Enterprises want governments to step up and do a lot more about ransomware.
In a new survey of American companies:
- nearly half (47%) said the U.S. government isn’t doing enough to protect businesses from cyberattacks
- 81% said government bodies should play a bigger role in defining national cybersecurity protocols and infrastructure
The Ransomware Task Force (RTF) is also calling on more action from governments. The new think tank, set up by the Institute for Society and Technology, released its first report in April. At the recent SecTOR cybersecurity conference in Toronto, RTF co-chair Jen Ellis presented top recommendations from the report, with a nod to what’s happened on the ransomware front since the RTF report first came out.
Ellis outlined what the RTF would like governments to do—but also listed steps enterprises should consider taking, too.
What governments can do
Here are some of the RTF’s key recommendations for governments.
- regulate the cryptocurrency sector more closely
Since cyber attackers prefer bitcoin for ransom payments, Ellis said the RTF wants governments to regulate cryptocurrency “consistently and evenly” on a global scale. The same regulations used to fight money laundering and terrorist financing, for example, would be applied to cryptocurrency to combat ransomware.
Washington signalled a move in that direction this autumn when, for the first time ever, the U.S. Treasury Department levelled sanctions against two foreign crypto exchanges for alleged ransomware involvement.
- make it mandatory for targeted organizations to report attacks and ransom payments
The idea, of course, is that knowing as much as possible about ransomware will help us fight it. But how would such mandatory reporting be enforced? Would the government levy big fines against companies that fail to report ransomware attacks or payments? If so, would businesses fear being hit by the financial consequences of an attack not once but twice: first by hackers, then by government fines? All of that remains up in the air.
- require organizations to consider alternative solutions before paying ransom
The FBI already advises businesses not to pay ransom, arguing that payments simply encourage the bad guys to do more hacking. But it takes time for victimized companies to look for solutions that don’t include forking over money, and that delay only ramps up the enormous pressure they feel to restore their IT systems ASAP.
It’s easy to see why Colonial Pipeline paid $5 million in ransom just one day after the start of the cyber siege that shut down America’s largest fuel delivery network last spring.
Ellis suggested businesses should check out some alternatives to ransom payments on NoMoreRansom.org. The site is backed by 170 law enforcement agencies worldwide and has 121 decryption tools for 151 ‘families’ of ransomware. It claims to have saved targeted organizations from paying nearly $1 billion in ransom demands.
- make compliance with the government’s ransomware framework a condition of eligibility for grant funding
Compared to the other RTF recommendations for government action, this one seems relatively easy to implement, with governments and their agencies simply stating this as a requirement on grant applications.
What enterprises can do
Governments have actually been quite active on the ransomware front lately. Israel just introduced new cryptocurrency regulations aimed squarely at the problem. In June, leaders at the G7 meeting called on Russia to crack down on its flourishing ransomware industry. That same month, Joe Biden confronted Vladimir Putin directly on the issue. In October, the White House hosted a virtual ransomware summit with 30 nations. (Russia was not invited.)
“President Biden has (publicly) talked about ransomware at least six times this year. When you think about it, it’s actually astonishing,” Ellis marvelled. “It’s gotten to the point where the White House has issued guidance.”
That guidance was an open letter to American CEOs this summer, urging businesses to take many of the same measures Ellis suggested at SecTOR:
- user education
- timely patching
- IAM strategies including MFA
- network segmentation
- regular backups and network health checks
- building and practicing a ransomware response plan
- talking to your cyber insurer and tech partners
- checking out resources on NoMoreRansom.org
Remember that survey of U.S. companies we started out with? It indicates that, while many businesses want governments to do more, the real threat is already lurking within enterprises themselves:
- almost half (48 per cent) said they or their employees have been directly approached by malevolent actors to help plan insider ransomware attacks
- 83 per cent said these approaches have increased since employees started working from home during the pandemic
Although enterprises are looking for government help, perhaps the global fight against ransomware really has to begin at home, inside their own corporate borders.