Good News for SMBs as White House Steps Up Counterattack Collaboration on Ransomware Gangs

Written by DataStream | Feb 18, 2022 5:13:21 PM

But does this mean the end of ransom payments?

Last month US Government officials announced a major new assault on cybercriminals, particularly those looking to rip businesses off with ransomware attacks.

The move, announced by a senior Biden White House official, includes a range of options designed to both halt attacks, and support law enforcement officials in their efforts to bring those responsible for the attacks to justice.

The cross-government plan – which is aligned with similar moves by officials in other countries – could also see US Government cyber experts go on the attack themselves against criminal gangs, as well as options to ramp up data sharing to build extra resilience into the system.

It comes after a wave of recent ransomware attacks that have struck at the heart of American business operations. These have included high profile attacks like the Colonial Pipeline incident, which caused fuel chaos along the US East Coast, and the JBS incident, which paralysed the world’s largest meat processing company.

Forming the new taskforce, US Government officials are hoping to stem the tide of ransomware attacks, and in doing so, close off a modern business vulnerability that when exploited, can wreak havoc on the US economy.

Amongst the levers being looked at to stymie organised cybercriminal activities, there is a reward fund of $10m in place, for information that leads to the arrest of those responsible.
Could paying cyber ransoms become illegal?

However, one controversial area being looked at includes the question of whether to make the payment of ransoms illegal.

The idea behind the suggestion is simple – ransomware, by its very name, is designed to extort money from victims, by forcing them to payout a sum in return for unlocking their data.

Typically, as in the Colonial Pipeline case, the victims then pay that ransom in the form of cryptocurrency – a decentralised form of money that can be significantly harder for authorities to track and trace. In the Colonial Pipeline attack, the ransom paid was rumoured to be around $4.4m.

Paying out ransoms at the moment is not illegal. Yet many agencies urge victims not to pay out, because of a legitimate concern that doing so only goes to encourage more criminal attacks, as in essence, their modus operandi has been proved correct.

But for DataStream Insurance CEO Andy Anderson, any forced ban on paying ransoms can only come once the mechanisms for stopping ransomware are already in place and proven.

He says: “It is hugely positive that the US Government is taking proactive and determined action against the wave of cyber criminality currently impacting SMBs across the US and especially the scourge of ransomware.”

“It is especially encouraging to hear White House plans for greater data-sharing on defence strategies to tackle ransomware – something we at DataStream have also been calling for.”

“Yet there is one element of their plan that I am concerned about, and that’s making ransom payments illegal.”

Part of the problem with this, Anderson explains, is that you can end up in a position where you actually punish the victims more than just the ransomware.

He added: “It sounds great in principle. But the reality of banning people from paying ransomware means you put those businesses in a horrible position. You might force business owners to break the law to save their business.”

“The thing is, what drives ransom payments – especially for SMB customers – is really the question around, what is their next best option. If that next best option is effectively going bankrupt, then a big ransom payment is their best option.”

Instead DataStream believes the approach should be a mix of tactics.

Firstly, as the Government is doing, to forge wider partnerships to enable greater sharing of threat protection data, as well as working to push harder on the choke points we know criminals need to flourish. These include things like payment flows – making it harder for criminals to convert Bitcoin into a fiat or centralised currency.

Secondly, though, for businesses that support SMBs – like MSPs and VARs, and of course insurance providers like DataStream – to work more closely with them with a focus on building resilience.

Anderson adds: “It’s about the transition from security to resilience.”

“Security is about stopping attacks, resilience is about recovering from them when they happen. Trying to stop attacks is important, but a portion of time and investment has to also go into the tools and processes that are used when they actually do succeed.”

Often even a small investment in these “post boom” things (good backups, clearly defined and tested incident response plans, and cyber insurance all fall into this “post boom” category) can drastically change the potential outcome of a ransomware attack.

Anderson continues: “To make this a little more concrete, if as a business you have a way of continuing to operate in the face of an attack – through redundancy in your systems or additional systems that can be fired up, coupled with robust backup data processes – then you limit the criminals’ ability to impact day to day operations and inflict immediate financial pain on the business.”

“Less pain means less reason to pay a ransom.”

“For us, this is the key thing – and definitely, this is an area we are hoping the Government focuses on – because the more resilient we can make US SMBs against ransomware, the less this becomes a problem for everyone in the country.”

For more information on building resilience into your business operations, book a call with one of our experts today.