Exploring the Viability of a Ransomware Payment Ban

The digital age has brought about numerous advantages, but with it, a nefarious byproduct has emerged: ransomware. This form of cyber extortion has become a significant threat, particularly to the public sector, leading to a heated debate on whether implementing a national ban on paying ransomware demands could be an effective solution. The recent discussion, moderated by the Institute for Security and Technology (IST), sheds light on the complexity of this issue, suggesting that a definitive prohibition might still be beyond our reach.

Notably, the U.S. appeared to take a tentative step closer to such a ban when, in November, it aligned with the International Counter Ransomware Initiative’s stance that federal agencies should refrain from complying with ransom demands. However, this policy does not apply to state or local governments or the private sector, highlighting the fragmented approach to addressing ransomware.

The debate centers on a paradox: while paying ransoms can fund cybercriminals’ future attacks, critical entities like hospitals sometimes cannot afford the downtime and may choose to pay to restore operations quickly. Rob Knake, a cybersecurity expert and former deputy national cyber director, underscores this dilemma, noting the potential for ransomware criminals to exploit payment bans by targeting vulnerable institutions like hospitals even more aggressively.

Another challenge is that even if victims refuse to pay, cybercriminals can still profit by selling stolen data, as pointed out by Allan Liska, a seasoned intelligence analyst. This complication underscores the necessity of a more comprehensive approach to combat ransomware, not just focusing on payment bans but also on enhancing defensive capabilities across the board.

Sezaneh Seymour of Coalition emphasizes the vital role of basic cybersecurity hygiene, which many sectors are currently neglecting. Addressing this foundational issue is crucial for any anti-ransomware strategy to be effective. Panelists propose various measures to fortify defenses, such as enabling hospitals to seek reimbursement for cybersecurity investments analogous to how they claim healthcare treatment costs under Medicare and Medicaid.

However, discouraging ransom payments across all sectors remains a formidable challenge. The government has limited leverage over private companies’ cybersecurity practices, but experts suggest several strategies. These include making government contracts conditional on the vendor’s commitment not to pay ransoms and requiring detailed reporting from companies on their ransomware payment decisions to potentially expose them to public scrutiny or legal liabilities.

Bill Siegel, CEO of Coveware, suggests that significant legal penalties for companies with lax cybersecurity measures might drive change. Yet, he acknowledges that, faced with existential threats from ransomware, some companies might opt to pay ransoms clandestinely, possibly funneling money to other illicit actors.

One proposal for implementing a payment ban includes penalties for non-compliance that intensify gradually, giving organizations time to bolster their cyber defenses before the full penalties apply. A more provocative suggestion is to treat those who attack hospitals as terrorists, aiming to deter cybercriminals directly.

As the U.S. grapples with estimating the full extent of its ransomware problem, IST’s Chief Strategy Officer Megan Stifel cautions against rushing into a payment ban without the insights that could be gained from more comprehensive reporting, soon to be enhanced by new legislation like the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

In conclusion, while the idea of a ransomware payment ban is appealing as a means to cut off funding for cybercriminals, the complexities and potential unintended consequences of such a policy demand careful consideration. A multifaceted strategy that includes improving cybersecurity practices, establishing support mechanisms for victims, and considering the legal and ethical ramifications of a ban is essential. As the landscape of cyber threats evolves, so too must our responses.
