported by government funding and SME support from CISA, and be enforced by fines.
'SICI' is defined on page 97 of the Cyberspace Solarium Commission Report as "entities responsible for systems and assets that underpin national critical functions." The Commission suggested that SICI should both receive significant support from the US Government, as well as "shoulder additional security requirements consistent with their unique status and importance."
To support this effort the government could provide financial and SME support to SICI through CISA, and be enforced via fines for non-compliance. Execution could follow the model of NERC CIP enforcement and compliance. CIP isn't a perfect solution within the Bulk Electric System, but it is probably the best model for SICI as a whole, crossing the 16 critical infrastructure sectors.
Now, I know that 'have good backups' is a technical solution where I have called for business solutions, but the key part here is the enforcement scheme. Industry has demonstrated that—left to its own devices—it won't invest sufficiently in resilience, and fines for noncompliance (coupled with financial and SME support to enable compliance) can help shift that business decision.
3. Require some SICI entities to have plans in place in order to be able to manually operate their critical functions in an emergency.
This would apply only within Operational Technology (OT) environments. Part of Norsk Hydro's successful response when they fell victim to ransomware in 2018 was their ability to manually operate their plants. When Maersk was hit with NotPetya, they were able to limp along manually (until they restored from an miraculous/accidental backup).
It is a good thing for businesses to be profitable. Government regulation should not exist to curtail profit, but it does have an appropriate role in ensuring that the single-minded pursuit of short-term profit doesn't result in unsafe operations. "Running out of fuel as the plane tires touch the ground is not smart."
4. Pass a law require organizations to report to CISA all ransom payments with a total cost exceeding $100k.
This provides the government with a better picture of the scale of ransomware. Additionally, by collecting the method of payment, as well as any cryptocurrency addresses to which funds are sent, the government can attempt to trace payments, or target addresses/wallets.
Moving away from talking about critical infrastructure in the private sector, there are some anti-ransomware tactics that the government should own: applying significant pressure to Russia, and directing Cyber Mission Forces to go after some of the more prolific ransomware groups to burn their infrastructure, expose/indict their operators, and drain their wallets (this can be supported by targeting information derived from recommendation 4 above, and funds reclaimed could go to support recommendation 2).
My final and more tentative recommendation would be to apply some regulations to business that provide cybersecurity services (or even just software providers in general). Electrical engineers and contractors working on homes have liability if they perform shoddy work that damages or facilitates damage to that home, but cybersecurity (and other software) companies rush products to ship without liability. Permitting liability for such companies would dampen the shocking growth of that industry, but would also result in more-effective security products.
Here are some counterarguments:
"Industry knows what to do, they just need some help"
Earlier in this article I said that companies are unwilling to make investment and operations decisions that will lead to lower rates or impacts of ransomware, here is some supporting data for that claim:
Cybereason recently put out a report based on a survey of 1,263 cybersecurity professionals, conducted by Censuswide. The report notes that 81% of respondents are "highly or very concerned about the risk of ransomware attacks," but only 73% "have a specific plan or policy in place to effectively manage a ransomware attack."
That aligns with the recent senate testimony of Colonial Pipeline CEO Joseph Blount, where (at 1:10:17 in the video in the link) Sen Maggie Hassan asked Blount if Colonial had "a plan for cybersecurity response that included ransomware" and Blount responded that they did not.
The Cybereason report demonstrates that a good chuck of industry is failing to take basic steps, with 27% lacking a specific plan or policy to effectively manage ransomware, and at least 8% of respondents lacked a specific plan while also being "highly or very concerned."
Industry needs help less than it needs an incentive to push it into action. And financial incentives are the readiest spur for industry.
"Industry lacks the tools to respond effectively (and government should help out by developing new standards)"
This is a bit more compelling, but is also incorrect. When Norsk Hydro was hit by ransomware in 2019 it responded effectively. Industry has the right tools, they just don't make business sense at this time. By creating financial incentives/disincentives the government can shift business decisions, effectively and (relatively) speedily causing companies to apply best practices.
The government has NIST (the National Institute of Standards and Technology), and NIST has already produced SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and 800-82 (Guide to Industrial Control Systems Security). But the government has not effectively translated those documents into applicable standards.
NERC CIP (North American Energy Reliability Corporation Critical Infrastructure Protection) requires security practices within the Bulk Electric System (BES) in the US, and is a better model for standards.
Overall, though, maybe the government could generate the right standards for each/all of the 16 sectors of critical infrastructure, but it would not be an efficient use of time and effort here—especially since ransomware is a critical problem today and we don't have years to wait while the government develops a new standard.
"Government should stick to national security-type solutions, and not interfere in business"
This one kind of makes sense, but ignores that the role of the government is to govern. And that includes domestic and economic elements, not just running the DoD and State Department. There is a host of government agencies (FTC, FCC, OSHA, FDA) designed to 'interfere in business.'
Government needs to avoid overreach in applying regulations, but regulation is not intrinsically overreach. And given industry's failings here, regulation is required.
Photo by Blogging Guide on Unsplash