Ineffective Response and Perverse Insurance Incentives Compound Ransomware Problems
Cybercriminals are mining a lucrative revenue source – ransomware. These attackers launch malware to encrypt digital files and demand bitcoin payment to unlock them. We know that local governments are often paying ransom and that private industry is also suffering from the ransomware plague. Cyberattackers seem to have the upper hand.
[Chart: industry average ransomware payments. Source: Coveware]
To Pay or Not to Pay?
A ransomware discussion on Hackbusters caught my attention:
“The debate over whether to pay or not to pay the ransom once your system is encrypted is heating up,” wrote one commentator. “Yesterday, the US Conference of Mayors approved a resolution coming down in favor of not paying cybercrooks. There are arguments on either side of the question. Paying the ransom creates a huge incentive for ransomware crooks to keep plying their trade. However, in many cases, the costs of not complying with the demand can cost many millions more than paying and may not be a realistic option for some smaller cities.”
One commenter noted that paying or not should be a business decision: “Wasn’t the ransom for Baltimore only ~$76K, which they didn’t pay, and now they’re estimating the cost of recovery to be ~$18 million?”
However, paying isn’t a foolproof solution either. Consider what happened to Lake City, Florida. “More than 100 years’ worth of municipal records, from ordinances to meeting minutes to resolutions and City Council agendas, have been locked…by unidentified hackers who…demanded more than $460,000 in ransom. Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all its files. There is a possibility that thousands of pages of documents that had been painstakingly digitized…will have to be manually scanned, again.”
We Need More than a Resolution
I weighed in on the Hackbusters discussion: “Any responsible security pro has to vote for ‘not pay.’ However, from the business perspective this can’t be an absolute prohibition any more than you could tell parents not to pay kidnappers for a child’s release – and expect them to always heed your request.”
Starting to wrap my head around the problem, I continued: “A stronger resolution from the Council of Mayors would initiate a framework to support not paying. This could include shared remediation support services funded through pooled self-insurance contributions from a community of organizations, and volume discounts on general cyber-insurance policies for members of that community who follow a specified set of improvement practices.”
I got an interesting response: “I agree, Dan. This is not a yes/no situation. There are several efforts at establishing task forces at state, federal and local levels. My guess is they are in the process of trying to put together a framework. I think there is already discussion going on about this in cyber task forces proposed or in operation across states. You might try reaching out to them directly. One group is the Task Force on Cybersecurity.”
Yet Another Checklist Isn’t Enough
A search for “Task Force on Cybersecurity” turned up the National Conference of State Legislatures (NCSL). After a bit of digging I found an NCSL newsletter pointing to the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). CISA has published a “strategic intent” paper. The only ransomware reference in the paper, however, was a pointer to “CISA Insights,” a list of best practices.
Unfortunately, the CISA list is quite brief and provides no new information. If checklists were going to solve the industry’s omnipresent breach and ransomware problems, cybercriminals might already be out of business!
Can the Feds Help?
Clearly, U.S. local governments are looking to the Federal government for help with the ransomware epidemic. NCSL referenced a Politico article, which makes the following points.
- Federal funding for ransomware defense might accelerate response and restoration and result in fewer municipalities paying ransoms. However, Congress has introduced only four pieces of legislation this year, none specific to ransomware, and none that would address the full scope of the attacks on local governments, let alone private industry.
- Both the Federal Bureau of Investigation (FBI) and DHS have issued guidance, such as CISA Insights. The FBI is making direct efforts to repel ransomware attacks on voter registration databases managed by local election administrators. The federal government could lead more ransomware-specific exercises designed to prepare states and localities to defend or respond.
- The Politico article also notes that Federal agencies don’t always have the same agenda as the localities under attack. “The FBI wants to investigate and prosecute,” said John Dermody, a legal adviser interviewed for the article. “The private sector and state and locals may want to get back on line as fast as possible by simply paying the ransom.”
- In the face of Federal inaction, U.S. states such as California, Connecticut, Michigan, Texas, and Wyoming are acting on their own to pass legislation that further criminalizes ransomware. Michigan established a Cyber Civilian Corps whose volunteers provide expertise to the state, while the governors of Colorado and Louisiana also mobilized volunteer resources.
Today, Cyber-Insurance Provides a Perverse Incentive
Amidst the clutter of research accumulating in my browser tabs, one thing struck me. Maybe you saw it too: “Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all of its files.”
Seriously, I couldn’t make this stuff up. With the Federal government moving at a glacial pace and local efforts fragmented, it doesn’t help that cyber-insurance policies are being used to pay the ransoms. In the long run, cyber-insurance may be facilitating a real tragedy of the commons: by helping victims buy off ransomware perpetrators, it funds and incentivizes more ransomware.
Instead, Cyber-Insurance Could Facilitate the Way Forward
Ultimately, the industry needs a two-track answer:
- Organizations implement controls against ransomware and become harder targets.
- Even among the (fewer) organizations compromised, fewer pay, ransomware becomes less lucrative, and the attack levels may even decline.
That’s why I’m advocating public support for cyber-insurance policies covering ransomware remediation for organizations that follow a specified set of improvement practices and keep their IT environments “up to code.”
The cybersecurity landscape is ripe for a risk-based, market solution. If insurance companies can determine standards of practice and systematically drive more effective controls throughout the industry, the level of ransomware losses might stabilize. There is precedent: years ago, in the jewelry business, requiring a standard set of protections across all policyholders reduced losses.
A voluntary insurance industry agreement to NOT make ransom payments except under extreme circumstances, or legislation to that effect, might be a good place to start.