Understanding the multi-tiered impact of ransomware.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Jamie McCall: It's known by most people as RUSI, and it's the oldest defense and security think tank in the world, I think one of the oldest think tanks in the world. It was founded in 1831 by the Duke of Wellington. And historically, it's predominantly been associated with military history, the military sciences until the last few decades when it's moved into kind of broader security areas, much like, you know, global security has changed in the last several decades.
Dave Bittner: Our guests today are Jamie McCall, a research fellow in cybersecurity, and Dr. Pia Hüsch, a research analyst. They're both from the Royal United Services Institute, commonly known as RUSI. The research we're discussing today is titled "Ransomware: Victim Insights on Harms to Individuals, Organizations, and Society." [ Music ] Well, let's dig into this research itself. What prompted you and your colleagues to take on this topic?
Jamie McCall: So I've been interested in ransomware for quite a long time. I used to work in cyber threat intelligence, and when I started in that, it was when targeted ransomware was first becoming a phenomenon, so when SamSam was coming through targeting, you know, local governments and hospitals in the US. And I moved into public policy about three or four years ago, and at that point, the kind of people were starting to pay attention to ransomware and kind of national security community, sort of public policy community, but it still wasn't really considered a kind of national security issue in the way it is today. And this specific research was prompted by the real lack of kind of insights and transparency that there is around kind of what victims go through and the harm that ransomware is creating for victims. So yeah, it was -- it's something that I was thinking about for a long time and something that I knew would be very challenging just because you may know as a journalist how difficult it is to get victims of ransomware or any cyber security incident really to speak about their experience.
Dave Bittner: Yeah. So, Pia, I would love to dig into the framework that you all have here in the research here in the section on the ransomware harms. You organize it into first-order, second-order, and third-order harms. Can we go through those one at a time and describe what we're talking about here?
Dr. Pia Hüsch: Yes, of course. So for the first-order harm, we are looking at the organization and its staff members that have been directly hit by the ransomware attack. So think about an organization and their staff members or school and the teachers or the hospital and any staff members who work there. They experience a wide range of harm. It could be on the organizational side. It could be financial. It could be reputational, and so on. And then on the individual side, you might experience psychological harm, again, financial harm, but also reputational harm or weakening of social links.
Dave Bittner: And so let's continue on to the second order.
Dr. Pia Hüsch: For the second-order victims, we're looking at more indirect victims. So this could now be individuals who are patients at a hospital that's been affected, students at a school that's been impacted. But also, if you're an organization and anyone in your supply chain might experience a ransomware attack, then you are still a victim. But in our framework, you're a second-order victim in that instance.
Dave Bittner: You know, one of the things that I found fascinating in the research was kind of the distinction between the organization itself and the employees, the people who work there. Can you take us through that difference?
Dr. Pia Hüsch: Yes, in our research, we wanted to distinguish between the two because the priorities and the way you experience a ransomware attack might differ. So if you're an organization in particular, it's senior management, you might be very concerned about the financial implications of a ransomware attack. That's because to some businesses, a ransomware attack can have existential consequences or an existential risk. So your main priority is how to stop any business interruption and how can you quickly go back to business as usual. Whereas if you're an individual working at an organization that had a ransomware attack, or if you're perhaps part of the IT team working to counter the ransomware attack, then you're primarily experiencing stress and anxiety. It's really the psychological harm that hits you the most.
Dave Bittner: Jamie, can I hand it over to you to talk about the third-order harms?
Jamie McCall: Yes. So the third-order harms are what we characterize as the cumulative effect of ransomware incidents on a country's national security, economy, or society. The reason we wanted to focus on that as a category was to really try and emphasize to -- I suppose, policymakers in particular, but also industry and the general public, that it's quite easy to forget, you know, how many ransomware incidents we've seen over the last several years against critical national infrastructure, against small businesses. And our feeling is that the cumulative effect of that is actually having an impact on, you know, the UK, the US's national security, on their economies, on the society, whether that is because of, you know, particularly in the US, the number of ransomware attacks you've seen against healthcare providers. In the UK, we've had a lot of ransomware attacks against primary and secondary schools over the last several years, you know, which does have consequences for, you know, the education of our children. But also, in terms of national security, you know, no firm is safe, and that includes, you know, critical companies and defense supply chains, you know, critical companies and logistics. And -- yeah, so the idea was really just to highlight how bad the problem has got. [ Music ]
Dave Bittner: We'll be right back. [ Music ] It's interesting to me that -- at least my perception is that that element is not as emphasized as the others. So we talk about the financial loss and the reputational impact, but the notion of the impact on broader society, I think it's underreported. To me, I can't help wondering. Pia, I'm curious on your take on this. Is there, like, an escalation of the notion of kind of ambient anxiety, you know, that there's this -- there's this thing that could happen and you don't know who's going to be hit next?
Dr. Pia Hüsch: I think the reason why it's underreported -- that it's such a national security threat and the wider societal implications -- is because it's really hard to demonstrate that. The further away you get from the immediate victim, the harder it is to actually demonstrate that the harm occurs as a result of a ransomware attack. A lot of the victims we talked to experienced a ransomware attack during or after the pandemic. So a lot of the consequences occurred at the same time as they were assessing, is this a result of the pandemic or does this come from a ransomware attack? So it's really hard, and then that's hard for an individual organization, let alone on a national level, on a society level, to trace back where certain trends and, yeah, harms come from. So I think that's why we don't talk about the national level enough.
Jamie McCall: I think there is an ambient anxiety about cyber attacks, but I think that tends to more be about kind of hostile state activity. So predominantly Russia, China, Iran, North Korea, and I think that's also a sort of comfort zone for policymakers. They understand why those states are a threat and kind of have an existing framework to think about combating it. I don't think that we've really wrestled with the idea that there is a highly disruptive form of cybercrime that can cause as much harm, I would argue, as anything that Russia, Iran, North Korea, and China can do.
Dave Bittner: Well, the third section in the research talks about the implications for policy and future research. Can we go through some of the highlights from that? What are you recommending here to policymakers?
Jamie McCall: So unusually for a policy paper, we haven't actually kind of recommended anything specific at this stage because the project is still ongoing. There are certainly implications in the paper for public policy around cybersecurity and around national security more generally. The main one, as I've just touched on, is to -- is that I think we believe that ransomware should be treated in the same way as nation-state cyber threats are in terms of how law enforcement, intelligence agencies are resourced and tasked. So that's one important takeaway for us. And then I think a couple of others, and Pia already touched on this, but we are very keen for people to start thinking about ransomware and cybercrime more generally as something that causes harm beyond just the financial losses, which are much easier to understand and quantify. And one thing that we really pick up on in the research is the psychological harm to staff and individuals sort of downstream from a ransomware attack. And, you know, we had some quite harrowing conversations at times with people that either owned companies or worked at companies affected by ransomware. And it kind of had a really -- it had taken quite a significant toll on their mental health, personal lives, social lives. And I think that's something that tends to get missed with cyber because it is something that is quite intangible to most people that happen -- from most people's perspective, it's something that happens in a virtual space rather than, you know, a physical environment.
Dave Bittner: Pia, what are your insights when it comes to aspirational policies here?
Dr. Pia Hüsch: Yeah. I would also say that one of the other implications that followed from the research was that particularly when you look at second- and third-order harm, so harm experienced more indirectly, this tends to disproportionately affect those who are already vulnerable. Think about the patient in the hospital waiting for a treatment. Think about perhaps a student already -- like a very young person. Think about someone in a council who is receiving benefits from a local council and then unable to receive them. These are already people who are in a vulnerable position to begin with, but they might be more affected by some of the ransomware attacks and the indirect harm that they're experiencing. Just because if you're in a more privileged position, you might be -- not receiving benefits in the first place or you might be able to afford private health care. But it's really where ransomware attacks target those public service providers that indirect victims who are already vulnerable feel a disproportionate amount of harm.
Dave Bittner: Where do you hope that this research leads? What are next steps here for you and your colleagues?
Dr. Pia Hüsch: We're publishing a second paper based on the same interview data that really dives deeper into the victim experience and what makes the victim experience better or worse. So we're exploring the factors that can help victims, but also the factors that make it particularly bad going through a ransomware incident. And that paper will follow up with some detailed policy recommendations, what policymakers but also victims, service providers such as incident response teams can do. And then also the public sector, of course, what they can do in order to mitigate ransomware harm and help the victims.
Dave Bittner: Jamie, any final thoughts?
Jamie McCall: Yeah, I mean, one of my hopes with the research is that it contributes to the wider public debate about whether to treat ransomware as a national security issue or not. Because I think quite a lot of -- and maybe this is more in the UK and Europe than the US, where there have been kind of senior national security figures in the US that maybe have been more vocal about it than in the UK. But I think in a lot of ways, people have been paying lip service to ransomware as a national security threat. So, you know, there'll be the odd speech about -- maybe the odd interview. But when you actually look at resourcing, legislative changes, how it's prioritized within intelligence agencies, I don't personally think much has changed. And I think it's quite important that we kind of overcome the cultural bias, I think, within the national security community that doesn't treat serious and organized cybercrime with the respect that it deserves. [ Music ]
Dave Bittner: Our thanks to Jamie McCall and Dr. Pia Hüsch for joining us. They are both from the Royal United Services Institute. The research is titled "Ransomware: Victim Insights on Harms to Individuals, Organizations, and Society." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K Networks. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]