Should Congress ban U.S. companies from paying hackers who launch ransomware attacks and demand extortion payments in return for decryption keys?
Answer: Probably not or at least not yet. Why not? The potential risk for cyber blackmail by data hijackers is too great. What should Congress legislate? The answer increasingly appears to involve Incident reporting to law enforcement.
Keep in mind that any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government. With that said, here’s what’s going on right now in Congress on key issues.
FBI Cyber Specialist: Banning Ransomware Payments Is A Bad Idea
A top Federal Bureau of Investigation (FBI) cyber specialist has told the Senate Judiciary Committee that legislation to ban U.S. companies from shoveling what often amounts to millions of dollars to cyber extortionists is essentially a bad idea, just not for the reasons that you might think.
“It’s our position that banning ransom payments is not the road to go down,” Bryan Vorndran, the assistant director of the FBI’s Cyber Division, told panel members. (via The Hill) Doing so will further embolden hackers to threaten victims whose data they’ve stolen that if they report the crime it will be sold on the dark web, he said. That’s on top of locking up their systems.
Vorndran called it a “complicated conversation.” It’s the FBI’s position that “if we ban ransom payments, now you are putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” he said. At this point, as much as 35 percent of incidents go unreported to the agency.
Jeremy Sheridan, the assistant director of the U.S. Secret Service’s Office of Investigations, told the Committee that prohibiting ransomware payments would discourage reporting an event to the FBI. “Banning the payments would further push any reporting to law enforcement into obscurity and make it virtually impossible for us to have that relationship,” he said.
Next Up: Mandatory Incident Reporting
Meanwhile, there is relative unanimity among cybersecurity officials that mandatory incident reporting at least for critical infrastructure operations will soon be on the menu. Legislators pushing incident reporting recently received a boost from newly installed Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Chris Inglis, the inaugural White House national cyber director.
At their nomination hearings both Easterly and Inglis made it clear that they support imposing minimum reporting standards on critical infrastructure outfits and private companies to notify the federal government of cyber incidents. Virginia Senator Mark Warner (D) has called on Congress to enact new legislation that would require private companies to report cyber attacks to the federal government, joining U.S Intelligence leaders who have also pressed Congressional lawmakers to require private industry to report security breaches and other threat information to the federal government.
Recent Ransomware Attacks, Victims: U.S. Lawmakers Take Note
The Senate Judiciary Committee’s hearing on ransomware follows the latest high profile hijackings and serves as a keen example of companies coughing up ransom money.
- In the attack on energy supplier Colonial Pipeline, the company paid nearly $5 million to restore its systems. The federal government recovered some $2.3 million of Colonial's ransom payment.
- In another incident that infected JBS, a meat processor, the company paid an $11 million ransom to hackers to unlock its network.
- Kaseya, on the other hand, which in early July 2021 was blasted by a ransomware attack on its VSA software attributed to the Russia-lined REvil gang, refused to pay a ransom to obtain a decryptor key and instead procured one on its own. Specific details about how Kaseya actually obtained the key remain undisclosed.
None of the three victims were required to report the incidents to federal authorities. Still, in a recent report, cyber insurance provider Coalition predicted that government regulation and scrutiny in ransomware events will increase. Expect more regulation and more public frameworks from government institutions worldwide with new laws that require far greater disclosure of cybersecurity incidents, the company said.
FBI's Official Stance on Ransomware Payments
The FBI’s official position on paying ransoms is no way, according to the agency’s website: “The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
In keeping with the agency’s stated position, in late June, FBI director Christopher Wray told the U.S. Senate Appropriations Committee that the agency “would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back.” The goal is to “make it harder and more painful for hackers and criminals to do what they are doing,” he said. Along those lines, it should be noted that eight in 10 organizations hit by a ransomware attack that elected to pay a ransom demand were attacked a second time, often by the same cyber crew, a global study of some 1,300 security professionals surveyed by cybersecurity provider Cybereason found.
Such is the scourge of ransomware that the long-standing question of whether victims should meet a hijacker's demands--one still absent a definitive answer--could take a backseat to Congress banning those payments by law altogether.