Editor’s Note: Mike Chapple is teaching professor of information technology at the University of Notre Dame’s Mendoza College of Business. The opinions expressed in this commentary are his own.
Over the past several weeks, ransomware attacks shut down a critical gas pipeline serving the Eastern United States, disrupted meat plants in Australia and North America, exposed sensitive police files in Washington, DC, and delayed ferry service to Cape Cod. Other recent attacks have disrupted hospital systems and crippled Ireland’s national health service in the midst of the Covid-19 pandemic. These critical infrastructure disruptions bring into clear focus that ransomware poses a significant risk to national security, and it’s time to begin treating it as we would any other serious threat.
Ransomware builds upon the computer viruses and worms of years past and adds a terrifying twist. Once ransomware infects a system, it encrypts all of the data on that system, rendering it inaccessible to legitimate users. The ransomware author then demands the payment of a ransom in exchange for providing the decryption key required to restore access. Recently, ransomware authors have gone even further and made extortionary threats to disclose sensitive information unless the ransom is paid.
The recent flurry of successful ransomware attacks highlights how our national security is at stake. This series of uncoordinated attacks affected our energy infrastructure and transportation services. A group of attackers intending to inflict havoc could quietly infect a series of critical systems and then simultaneously cripple many elements of our infrastructure.
Now, we must focus our national attention on addressing this risk with a comprehensive, interdisciplinary approach. Unfortunately, as with most claimed panaceas, there is no simple solution to the scourge of ransomware, but there are some good places to start.
Below are some do’s and don’ts for the government and companies to keep in mind:
Rely on national intelligence
At the end of April, just days before the Colonial Pipeline attack made headlines around the world, a Ransomware Task Force (RTF) of more than 60 members released an 81-page report, “Combating Ransomware.” Acknowledging the complexity of the problem, this group of cybersecurity experts recommended 48 specific actions that government and industry leaders may take to push back against the increasing number of ransomware infections.
Some of the task force recommendations rely on the government to play an important role. If we consider ransomware a national security priority, it only makes sense that we would bring the resources of the nation’s intelligence community and law enforcement agencies to bear on the problem. The United States possesses the world’s most sophisticated intelligence collection and analysis capabilities. Surely, those capabilities could be used to identify and pursue the perpetrators of ransomware attacks.
We saw the beginnings of this coordinated approach earlier this week when the Justice Department announced that it seized $2.3 million in bitcoin paid to the Colonial Pipeline attackers. This was a remarkable feat of intelligence and law enforcement, as tracking Bitcoin transactions isn’t easy. It’s exactly the type of activity that will deter and disrupt future attacks.
Disrupt the business model
Similarly, the government can disrupt the business model for ransomware. Ransomware attacks continue to happen because they are profitable. Disrupting those profits would deter attackers from investing time and resources in these attacks. The RTF report includes a dozen recommendations for doing so, including enforcing existing financial crime laws, enhancing seizure capabilities and applying statutes designed to combat organized crime.
The coordinated seizure of funds from the Colonial Pipeline attack is a good example of this strategy, but more is needed. Federal, state and local law enforcement officials must share information and work together with their international colleagues to bring these attackers to justice. Attackers must begin to live in the constant fear that their funds will be seized and they will be arrested.
Develop a national ransomware incident response
Companies that fall victim to these attacks need to know what to do when an attack occurs and where they may turn for expert advice. Large businesses often have dedicated cybersecurity teams and the resources to bring in expert consultants, but smaller businesses, non-profits and government agencies often lack access to those resources. Creating a national center of excellence in ransomware response would help organizations of all sizes gain access to expert guidance when they face a ransomware crisis.
Businesses must bolster their cybersecurity
Ransomware isn’t a problem that the government alone can solve. Organizations around the world must also bolster their cybersecurity defenses to reduce the risk of falling victim to these attacks. This definitely requires strong technical measures, including the use of security technologies and data backups.
But this isn’t just a technical problem. Ransomware often enters an organization after a single employee makes a single mistake. Effectively fighting ransomware requires strong education and awareness efforts that help everyone in an organization understand the risk and their role in protecting critical systems.
Don’t ban ransom payments
Banning ransom payments might seem appealing because it would hit attackers in the pocketbook. Prohibit American businesses from making ransom payments, the theory goes, and ransomware authors will lose the incentive to wage attacks. The fundamental problem with this policy is that it would further victimize the victims of a crime. This is the reason that we don’t outlaw the payment of ransom to kidnappers and it’s also the reason that we shouldn’t outlaw ransomware payments.
Are we really willing to tell a hospital that suffered a ransomware attack that it is not allowed to pay the ransom that would restore access to critical medical devices or patient files? Waiting for companies to rebuild their technology infrastructure because they aren’t allowed to pay ransom could cause prolonged disruptions to gas pipelines, mass transit, the food supply and other essential industries. Small businesses suffering ransomware attacks will simply go out of business because they can’t get back up and running again. When you consider the negative side effects of banning ransom payments, the solution no longer seems so simple.
Don’t ban cryptocurrency
Ransomware authors demand payment in Bitcoin and other cryptocurrencies because the nature of those currencies allows anonymous transactions. Some experts argue that banning cryptocurrency entirely would shut down the ransomware markets, but that isn’t the answer either. While there are very strong arguments that most cryptocurrency transactions are either speculative investments or criminal activity, it’s a major stretch to jump from there to the assertion that cryptocurrency should be completely illegal. It would be almost impossible to stop cryptocurrency transactions if we tried. The United States lacks the jurisdiction to create or enforce an international ban, and the decentralized nature of cryptocurrency systems makes it difficult to imagine how such a ban would even function.
Ransomware is a complex problem that poses a significant threat to our national security, but we’ve tackled complex problems in the past. The country that put astronauts on the moon and stemmed the coronavirus pandemic is certainly capable of successfully fighting the battle against ransomware.