This year’s Colonial Pipeline breach thrust cyber ransom from an esoteric concern of technologists and victims to a household issue. Governments had no clear playbook while gas shortages locked up the eastern United States and now recognize the need for a more thoughtful role.
As the policy community gets its arms around how government can help, we wanted to share an industry perspective on one proposal floated by thinkers outside the cybersecurity space: we believe ransomware payment bans are bad policy.
Payment bans are predicated on two basic assumptions: 1) the policy will cause victims to stop paying, and 2) fewer payments will force threat actors to cease ransom operations. Unfortunately, we do not believe either of these assumptions is correct.
Victims will continue to pay
Bans are effective instruments when the penalty outweighs the banned activity. This is simply not the case for most ransomware victims. No victim wants to pay threat actors, and virtually all victim firms explore every practicable alternative. Many choose instead to laboriously reconstruct data from paper records, or to engage armies of response consultants and forensic recovery specialists -- some simply rebuild from the ground up. Ransom payers have typically exhausted every other alternative, and no government penalty will change the calculus for victims with no other option to keep their doors open.
Threat actors will continue ransom operations
We do not believe that firms will see a significant drop in cyber ransom even if penalties effectively reduce payments. Ransomware is booming because the return on effort far outpaces most other cybercrime - it's just too easy. At best, threat actors will push ransom further down the attack chain, deploying ransomware after other monetization techniques are complete to squeeze the last bit of value out of victims. At worst, threat actors will chase historic profit by scaling up attack volume and making the process more painful for victims.
Disruptive policies always introduce unintended consequences and policy leaders are aware that ransom payment bans are no exception. Deputy national security advisor Anne Neuberger highlights that payment bans would “have to really be approached with a lot of careful thought, thinking second and third-order effects” and that bans would be “one of the toughest” policy considerations. We think one key consideration is the impact to incentives for all parties involved.
Payment bans would create perverse incentives for victims
Bans will create a strong incentive to violate data breach notification obligations, leaving victims, as well as their business partners and consumers, vulnerable to continued attacks. Consequently, bans create room for black and gray markets for breach response services.
Payment bans would create perverse incentives for threat actors
Any ban would require exceptions for sectors where lives are on the line, like healthcare and critical infrastructure. But those exceptions would turn our most sensitive sectors into the most reliable and profitable targets for threat actors. Attackers would look for scalable ways to keep conversion ratios high, pushing them to more extreme default behavior.
Payment bans would create perverse incentives in government
Government attention is a finite resource, and penalties significant enough to change firm behavior will attract law enforcement attention better spent elsewhere. Penalties heavy enough may even incentivize prosecutors and regulators to harass victims instead of pursuing nefarious actors.
While we believe punitive measures against victims cause more harm than good, we are encouraged by the policy community’s thoughtful engagement on ransomware and cybercrime. Many policy opportunities are worth exploring and the Institute for Security and Technology’s Ransomware Task Force (RTF) brought together experts from US and international law enforcement, civil society, practitioners in the private sector, and academia to identify practical options for policymakers. The RTF assembled 48 policy recommendations, including diplomatic pressure on safe haven nations, disrupting threat actor infrastructure, incentivizing cyber mitigations, and supporting ransomware victims. Tellingly, the RTF’s coalition expressly excludes ransomware payment bans from its recommendations. Click here to read the full report.
James Gimbi brings ten years of breach response, cybersecurity strategy, and public interest technology experience to MOXFIVE. He investigated state sponsored and criminal cyber attacks across defense, finance, healthcare, and government and advanced bipartisan privacy and technology initiatives as a policy advisor in the US Senate. James's blended expertise helps corporate and federal leaders reduce cyber risk and tackle complex threats.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.