In the television show Arrow, billionaire playboy Oliver Queen returns to Star City after being trapped on an island only to find it overrun with crime and corruption. Oliver Queen dons a green hood, grabs a bow and arrow and takes on the criminal elements of Star City as the Green Arrow. When Green Arrow would take down a villain he would shout, “You have failed this city.”
That catchphrase rings true to me today as the debate rages about whether or not governments should implement a ban on paying ransoms to ransomware groups. We are in this situation because the security community has failed to adequately protect the people we are supposed to protect. Of course, that is not the way it is portrayed. Instead, in the rare instances when we learn how a ransomware attack happened we get headlines like the victim didn’t properly enable MFA or they didn’t patch a vulnerability or some other failure on the part of the victim. The truth is, we make it hard to properly secure and maintain a good security posture. We force organisations to jump through hoops to understand their weaknesses and vulnerabilities and we throw so much at them that it is impossible for even the most resourced organisations to keep up with everything they need to do to keep every aspect of securing their increasingly complex networks.
Inevitably, this leads to security failures and ransomware attacks. When those attacks happen, we blame the victim, “Oh, why didn’t they put MFA on all the things?” Never mind how hard some vendors make it to enable MFA. Or, “How could they not have patched that system?” Ignoring the fact that the organisations may have 50 “critical” vulnerabilities that need to be “patched immediately.” We even hear choruses of, “How can they still be using vendor X when it has so many vulnerabilities?” Despite the fact that switching out vendors is a long process and there is a good chance that many of the competitors to vendor X have just as many vulnerabilities.
Through all of the finger pointing and victim shaming, it is rare that we look at the security industry as a whole and realise what an utter mess it is. How can we expect to properly secure the people we are supposed to be protecting when we can’t get our own act together?
So, we’re left with increasingly imperfect solutions that likely will not work, because nothing else we do – at least are willing to do – is working.
Enter government-wide bans on payments to ransomware groups. This is the next step in increasingly escalatory measures designed to make up for inadequacies in protection. Is it a good idea? No. Will anyone be happy with how it is implemented? No. Will it stop ransomware? The few test cases we have seen in places like North Carolina and Florida, ransom payment bans have not slowed down the number of attacks.
But, ultimately, it may be the least bad option available to us.
Not exactly a ringing endorsement, I know. But I don’t think anyone wanted it to come to this. The good news is that we don’t have to go into this blind. As my colleague Sofia Lesmes and I pointed out, we have a history of law banning ransom payments to kidnappers to learn from and we should take those lessons seriously.
There have already been a number of recent great debates outlining the reasons that a ban on payments to ransomware groups is necessary, I won’t rehash those reasons. The truth is, as other experts have pointed out, reasons for not implementing the ban fall apart under close scrutiny.
Instead, I want to emphasise that public reporting must be included with any ban on ransomware payments. Earlier, I mentioned that we don’t think the payment bans enacted by the states of Florida and North Carolina have been effective. That is based on the number of attacks collected through open source reporting. Neither North Carolina or Florida offers a way to verify the effectiveness of the law by providing information on the number of ransomware attacks on the public entities covered by the law.
Without an effective and public reporting regimen we, the taxpayers, can’t gauge the effectiveness of these bans and lawmakers can’t make adjustments to the laws as needed. Some might argue that being forced to report attacks will encourage organisations to try to cover up ransomware attacks. Sure, but organisations do that now and with a law in place there will be consequences if they are caught. This was one of the concerns when the Department of Health and Human Services mandated reporting from healthcare providers in the United States. That did not happen, and we now have better, imperfect but better, insight into cyber attacks against the healthcare sector in the United States than almost any other sector.
Banning ransom payments combined with rigorous reporting requirements by victims of ransomware attacks will allow us to get a better handle on the number of ransomware attacks and help us, collectively, figure out where to devote resources to try to stop attacks. It is a terrible solution that no one wants, but until we can develop security solutions that are effective without being overly cumbersome and complex it may be the only way we can stop failing the people we are supposed to be protecting.
Allan Liska is a threat intelligence analyst at Recorded Future.
