Ransomware Policy: Striking a Balance in Prevention, Reporting, and Secure Design

Jun 29, 2024

During a recent appearance at the Oxford Cyber Forum, Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), discussed the challenges of tackling ransomware. Her conversation with Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre, underscored the multifaceted nature of the ransomware problem and the need for a holistic response. Easterly stressed three requirements for addressing the threat effectively: proactive measures, comprehensive incident reporting, and a fundamental shift towards secure-by-design principles.

Easterly expressed skepticism about the feasibility of a blanket ban on ransomware payments within the U.S. system. She said, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” This contrasts with Martin’s earlier advocacy for such a ban, argued in The Times newspaper. The debate over outlawing ransomware payments encapsulates the broader struggle to devise effective responses to a continually evolving problem. Despite considerable efforts to curb ransomware, Easterly acknowledged that success is hard to measure because there is no clear baseline, a gap that the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022 and now being implemented through rulemaking, is meant to fill. Once its rules take effect, CIRCIA will require critical infrastructure owners and operators to report covered cyber incidents, including ransomware attacks, to CISA within 72 hours and ransom payments within 24 hours, generating the data needed to understand the scope and nature of the threat.

Across the Atlantic, the United Kingdom faces similar challenges under its NIS Regulations, which require critical infrastructure organizations to report cybersecurity incidents. Plans to update these laws, however, have stalled because of a snap general election. The proposed overhaul aimed to ban ransomware payments within the critical infrastructure sector and, for other organizations, to require incident reporting and a licence before any extortion payment could be made. The delay illustrates the political and logistical hurdles that often complicate cybersecurity policy reform.

Legislation alone is insufficient; proactive initiatives are equally important in preventing ransomware attacks. CISA’s pre-ransomware notification initiative, which passes threat detections to affected businesses, has reportedly thwarted hundreds of attacks. The program draws on threat researchers’ ability to spot precursor malware and intrusion activity and warn potential targets before the encryption stage. The U.K. has employed a similar strategy, using its intelligence agencies’ unique access to information feeds to detect early-stage ransomware threats. According to Recorded Future News, an attack was detected every 72 hours on average during one three-month period.

Yet proactive efforts alone are not enough. Easterly emphasized the need for a fundamental shift towards secure-by-design principles to reduce the pool of exploitable vulnerabilities. She asserted, “I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign.” Secure-by-design means building technology with security measures built in and safe defaults from the outset, which shifts the burden of protection from customers, especially businesses with limited security resources, back onto the vendors who make the products.

The global financial impact of ransomware is alarming, with some estimates putting the cost at $20 billion in 2021. Double extortion, in which attackers exfiltrate sensitive data before encrypting systems and then threaten to publish it if the ransom is not paid, adds a further layer of pressure on victims, since restoring from backups no longer removes the leverage. Average downtime following a ransomware attack has been estimated at 21 days, a substantial disruption for any business. Small and medium-sized enterprises are increasingly targeted, and the use of cryptocurrency for ransom payments complicates efforts to trace the money. The FBI advises against paying ransoms, since payment does not guarantee the return of data and funds further attacks. Many organizations nevertheless feel compelled to pay to regain access to their systems quickly. The dilemma is compounded by the U.S. Treasury’s warning that paying a ransom to a sanctioned entity, even unknowingly, can violate sanctions regulations. Insurers are also reconsidering their coverage for ransomware payments because of rising costs, which is prompting businesses to adopt more robust cybersecurity measures.

In Europe, the response to ransomware is evolving. The European Union is considering stricter rules on ransomware payments, reflecting growing recognition that a global threat requires coordinated international action. Cybersecurity training for employees is becoming a critical component of prevention, underscoring the importance of human factors in cybersecurity.

Looking ahead, the ransomware landscape is likely to keep evolving. Implementation of CIRCIA in the U.S. will provide data to inform future policies and strategies. Should the U.K. revisit its proposed overhaul of ransomware regulation, it could set a precedent for other countries. Double extortion and cryptocurrency-based payments will remain significant challenges, and the retreat of insurers from covering ransom payments may push businesses towards stronger cybersecurity practices.

The success of initiatives like secure-by-design will be decisive in making a lasting impact on the ransomware threat. By embedding security into the design and development of technology and fostering a culture of proactive incident reporting and prevention, the global community can mitigate the impact of ransomware and build a more resilient digital infrastructure. The path to a more secure cyberspace is intricate and full of obstacles, but with comprehensive policies and collaborative effort, meaningful progress is achievable.