How can governments curtail growing ransomware attacks?
The problem with ransomware is that victims pay ransoms which creates a very lucrative business for cybercriminals. Yet, the majority of victims never get back all of their data weeks and months later after lengthy and time consuming restoration processes. According to Gartner, on average, only 65% of the data is recovered, and only 8% of organisations manage to recover all data.
Attacks tend to happen when CEOs and their boards fail to evaluate enterprise risks fully and fail to invest adequately in cybersecurity people, process, and technology. Instead, the only risk mitigation is that of cyber insurance to cover some of the direct costs of a ransomware attack. But cyber insurance doesn’t cover the full costs of incident handling, data restitution and recovery, fines and punitive damages, credit monitoring for victims and massive class action lawsuits. Nor can it ever cover loss of reputation following an incident. That company’s name is forever damaged.
A good example of this is the Scripps Health breach in 2021. Scripps was down and unable to treat patients for over a month. Given its geographic concentration in the San Diego, CA area and that fact that patient records were all encrypted, those patients in urgent need of care had to travel up to Los Angeles in many cases to receive treatment and then lacked their medical records for doctors to properly treat them. The impact to patient morbidity and mortality has yet to be assessed by the courts but the families of late-stage cancer patients probably have good legal recourse for damages.
Scripps lost $112.7m in revenue alone. And that is before all the fines, damages, and lawsuits. Although Scripps is reported to have purchased breach insurance, it will likely not even make a dent in the total losses. Now consider contributary negligence and the fact that the head of finance and accounting reportedly came up with a plan to cut costs in 2019 by making redundant the most expensive and experienced IT and security staff including the CIO and CISO replacing them with less experienced juniors. I am sure both Scripps’ insurance company and the class action lawyers are looking very carefully at this information and the CEO’s decisions leading up to the breach.
Cyber breach insurance is also becoming harder and more costly to obtain and now has multiple exclusions for acts of war so if the Russian government or its proxy for example, is found to be behind a cyberattack against a company, the insurance policy doesn’t pay out. Also, if a company lacks reasonably expected cybersecurity controls then it’s considered contributorily negligent in which case the $30m policy may only pay out $5m or less considering just how bad the company’s cybersecurity capabilities were at the time of the incident.
So the first thing that needs to happen is that governments need to make all ransom and extortion payments illegal, with CEOs and board members doing jail time if found to be flouting the rules. (Many currently hide behind directors’ insurance, so fines won’t work). In connection with this, better interbank tracking of bitcoin or other crypto currency purchases is required in order to track who is purchasing crypto and for what reason in connection with the above changes to laws. Privacy advocates will probably have a hard time with this, but if we are to tackle the cybercrime and ransomware problem then it’s a cost we will have to bear.
The second area where government can thwart the growth in ransomware is by better tracking of cryptocurrency transactions and tracking of crypo-wallets used for crime. The FBI in the US has had good recent results in this area and for helping to recover some ransom payments, but it’s by far from complete or perfect.
The third area is to go after the perpetrators of these crimes. However, the vast majority of ransomware attacks originate in the former Soviet states. Few countries have extradition treaties with the Commonwealth of Independent States so, as long as these perpetrators don’t leave this region, they can operate with impunity.
What the world really needs is an international convention of cybercrime that has all countries of the world ratify the agreement in exchange for access to the international financial system as an incentive, otherwise it is unlikely that those countries who benefit most from cybercrime will agree to participate – China, Russia, North Korean and Iran in particular. While the Budapest Convention was a step in the right direction it lacks universal enforcement. Even the Tallin Manual lacks the ‘line in the sand’ that is needed to prevent nation-states from launching cyberattacks against one another.
With most countries agreeing that ransomware is now totally out of control and losses well into the size of the gross domestic product of small countries, perhaps it’s time for governments to step in more directly, either by imposing crippling costs on countries who hide and protect cyber criminals, or by direct action to arrest or take-out perpetrators directly, regardless of where they hide.
As a global society, responsible governments collectively need to draw a line in the sand to state when a cyber attack goes too far and to stipulate repercussions. Without this, criminals and pariah nation states will continue to push the boundaries of acceptability.
About the author
Richard Staynings is the chief security strategist at IoT cybersecurity company Cylera and is an adjunct professor of cybersecurity at the University of Denver. He serves on a number of government and non-governmental committees and has spent the past 25 years helping to secure companies, other organizations, and countries from cyber-attack.