Caveat 9.16.21
Ep 94 | 9.16.21

Pay the ransom anyway regardless of payment ban?

Mark Lance: I absolutely do think that if you attempted to ban ransom payments, there are certain circumstances where organizations will just say, we have to do - pay the ransom anyway because we need access back to our data.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben shares the story of a judge allowing a lawsuit against Apple alleging privacy violations in its use of Siri. I've got the details on trade groups lobbying for streamlined breach reporting standards. And later in the show, my conversation with Mark Lance from GuidePoint Security. We're going to be discussing the FBI's recent advice not to ban ransom payments. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, before we jump into our stories, we got a nice bit of follow-up from one of our listeners. A gentleman named Kevin wrote in, and he said, dear Dave and Ben, reviewing the Capital One court case and reading a report from the National Law Review - he says, yes, I have no life - the issue of breaches in IR reports being discoverable came up. Kevin asks, besides hiring your law firm to handle IR hiring - costly, you know how attorneys bill - using a company you've never used before, which takes longer to get up to speed, or writing a totally different SOW for a company you use - costly attorney fees - what are other ways a company or small business could keep their security gaps out of courts? What do you think here, Ben? 

Ben Yelin: Great question. He later says in his note to us, don't embarrass me with your answer, so I cannot guarantee against that, Kevin. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: I apologize. 

Dave Bittner: Kevin, it's a terrible question. You should be ashamed of yourself for even sending it (laughter). 

Ben Yelin: Exactly. The keyword here is standards. So you are often judged as a company in relation to your peers because when we're talking about data breaches, you know, that ends up being a tort case. And in a court of law, you know, the courts will look at what a reasonable company similarly situated would have done to protect its networks or devices. So industry standards and customs are going to be incredibly protective in terms of lowering your legal liability. So for a given company or organization, going to that NIST website, reviewing the security standards for your type of business - you know, if you're a manufacturer, they have a framework for manufacturing. If you, you know, are a government institution, there's a NIST for that, if you will. 

Dave Bittner: Right, right (laughter). 

Ben Yelin: That's going to be the best evidence you have in court that, you know, you are not acting negligently. You are doing the best that you can to adhere to industry standards and to protect your own network. So that's what I would say. 

Dave Bittner: Yeah. 

Ben Yelin: That may not, you know, eventually prevent you from having to hire a bunch of lawyers. 

Dave Bittner: Right. 

Ben Yelin: And yes, they are expensive. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, that's a good initial step any company can take to try and limit their liability. 

Dave Bittner: Maybe reach out to trade groups, those sorts of things that handle your industry. See what sort of guidance they have as well. 

Ben Yelin: Absolutely. Yeah, trade organizations are a great resource. 

Dave Bittner: Yeah. Yeah. All right. Well, our thanks to Kevin for sending in that question. We would love to hear from you. If you have something you'd like us to discuss on the air, you can email us at 

Dave Bittner: All right, Ben, let's dig into some stories here. Why don't you kick things off for us? 

Ben Yelin: So this is a story about a lawsuit against Siri. Poor Siri. I don't know how you would serve her with a lawsuit. 

Dave Bittner: (Laughter). 

Ben Yelin: She perhaps only exists in our heads and in our minds. 

Dave Bittner: Right. 

Ben Yelin: The article comes from a Washington Post piece on their technology page by Rachel Lerman. And it's about a judge - a federal judge in California who ruled that Apple has to continue fighting a lawsuit brought by users in federal court alleging privacy violations on behalf - or resulting from Apple's use of their personal voice assistant, which is Siri. The allegation is that Siri has improperly recorded voice conversations. I'll note that the judge here is an individual named Jeffrey White. I know him because he was the District Court judge on a long-running electronic surveillance case that was actually finally resolved in the past several months. But it had been going on since 2008... 

Dave Bittner: Wow. 

Ben Yelin: ...Which is all to say that Judge White has experience with these types of issues. So this decision was largely on procedural grounds. The judge threw out the allegation of economic harm, so there wasn't enough merit for that to go forward. But they allowed the plaintiffs to form a class for a class-action lawsuit, which is a key step for any group of plaintiffs. And they allowed the case to move forward on the merits, and the merits are that Siri turns on unprompted and records conversations that it shouldn't have, therefore passing that data to third parties, which would violate a variety of federal laws and user privacy. There are similar suits that we've seen against other companies. This is not just Apple. Pick your personal assistant of choice. 

Dave Bittner: Right. The lady in the tube. 

Ben Yelin: I - yeah, exactly. I have Siri and Alexa myself. They're two of my best friends. 

Dave Bittner: Yeah. 

Ben Yelin: So the idea here is the - Siri is only supposed to hear your wake word and then the two or three words you say before your wake word and then everything you say after your wake word. So they're listening for you to say Siri. 

Dave Bittner: Right. 

Ben Yelin: People have different voices, and, you know, sometimes you could be saying another word that sounds like the wake word, and that might be picked up and shared with third parties. I think from the company's perspective and the reason why I really doubt that this legislation is going to succeed on the merits is not only is this inadvertent collection exceedingly rare, but even rarer is this collection reviewed manually. And it's not exactly clear whether, you know, if this mistaken collection occurs, if either violates - it almost certainly does not violate the terms of service. I'm not sure if it's going to violate a federal statute. So I'm not - I'm kind of bearish on whether the plaintiffs are going to succeed in this case. But it's certainly interesting. I mean, we now have several lawsuits making this same allegation that these personal assistants are doing more than just collecting a few words you say around your wake word. 

Dave Bittner: Yeah. This troubles me - maybe troubles - annoys me is probably a better word for it because we've been fighting the good fight of trying to reassure people and convince people that these devices are not constantly listening to you to sell you ads. 

Ben Yelin: Right, right. 

Dave Bittner: That has been debunked, thoroughly debunked. They're not doing that. They don't need to do that. There are so many other ways that they can figure out the things that you're interested in that they don't need to take the processing power, the bandwidth and all that stuff to be constantly listening to you. I understand it is a compelling illusion. It sure does seem like they're doing that sometimes. But there's always a good explanation for how it's happening, otherwise. 

Ben Yelin: Right. 

Dave Bittner: And I think that gets conflated with what this lawsuit is actually about. And I want to just try to make sure that we differentiate that. Am I correct that these folks are saying that sometimes these recordings for quality control purposes get...

Ben Yelin: You put on your nice, little customer service voice there. 

Dave Bittner: Right. They get sent to actual real, live human beings... 

Ben Yelin: Right. 

Dave Bittner: ...Who listen to them and establish what - if they're good or, you know, whatever. They do whatever they need to do to try to make the technology better. 

Ben Yelin: Right. 

Dave Bittner: And the problem that - with that is, let's say, I don't know, I'm in the throes of passion with my wife or my, you know, girlfriend or whoever, whoever I am, right? 

Ben Yelin: Sure. 

Dave Bittner: And I accidentally say a word that sounds like Siri, and now some stranger's listening to that - who knows where, right? And it gets posted to the - you know, the Slack channel of funny things... 

Ben Yelin: Worst adult movie ever. 

Dave Bittner: (Laughter) Right. Exactly. Exactly. But - so I'm being a little - you know, I'm exaggerating here. But that is the concern that people are suing for, yes? 

Ben Yelin: That is the concern. You know, what Apple will say is, A, you can opt out. You don't have to use this personal assistant. 

Dave Bittner: Right. 

Ben Yelin: I think plenty of us survived before, you know, Siri was instructed to play our favorite album or... 

Dave Bittner: (Laughter) I'm not going back, Ben. I'm not going back. 

Ben Yelin: I know. I know. So, you know, that's a huge part of it. 

Dave Bittner: Right. Right. 

Ben Yelin: It's not like you need a personal assistant to engage in everyday work and, you know, family life, which makes a difference in a court of law. We've seen in other cases where, you know, judges are stricter on functions - you know, things like cell site location information, where it's impossible not to share that if you want to be a living human being. 

Dave Bittner: I see, yeah. 

Ben Yelin: Your cellphone is going to ping off the cellphone towers. 

Dave Bittner: Right. 

Ben Yelin: But yeah, you don't have to use Siri or Alexa as personal assistants. Apple also says they're not selling the recordings. The recordings themselves aren't associated with an identifiable individual. 

Dave Bittner: Right. 

Ben Yelin: And they're constantly working on the problem. I mean, they are trying to, like any good tech company does, you know, go through testing to make sure that there aren't as many inadvertent triggers. You know, some of these other companies - Google, as part of this article, says that they don't retain, as a matter of course, audio recordings. You know, I think - I understand what the fear is. You know, the fear is that private interactions are going to be inadvertently recorded and that that information is going to be improperly shared with third parties. 

Dave Bittner: Well, we saw - remember there was a case where there was a murder... 

Ben Yelin: Yes. 

Dave Bittner: Like, somebody in it was in a hot tub or something? 

Ben Yelin: Somewhere in the Deep South. Yep, in a hot tub... 

Dave Bittner: Yeah. 

Ben Yelin: ...Where they caught a confession because it came just before the wake word was invoked. 

Dave Bittner: Right. Right. 

Ben Yelin: Yeah. 

Dave Bittner: So, I mean, that's a legit privacy concern. 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. I just don't know if there's much strength in a civil class-action suit. I mean, for one, they tossed out this claim of economic harm without having read the details of the complaint. I just don't know if they're going to be able to allege sufficient harm, harm traceable to the conduct of these companies, to allow them relief in the judicial system. So I'm skeptical of that. And I also think that - and maybe I'm being too easy on these companies. I don't think this is an issue of the companies being glib or being, you know, negligent in protecting privacy. I think some of this really is inadvertent. 

Dave Bittner: Yeah. 

Ben Yelin: Now, you can be held legally liable for inadvertent things. But it's going to be less likely if they are, you know, complying with industry standards and doing all of that. So yeah, I'm not optimistic on behalf of these plaintiffs, but I've been known to be wrong before. So... 

Dave Bittner: All right, well, we will have a link to that Washington Post story in the show notes. My story this week comes from the Wall Street Journal, story by James Rundle, and it's titled "Industry Groups Urge Lawmakers to Streamline Cyber Breach Reporting Rules." And what this comes down to is you've got some lobbying groups - in this case, in this story, they're talking about an organization called the Bank Policy Institute, which is a lobby group for large banks - and they're making the point that there are so many breach reporting requirements across states and federal that there's going to be more and more of them. This story points out - there's a woman by the name of Heather Hogsett who is the senior vice president at the Bank Policy Institute. She makes the point that a financial company could be subject to notification rules from the Office of the Comptroller of the Currency, the FDIC, the New York State Department of Financial Services, the Treasury Department and the EU's General Data Protection Regulation organizations as well. They say the U.S. Securities and Exchange Commission is preparing a proposal on breach reports. 

Dave Bittner: So it sounds like industry is kind of saying, hey, enough is enough here; is there a way that we can maybe centralize this and have one organization be a clearinghouse for these sort of notifications that then get disseminated to all the other organizations? What do you make of this, Ben? 

Ben Yelin: Yeah, I think this is a completely reasonable request on the part of these business lobbying groups and organizations. I mean, you can imagine how difficult it is to comply with 50 separate data breach notification laws if you're doing business in all 50 states, not to mention the lack of clarity on, you know, mandatory reporting. Do you have to report for an attempted break-in? Or do you only have to report if your system was successfully compromised and data had been breached? So there are a couple of key debating points there. I think in a perfect world, we would have the federal government come up with a streamlined process that would preempt state laws on data breach notification just because I think this is an area where the federal government - because this involves interstate commerce, not to get a little too constitutionally on you... 

Dave Bittner: (Laughter). 

Ben Yelin: I think this is an area over which the federal government should have some control. It would make compliance much easier for companies that only have to follow one set of rules. And Congress could draft a law in such a way where they explicitly preempt state data breach notification laws. The issue with that is - I don't know if you've seen our Congress recently. They always... 

Dave Bittner: (Laughter) It's a well-oiled machine, Ben. 

Ben Yelin: Yeah. They sometimes get down to the lowest-common denominator... 

Dave Bittner: Right. 

Ben Yelin: ...Where the regulations are watered down through the sausage-making process, whereas - you know, so the consumer protection for data breaches would be significantly lessened than what you get in many states, including here in Maryland. 

Dave Bittner: Right. So the good people of California may have a different idea than the - I don't know, the true patriots of Texas, right? 

Ben Yelin: Yeah, exactly. Exactly. 

Dave Bittner: Yeah, yeah, yeah. 

Ben Yelin: There are true patriots in California, too, Dave - just throwing that out there. 

Dave Bittner: (Laughter) Of course, there are. Of course, there are. 

Ben Yelin: Yeah. And then the other issue is how much companies should be obligated to report. Companies are going to face a series of cyberthreats. Not all of them are going to be successful attacks. Sensitive data isn't going to be revealed after every single attempt at either cyber espionage or cybercrimes or a ransomware attack or whatever. They're not always going to be successful. You know, it would be very burdensome on companies to have to engage in that level of granular reporting. You know, so-and-so in accounting got a phishing email today; do I have to report that to CISA? But... 

Dave Bittner: Could you overwhelm a system like that? 'Cause there's, you know... 

Ben Yelin: Right, exactly. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: The counterargument to that - and this was made by a Democratic congressman, James Langevin of Rhode Island - is that in order to get a proper picture of the full, you know, threat landscape, it's better to have more information than it is to have less information. And that might also be an argument for one of the benefits of 50 different state data breach notification laws, is you probably do end up collecting more data than you otherwise would, and that data can be useful for conducting broader threat assessments. But, you know, I still think for the sake of giving these businesses some level of certainty and setting a, you know, what would hopefully be a robust floor for consumer protection after data breaches, I think it would be advisable, in my opinion, for Congress to do something about this. 

Dave Bittner: Yeah. This article points out that the Senate has a proposed bill that would require, for example, federal contractors and government agencies and critical infrastructure operators to notify within 24 hours of an incident being detected. A House draft bill of the - you know, of the same bill, I assume, gives them 72 hours. I think that's an interesting point. You know, how long is too long? And how short is too short? Where, you know, you have to have some amount of time to figure out or to try to figure out what's going on here. And I suppose you could have the nuance of - if the clock starts ticking - right? - and you are able to notify whoever you need to notify, something's happened. We're not sure... 

Ben Yelin: Right. 

Dave Bittner: ...What's happened, but we're just letting you know something's happened. Stay tuned. 

Ben Yelin: Right. 

Dave Bittner: 'Cause there's a lot more coming. But, you know, something's happened, and we're not sure what it is. 

Ben Yelin: Right, right. Yeah. You know, I think any way that you can - and this is probably something that's going to be decided granularly at, like, the subcommittee level, but there has to be some number there where you determine what that length of time is. 

Dave Bittner: Right. 

Ben Yelin: So, you know, it's - I think it's better to have one clear, set standard, you know? It might take the federal government a long time to develop what that standard is, but at least you'd only have to comply with one rather than 50 separate standards.

Dave Bittner: Right, right. Yeah. I hear people compare this to, you know, the airline industry and, you know, that you have - when there's an airplane crash, for example, or any kind of incident with an aircraft, you know, there's a government agency that investigates that. 

Ben Yelin: Yeah. 

Dave Bittner: And that is their job. And that's what they do. You know, do we need something similar for cyber breaches? I think it's an interesting comparison. And I suppose, you know, in some ways, they're very similar, but in other ways, probably very different. 

Ben Yelin: Yeah. Although I will say they are both - you know, they are both modes that go across borders in different ways. There are things that are not confined to individual states. Air travel - you know, unless you're flying within the state of California, for example, you know, you're generally flying to another state. 

Dave Bittner: Yeah. 

Ben Yelin: With cyber transactions, it's rarely something that's contained within an individual state, which is why I think it's ripe for some type of federal regulation. 

Dave Bittner: Yeah, no, that's a good point. All right. Well, we will have a link to that story from The Wall Street Journal in our show notes. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Mark Lance. He is from GuidePoint Security. And we're discussing the FBI's recent advice not to ban ransomware payments. Here's my conversation with Mark Lance. 

Mark Lance: You know, I think over time kind of there was a stigma associated with paying ransom. And I mean, even you can tell by, you know, looking at the threat actors. They used to have what were called name and shame sites, and they do have name and shame sites. And you know, at this point, I don't think there's as much shame involved with being impacted or affected by ransomware. I think it's - you know, it seems to be a more common trend. And, you know, even organizations in the Fortune 50 are being impacted by this. And so nowadays, when you are hit with ransomware, I don't think it's as much of a black eye. It's more of a commonality between different organizations now that they've had to deal with it. And that's unfortunate, of course, but it's just kind of the state of the things as they are now. 

Dave Bittner: When you're brought in to help negotiate with some of these operators, can you give us some insight to what that process is like? 

Mark Lance: Yeah, absolutely. So I mean, I think a good starting point is just talking about kind of the trend of ransomware. You know, obviously, it started out very opportunistic then transitioned over to organizations, more targeted threats. Initially, it was very much about operational impacts and then eventually transitioned into, like you had mentioned, you know, over the past 18-plus months, this additional piece of extortion. And I think because now you're not just talking about operational impacts, you are talking about theft of data and organizations that are trying to either prevent the recognition of their name being out there, that they were impacted or the loss of sensitive data, intellectual property or whatever was stolen with their environment - I think we are seeing more and more instances where these threat - or sorry, these organizations are potentially interested in paying threat actors. 

Mark Lance: So I think, again, there are multiple reasons and motivations why somebody would have interest in brokering a conversation with the threat actor and potentially negotiating a ransom. And the way that that typically starts is, you know, the organization at first needs to make a determination. Do we want to make contact with the threat actor? Do we want to understand what the ransom amount is because we do have potential interest? And that could be, you know, interest again because they're completely operationally impacted. They don't have access to backups. They can't recover sensitive data or systems that they need access to, or even instances where potentially paying the ransom and getting access to a decryption tool might be quicker than getting access to their offline backups and restoring from those. 

Mark Lance: Other considerations might be that, you know, they don't want to be publicly named and shamed or put on the threat actor site. They don't want to have any data released due to the sensitivity of the data, just, you know, due to the fact that they don't want that out there and recognized, so kind of multiple considerations there. And then basically, the customer needs to make a determination that they do, in fact, want to reach out to this threat actor and understand what the ransom amount is, understand, you know, how much is being requested and why. And there are certain benefits to do that - doing that. A lot of customers have interest in doing that, even if they're not necessarily interested in paying the ransom because they might get an idea of what the threat actor is saying they stole on confirmation on certain data that they believe about the incident, while an investigation is ongoing from the incident response service provider. So, you know, with the different threat actors, there are kind of different methods for you to reach out to them based on, you know, what their kind of standard operating procedures are. Some of them have you send an email. Others have a - you know, a site built where when you're prepared to go initiate contact with them, you go insert your key into this site, and, you know, a chat window is populated, and you're going to be immediately interfacing with the threat actor so that you can communicate with them on ransom amount, what they believe they have and start the negotiation process. 

Dave Bittner: Do the ransomware operators know that they're dealing with a negotiator when you're involved? Is that - I mean, is that generally part of the process or not? 

Mark Lance: Not necessarily. I think ideally, you know, you want them to believe that they're interacting and working with somebody from the organization. Now, that being said, they're fully aware of kind of the brokerage and negotiation services and firms that are - you know, that are providing these types of services. I would be reluctant to say that they don't have awareness or potential familiarity with all of those firms and that they are - and in certain circumstances, likely working with a negotiator. 

Dave Bittner: Where do things stand then today, I mean, in terms of the advice as to whether or not to pay the ransom? You know, at the outset of this ordeal, you know, again, when it was ramping up, the FBI said, pretty strongly, don't pay the ransom. You're supporting a criminal operation. There's no guarantee you're going to get your money back. They might come back to you for more money. You know, there's a whole list of reasons why they recommended not doing that. Again, that's sort of shifted. And it seems to me like organizations like the FBI are taking a more - I don't know - prudent, practical and realistic approach to this. Where do we stand? What is the current state of things? 

Mark Lance: So I think that those recommendations still persist. I still do think that the FBI would advocate for people not making ransom payments if it's not necessary. Where I think you had mentioned - and I believe is occurring is - but there's also some more realistic perspective there in the attempt to potentially ban ransom payments. Again, I think there's a desire where they don't necessarily want you to pay them. Realistically, there might be situations where customers need to pay them to regain access to data. Again, there are instances where an organization's entire architecture is impacted aside from access to a couple of servers or a couple systems, and they don't have access to backups, and the inability to decrypt that data or get access back to that data, it could cause them to potentially even shutter their business. And so I think in those circumstances, I think that they're being more realistic in the sense that there are certain instances where you might need to pay, due to kind of the business requirements of your organization. Now, that being said, I think the guidance is to try to avoid that situation and avoid, you know, funding these criminal organizations, if that is something that you can avoid or if you can, you know, get to the same place in the recovery stage without having to make that payment. 

Dave Bittner: If a ban were put in place, would that lead to some sort of black market? Could organizations, you know, look to - I don't know - you know, offshore organizations who would be able to serve as a middleman for these sorts of things? 

Mark Lance: I believe so. I believe that if you attempt to ban ransom payments, there, again, are these instances where an organization can't function without access to their data, and I think in those instances, they're going to find a way to ensure that that ransom payment is made so that they can retrieve their data, so that they can get their business operational and functioning again. And so I think by placing a ban in those situations, again, you're driving people towards a market where they are potentially going to do whatever it takes to try to recover that data and to pay that ransom so that they can recover. I think it could lead to, you know, organizations or fronted organizations that are potentially even providing those services to customers and maybe not acknowledging that that's what they're doing. I mean, there is history of some companies out there who will, you know, decrypt systems for a dollar amount, and they're not necessarily acknowledging that behind the scenes, they're going to these threat actors, and they are negotiating terms and getting access to decryption keys for certain systems. And so I think that, you know, there is the potential for, you know, black-market services, fronts for services that are being performed but not acknowledged offshore. But I absolutely do think that if you attempted to ban ransom payments, there are certain circumstances where organizations will just say, we have to do - pay the ransom anyway because we need access back to our data. 

Dave Bittner: Are you optimistic that we're going to get a better handle on this? How do you think things are going to play out in the future here when it comes to ransomware? 

Mark Lance: It's a great question. I think that - I think more people are taking it seriously, and we're seeing more and more organizations and clients who are reaching out, talking about, you know, ransomware preparedness, which is great to see. It's - you know, I do think we will continue to see threat actors evolve, find new methods to ensure that they are being compensated and receiving monetary gains, you know, through these criminal activities. So I think we'll continue to see evolution of the threat to make sure that they are still receiving ransom payments. But I do think that we are seeing organizations be more and more conscious about ransomware and just the threat in general and trying to prepare and do things, you know, and take steps to prevent that from happening to them. You know, that being said, again, there's always an evolution of threats. And I think that, you know, the threat actors are going to continue to try to impact customers and gain monetary value. 

Dave Bittner: What's your recommendation for organizations, you know, if they find themselves hit with ransomware? Any tips for how to best proceed from there, how to minimize the damage? 

Mark Lance: Yeah, absolutely. I mean, I think that one is preparing for it overall. You know, you have to look at these threat actors and the amount of organizations and our clients that they're impacting. And so a lot of times for them to gain access to an environment, to, you know, perform the encryption event and the ransomware incident and then eventually receive the ransom payment, the overall level of effort for them is quite minimal. So if you've got more controls in place, more hurdles for them to jump through and it's going to cause an excessive level of effort, I think for some of your smaller threat groups or for various different threat groups, that might almost steer them away because they've got such a large pool of other, you know, organizations that they can try to go impact. So I think having those preliminary controls and hurdles in place, you know, following standard best practices is huge. 

Mark Lance: Now, once you are impacted - you know, to the point of your question, you know, what should you do? I think some of your immediate steps are, one, it's great to have an incident response plan in place so you know, you know, what that escalation path should entail, who you should be contacting, the different roles and responsibilities. That should also include, you know, engagement of external counsel so that you can get direction on, you know, your potential liability, disclosure requirements based on your location, region, potential data that has been identified as part of the investigation. You also should, obviously, work with an incident response service provider, somebody who can perform that investigation so you can fully understand the scope of the incident - how they got in, what did they touch, did they steal data? - and then so you can develop a remediation framework that's going to effectively remove them from the environment, as well as, you know, your insurance carrier to determine what type of coverage do you have. Is it going to pay strictly for the services to assist with the investigation and response effort? Or do I have coverage for ransom payment in case that is something that might be necessary for us to recover? 

Mark Lance: And then the last thing I would say is just - while you're going through this process of, you know, performing your escalations and leveraging your incident response plan, in the interim, while you certainly want to take steps to contain the threat and start, you know, working towards recovery, you definitely do not want to muddy the water forensically. You don't necessarily want to, you know, start rebuilding or reimaging systems without ensuring that you have copies of those because we have seen numerous instances where customers will start rebuilding, reimaging, and we realize that there is an urgency to restore operationally, but by doing so, they're removing forensic artifacts that are going to allow us to fully understand what that incident scope was and how they got in, what systems that they did touch, so that we can answer those questions for them on the best next steps. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Oh, it's fascinating stuff. I do think we've seen this transition, as Mr. Lance indicated, from where we were several years ago, where the advice was obvious - do not pay the ransom. 

Dave Bittner: Right. 

Ben Yelin: We're rewarding bad actors, that your valuable information might not even be decrypted - et cetera, et cetera. I think that message, as Mark said in the interview, is still the message. You know, I think that's still better advice than any other potential alternative. I think what's changed is now we can acknowledge the reality of the tradeoffs. We've seen a bunch of incidents where - you know, you look at that Colonial Pipeline; perhaps it is easier in some circumstances to pay the ransom. 

Dave Bittner: Yeah. 

Ben Yelin: I always think about, too - you know, think back to Baltimore City. Granted, we don't have the full suite of information on this that would be necessary to make an informed decision. This is all post hoc. But, you know, that was $18 million in damages and lost revenue, the inability to record real estate transactions, inability of people to pay water bills. They were asking for $90,000 in bitcoin as a ransom payment. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: You know, sometimes you have to contend with the reality of that cost-benefit analysis, even if you - even if there is a moral hazard, you know, where you are rewarding bad actors. But this is not unique to, you know, ransomware, per se. It's - you know, that's - people have paid kidnappers in movies and in real life. 

Dave Bittner: Yeah. 

Ben Yelin: And it's a terrible thing to have to contend with, but it's - I think this is just - we're starting to recognize the reality that it's not always as simple as never give in; don't pay the ransom. 

Dave Bittner: Right, right. There's more nuance than that. For example, for there to be an outright federal ban on paying ransom payments, the FBI is saying, hmm, let's not go that far. 

Ben Yelin: Yeah, we're not ready for that yet. Yep. 

Dave Bittner: Yeah, yeah. All right, well, our thanks to Mark Lance from GuidePoint Security for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.