Are We Making Cyber Ransoms Worse?

Published 30 October 2019

Nobody intends to become a hostage. Rather than facing a masked gunman or mafioso hinting at misfortune, these days trouble begins with an email. The link may not work, or there may be a cryptic ransom note demanding an exorbitant payment in cryptocurrency. A frantic phone call from the IT department will follow.

It is the call every business leader fears: Your computer system has been breached and data has been stolen or locked up with encryption that cannot be broken. William G. Rich writes in War on the Rocks that “Whether it was an employee clicking a link or the computer system not having the latest security patches installed, it doesn’t matter, it is too late. The business cannot function and its reputation with clients, peers, and maybe even regulators is at risk.”

He adds:

This scenario is not far-fetched. It is not even uncommon. In September, the U.S. Department of the Treasury sanctioned the North Korean hacking groups known to cybersecurity researchers as “Lazarus Group,” “Bluenoroff,” and “Andariel.” The move confirmed North Korea’s industrial-scale use of ransomware and cyber-enabled theft to generate massive revenues. Although Pyongyang has pioneered hacking as an income generator, criminal hacking groups are quietly threatening governments and private-sector targets. Nearly two dozen counties in Texas and the cities of Baltimore and Atlanta have been extorted in the last year.

The industry of so-called ransomware attacks — the theft or hostile encryption of data by hackers combined with a ransom demand to reverse the attack — is booming. Rogue states like North Korea and criminal hacking groups are making money off the practice, undermining U.S. interests and the integrity of the global financial system. The growth of ransomware attacks is being driven by complacent cybersecurity measures, easily available hacking software, and those called on to respond to such attacks — a coterie of lawyers, consultants, and insurers incentivized to quickly and quietly pay ransoms.

In addition to the efforts underway to encourage better cybersecurity preparedness, Congress, the executive branch, and regulators need to spell out what a proper response to a ransomware attack should look like for both the public and private sector. The response should take into account the liabilities and incentives of victims, responders, and insurers. Every business that values its data needs to, at a minimum, keep its software up to date, back up critical data, practice restoring it, and have a response plan in place. Many businesses will need to do much more.