The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Don’t ban payments to ransomware gangs, cyber experts say

Analysis by

with research by David DiMolfetta

December 19, 2023 at 7:22 a.m. EST
Welcome to The Cybersecurity 202! Good problem to have: Julius the cat has taken to wanting to live on my lap of late, which is great and cute until leg cramps and such kick into gear.

Below: Israel-linked hackers target Iranian petrol stations, and a pair of new U.S. government reports discuss foreign interference efforts in the 2022 elections. First:

To ban or not to ban: The question before the Network on ransomware payments

The idea of banning victims from making payments to ransomware gangs has floated around for years, most recently when an Australian strategy document suggested it last month before the government abandoned the notion for the time being.

The majority of our Network of cyber experts came down against a ban: around 74 percent of the experts who answered our survey were anti-ban. The rest said they favored a ban.

Their views largely reflect the main arguments from both sides of the debate. Those in favor of a ban say that if organizations can’t lawfully pay their attackers, the attackers are robbed of any financial incentive for their crimes. Those against say that a ban will make victims less likely to share any information about their attacks and illicitly pay anyway, thus making the phenomenon harder to combat.

But the experts had other ideas about why to ban or not ban, along with some alternative approaches, too.

Against a ban

Even though the survey offered only a “yes” or “no” answer on whether they favored a ban, our experts attached a number of caveats and nuances to their positions.

“It’s a complicated issue,” wrote Amy Hogan-Burney, general manager and associate general counsel for cybersecurity policy and protection at Microsoft. “While government should empower companies to avoid paying ransoms, a total ban runs the risk of penalizing cyberattack victims. In some cases, critical infrastructure, like hospitals, face no choice but to pay so that they can keep vital systems running.”

A number of our experts feared what a total ransomware ban could do to victims, even as they hated the idea of ransom payments ending up in the hands of villains.

“You never really know where the money goes,” wrote Cris Thomas, a.k.a. Space Rogue, a member of the famous hacker collective L0pht who now works on cybersecurity issues for IBM. “You could be funding repressive regimes or … just straight up criminals but at the same time, in some cases, a ransomware event may be an organization ending event.”

A fellow L0pht member, Veracode’s chief technology officer Chris Wysopal, said a ban just wasn’t the right tool for the job: “There is no one size fits all ransomware attack. Each attack has different impacts and implications for organizations, their partners, and customers. A ban is too blunt an instrument to use.”

Many anti-ban Network members pointed to the inequality a ban would create between well-resourced organizations and those that cannot recover on their own.

“Given the poor state of cyber resilience throughout the economy, banning ransomware payments will set off a game of chicken with the ransomware gangs, leaving the cyber poor — main street America — at greatest risk,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Not only would banning payments effectively revictimize the victim, it will also not work in reducing payouts to gangs. Instead, it will drive the activity underground, where investigators will have even less visibility into the nature of this threat, and these funds and the organizations who transmit them will be even further beyond the reach of law enforcement and regulators.”

Amy Chang, a resident senior fellow for cybersecurity and emerging threats at the R Street Institute, questioned whether the government ought to be involved.

“At the end of the day, whether or not to pay a ransom is a business decision,” she wrote. “Is it a best practice? Absolutely not. Despite that, organizations do sometimes neglect best practices, and it is not a national government's role to spend time and resources determining parameters for a ban and enforcing it.”

Those who said they opposed a ban also proposed some different options:

  • “A better solution than contributing to re-victimization of the victims by banning payments is to look at ways to prohibit insurance companies from reimbursing policyholders for ransom payments,” wrote Dmitri Alperovitch, the co-founder and chairman of the Silverado Policy Accelerator. “That would go a long way toward accomplishing the policy goal of discouraging ransom payments from getting made except in circumstances when they cannot be avoided due to risk to life or business survivability.”
  • Andrea Matwyshyn, a professor at Pennsylvania State University’s law school and engineering school, said “national governments should compel public disclosure of the payment, the amount, and an explanation of the vulnerability/internal control shortfall that resulted in an organization's exploitation.” At least some of that is on the U.S. regulatory horizon.

In favor of a ban

Steve Weber, professor of the graduate school at the University of California at Berkeley where he founded the Center for Long Term Cybersecurity, framed the case for a ban like this, using a phrase — collective action — others did as well.

“It's a classic collective action problem,” he wrote. “Left to their own devices, those who pay are essentially free-riding on those who refuse to pay. Government can assure a better outcome by punishing those who would otherwise free-ride. Doing so would also force more effort and expenditure on prevention and protection.”

One expert, Recorded Future’s senior security architect Allan Liska, said he didn’t want his answer to be “yes,” and has changed his mind back and forth over the years. “The truth is that organizations aren’t doing enough to protect themselves from ransomware and something needs to change,” he wrote. “Laws like this are terribly painful, and will cause a lot of misery and I feel like implementing it without fully understanding the problem (which we don’t) will be imperfect. But, I feel this is a situation where we don’t want the perfect to be the enemy of the good.”

Some experts said they didn’t want to see an overnight or hasty ban.

  • “Governments would need to do a lot of work to make such policies effective,” wrote Michael Daniel, CEO of the Cyber Threat Alliance. “For example, they would need to have robust capabilities to assist organizations hit with ransomware recover. Absent such support networks, payment bans harm the victims, not the ransomers. Banning payments should be the last step in dealing with ransomware, not the first.”
  • “Countries should be developing policies that start moving down this path with a goal of fewer payments and eventually no payments rather than simply debating an all out criminal ban or keeping things where they are,” wrote Ari Schwartz, coordinator of the Center for Cybersecurity Policy and Law who also wrote a blog post on Monday about just how a ban might be configured.

Other thoughts

The topic of whom a ban should apply to and whether there should be exceptions came up on both sides of the debate.

  • “It makes sense to ban payments for government entities,” said Suzanne Spaulding, senior adviser for homeland security as part of the International Security Program at the Center for Strategic and International Studies. Spaulding otherwise said she opposed a ban, and cited other exceptions as problematic: “If you make exceptions for vital entities like hospitals, they will be the primary targets of future attacks.” The Biden White House also has weighed in on government entity-specific bans with its allies, even as it has rejected the idea of an overarching ban.
  • “Any such ban should, at a minimum, have an exception where paying the ransom would help law enforcement or national security, such as where paying the ransom would provide evidence about the identity of the attacking group,” said Peter Swire, who teaches privacy and cybersecurity at Georgia Tech and is senior counsel at Alston & Bird. Swire answered “yes” to the question of whether a ban should be put into place.
  • “Banning payments is impractical for myriad reasons,” said Jeff Greene, senior director for cybersecurity programs at the Aspen Institute, who answered “no.” “Would there be exceptions for life or national security reasons? And if so, would that just paint a target on organizations that could qualify for exceptions? What’s the punishment if an organization violates a ban? How would this advance collaboration, reporting, and information sharing?”

The keys

Israel-linked hacking group targets Iranian petrol stations

Israel-linked hackers targeted Iranian petroleum stations on Monday in response to attacks carried out by Iran-backed proxy groups in the greater region as Israel and Hamas continue fighting in the Gaza Strip, Reuters reports.

The attacks confirmed by Iran Oil Minister Javad Owji were claimed by a group called Gonjeshke Darande or “Predatory Sparrow,” according to Iranian and Israeli media reports. The group announced the attacks on Telegram.

  • Per the report: “Owji had earlier told Iranian state TV that services had been disrupted at about 70% of Iran's petrol stations and that outside interference was a possible cause. He later said 1,650 petrol stations were operational. The ministry supervises 3,800 petrol stations.”
  • “We have nothing to say about Iran's claims,” Israeli government spokesperson Tal Heinrich said in a Monday news conference.
  • Iran’s civil defense agency is still weighing all possible causes for the incident, according to Reuters. Iranian officials have previously claimed U.S. and Israeli-linked hackers were responsible for a major 2021 cyberattack on fuel pumps.

A Predatory Sparrow representative told the outlet five days after Hamas’s Oct. 7 attack in Israel that the group was prepping for future attacks and “keeping some ‘buttons’ on hold.”

The attack did not cause a fuel supply shortage but Iran’s petrol stations association advised drivers to not take their vehicles to refuel, Reuters writes, citing the Fars News Agency, which is backed by the Islamic Revolutionary Guard Corps.

  • Iran-affiliated hackers recently carried out cyberattacks on U.S. water treatment infrastructure that uses Israeli-made components, underscoring how hacktivist groups have played a significant role in cyber activity connected to the ongoing Israel-Hamas war.

Intelligence agencies outline 2022 election interference efforts, say no evidence voting systems were compromised

Two reports released Monday by the U.S. intelligence community as well as the Department of Homeland Security and Department of Justice found that cyber activity connected to the 2022 midterm elections had no material impact on election results.

The DOJ/DHS report said that there is “no evidence that any detected activity prevented voting, changed votes, or disrupted the ability to tally votes or to transmit election results in a timely manner; altered any technical aspect of the voting process; or otherwise compromised the integrity of voter registration information or any ballots cast during 2022 federal elections.”

  • Senior cybersecurity officials provided a similar update for recent off-year elections.

In 2022, China showed a “greater willingness to conduct election influence activities than in past cycles,” and Beijing “tacitly approved efforts to try to influence a handful of midterm races,” the intelligence community report concluded. Chinese intelligence, diplomats and “online influence actors” undermined and promoted candidates from both major parties, according to the report.

  • But Chinese leaders “refrained from authorizing a comprehensive campaign to influence the midterms” for one party or question the legitimacy of the election, according to the intelligence report. That’s probably because they saw the risks of such an effort as being larger than the rewards, the report concluded.
  • Suspected China-affiliated hackers “scanned both election-related and non-election state government websites,” according to the DHS and DOJ report. Alleged Chinese hackers “also collected publicly-available U.S. voter information, probably to collect personal identifying information and other data on U.S. voters,” it adds.

Russia “and its proxies sought to denigrate the Democratic Party before the midterms and undermine confidence in the election, most likely to weaken US support for Ukraine, and to erode trust in US democratic institutions,” according to the intelligence community report. But the report said “we did not detect concerted efforts to shape outcomes in specific races, activities targeting election infrastructure, or hack and leak operations, despite the collection of some potentially compromising material.” The report also noted that Moscow has long focused on presidential elections.

  • Russia-backed hackers carried out a denial of service attack that “resulted in temporarily restricted access to a public-facing U.S. state election office website,” according to the DHS and DOJ report.

Iran, meanwhile, probably tried to influence elections in Albania, Bahrain and Israel, according to the intelligence community report. “Iran’s actions in the lead-up and through the US midterm elections reflected its intent to fuel distrust in US political institutions, increase social tension, and advocate for candidates and policy positions that aligned with Tehran’s foreign policy interests,” the report also said. The report also said that “unlike its efforts in 2020, we did not detect an Iranian effort to promote violence in the United States.”

Cuba “attempted to undermine the electoral prospects of specific US Congressional and gubernatorial politicians that it perceived as hostile,” according to the intelligence community report. It focused on candidates in Florida, according to the report.

Government scan

CISA issues secure by design alert for manufacturers on eliminating default passwords (Inside Cybersecurity)

Securing the ballot

Imran Khan deploys AI clone to campaign from behind bars in Pakistan (The Guardian)

Industry report

Clorox, Boeing, MGM and more: Why big hacks have surged in 2023 (Bloomberg News)

Global cyberspace

E.U. launches ‘illegal content’ investigation of Elon Musk’s X (Aaron Gregg and Will Oremus)

7 months inside an online scam labor camp (New York Times)

In Cambodia, Tether coin becomes crypto of choice for Chinese-linked activities (South China Morning Post)

Cyber insecurity

Vans owner VF Corp. shares tumble as it says cyberattack could hamper holiday fulfillment (CNBC)

MongoDB says customer data was exposed in a cyberattack (Bleeping Computer)

Mr. Cooper hackers stole personal data on 14 million customers (TechCrunch)

Privacy patch

Marketing company claims that it actually is listening to your phone and smart speakers to target ads (404 Media)

FCC carrier data breach rule updates add to regulatory maze (Bloomberg Law)

L.L. Bean tips the scales in state privacy fight (Politico)

Secure log off

Thanks for reading. See you tomorrow.