At a glance.
- US considers a ban on ransomware payments.
- New privacy laws from two US states.
US considers a ban on ransomware payments.
The US government has been vocal in discouraging ransomware victims from meeting their attackers’ demands, but has stopped short of implementing an official ban. A top US cybersecurity official says the White House is now considering officially prohibiting ransomware payments. Speaking at the Institute for Security and Technology’s Ransomware Task Force event last Friday, Anne Neuberger, the US’s deputy national security advisor for cyber and emerging technologies, said, “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision.” Neuberger went on to say that in certain cases the government could grant a waiver to the ban, allowing the victim to pay if, for instance, an attack disrupts critical services. However, as Cybersecurity Dive notes, some experts say a ban, even with a waiver, could present new challenges. Victims could be less likely to disclose they’ve been hit with ransomware, for fear they’ll be penalized if they choose to pay up. Not only could this be detrimental for victims, but any progress the government has made in tracking ransomware attacks would be squandered. “We already have a reporting problem,” said Allan Liska, threat intelligence analyst and solutions architect at Recorded Future. “You’re just pushing it further underground…We may, two years from now, say ‘oh look, there’s no more ransomware,’ because everybody’s doing everything they can to cover up every ransomware attack.” What’s more, the state of North Carolina has implemented a ransomware payment ban at the state level, but the move has done little to slow the rate of attacks. Still, some experts say a ban is the only option. Brett Callow, threat analyst at Emsisoft, stated, “Less payments equals less ransomware. It’s that simple.”
Jason Kent, Hacker in Residence at Cequence Security, explains why paying the hackers isn't always the best answer:
"I don’t like to negotiate with terrorists. It legitimizes the terrorist agenda and creates victims every time the terrorist wants to strike.
"Ransomware is terrorism. Should it be banned? Absolutely. The challenge with banning anything is how it is discovered and how it is dealt with after it is discovered. If a ransomware gang targets an organization and gets deployed in their servers, when will the ban take effect? It's going to be out there no matter what. And companies are going to be wary of reporting anything if there are too many regulations around it.
"So what about payments? Well, that is a bit more nuanced. I still say that negotiating with terrorists is a bad idea. How do you know they won’t just take the money and run? How do you know if the decryption keys are going to work on every system? What assurances do you have they won’t come back via the backdoors they left? Should you pay them? No. You need to be ready to toss those systems out and start over. You were infected, and that means they left ways to come back.
"If we kill the economics of Ransomware, we kill it as a tool of terror. Now we have to realize it can still be used as a tool of destruction and be prepared."
(Added, 4:45 PM ET, May 12th, 2023. James Graham, the VP of RiskLens, pointed out the way a ban would, whatever other effect it might have, further complicate victims' risk calculations. "A ban on ransom payments would likely just add another risk factor into the quantified decision about whether or not to pay," he wrote. "That is, victim companies may simply factor these new penalties into their risk equation as a potential secondary loss. If the cost of the ransom and the penalty are less than the consequences of not paying (data breach, lost business, brand reputation, etc.), or if the combined loss figure is still within the organization's risk tolerance, any such ban could prove less than effective as a deterrent.")
New privacy laws from two US states.
The US states of Tennessee and Montana are following in the footsteps of states like Virginia, Colorado, and California by implementing state-level omnibus privacy legislation. While these new laws are not the first of their kind, and for the most part they mirror Virginia and Colorado’s legislation, Seyfarth notes that they do contain some fresh components. For instance, the Tennessee Information Protection Act (TIPA) stands out for incorporating specific guidelines on how businesses can develop and deploy their individual privacy programs by requiring the use of the National Institute of Standards and Technology (NIST) privacy framework. This approach could have its challenges, as NIST’s framework does not take into account the varying size, capabilities, and processing risk activities of different companies. Additionally, TIPA does not make it clear whether failure to follow the framework would amount to a violation of the law. TIPA is also unique in that it allows companies to use a certification program as evidence of compliance. Data controllers that participate in the Asia Pacific Economic Cooperation Forum Cross-Border Privacy Rules system may be granted certification that they are already compliant with TIPA.