State bans like these keep taxpayer money from funding cyber crime, but such small-level, standalone prohibitions are unlikely to have a big impact on the ransomware problem, said Jen Ellis — Institute for Security and Technology (IST) adjunct senior policy adviser and Ransomware Task Force co-chair — in response to a Government Technology question during an IST webinar yesterday.
A nationwide ban applying to both public- and private-sector victims would reach farther, however, and past years have seen cyber researchers debate the pros and cons. Deputy National Security Adviser Anne Neuberger said in May that federal officials had “grappled” with the question of whether to ban most extortion payments while allowing the federal government to grant waivers.
If the U.S. means to do so, there are plenty of risks and challenges to consider, cyber experts said during yesterday’s webinar.
Those challenges begin with how such a policy would be introduced and rolled out.
Silas Cutler is an adjunct senior cyber threat adviser at IST and a principal reverse engineer at cybersecurity company Stairwell. He worried that busy small-business owners may not be keeping up with the latest cybersecurity legislation and could accidentally commit a crime if they pay after a hypothetical ban passes. That would give cyber attackers leverage to keep extorting the businesses in exchange for keeping the fact of the payment quiet.
Another concern is that attackers are likely to respond to a payment ban by testing how well it sticks. Attackers may intensify their focus on the victims most likely to feel compelled to pay, such as small- to medium-sized businesses — which may not be able to stay afloat during an interruption to their operations — and essential service and critical infrastructure providers where “disruption isn’t really an option,” Ellis said.
But offering waivers might just highlight those entities to attackers, said Jason Kikta, adjunct senior technical adviser at IST and CISO for endpoint security company Automox. Threat actors might fixate on those entities, whether with ransomware or other strategies for making money off them.
“All we're doing is teaching them [that] this is the soft underbelly, this is what we really truly care about — go after that,” he said. “They're going to look at who gets to pay and who doesn't get to pay, and they're just going to look for more things that look like that.”
Plus, waiver request management could become an administrative nightmare.
Kikta tried to figure out just how many waiver requests federal officials would need to evaluate. Using data from threat and risk intelligence services company eCrime.ch, he considered the number of unique organizations in the U.S. known to have been victimized by data extortion or ransomware so far this year. What he found is that it comes out to an average of slightly more than eight organizations per day of the work week.
Of course, the eCrime.ch data likely underestimates the victim count, because not all incidents are known. But given that not all organizations will seek waivers, the notion that federal officials could face eight waiver requests a day may still be roughly accurate, he said.
Federal officials would likely need to make their waiver determinations quickly — within 24 hours — to prevent a backlog and stay on top of developing situations, Kikta said. But decision-making could be a complicated process to complete rapidly.
“This has to be legal due process to make that decision of ‘you are allowed to pay’, ‘you are not permitted to pay,’” Kikta said. “There’s going to be a lot of factors going into that — companies are going to have to prepare these packages, and if it doesn't go their way, they're going to sue.”
Adding pressure is the fact that officials could see new waiver requests come in unpredictably, at the last moment. That’s because some victims may plan against paying only to discover “at the eleventh hour” that they’re unable to restore their systems from backups and so would need to pay up to maintain their operations.
Kikta, who previously served in U.S. Cyber Command, recalled one company that had tested various backup restoration processes and believed it could rebound from a ransomware attack, only to realize at the last minute that it had never tested restoring the entire company all at once. It discovered that bringing everything back simultaneously at its data rates would take months, far longer than the organization could withstand.