The writer is a former head of the British Secret Intelligence Service, MI6, and co-founder of Vega Cyber Associates.
It is easy to feel helpless in the face of an amorphous and seemingly random threat like ransomware. But, like all cybersecurity issues, it is not so much a technical problem as a human one. It is a problem that humans can solve.
Recent ransomware attacks on the Colonial Pipeline in the United States and on the Irish health care system must be a wake-up call. Things are bad and will only get worse, because the incentives to launch such attacks are strong and growing.
There is no magic solution that will make this problem go away. But there are things that countries, organizations and individuals can do that, taken together, can persuade ransomware actors to apply their unquestioned skills elsewhere.
First, we have to realize that this is not only a criminal problem but a national security and geopolitical problem as well. The people behind these cyber attacks need places to live and to enjoy their ill-gotten gains. It will not have escaped many people's notice that most ransomware operators have a “No eating in Russia” policy. The fact is that many of them are in Russia, and as long as they do not interfere with Russian interests, they will be left alone. President Vladimir Putin has made it clear that he does not regard this as his problem.
There are long-standing links between the hacking community and the Russian security services. And while it is not correct to say that the state was behind these attacks, it is clear that the perpetrators could not operate as they do if the FSB were deployed against them.
US President Joe Biden has said this issue is high on the agenda for his meeting with Putin next week. That is where it should be. And he has to use the full scope of the geopolitical carrot and stick to get this arch-practitioner of realpolitik to take the problem seriously.
I was delighted that the FBI succeeded in gaining access to the bitcoin wallet used by the Colonial hackers and in recovering a large portion of the ransom. The threat that ransomware now poses warrants the application of fully developed national capabilities.
The motives for this criminal activity must also be addressed. As head of the Secret Intelligence Service, I saw for myself the effects of the policy of not paying terrorist ransoms that the UK and our allies in the Five Eyes intelligence-sharing group have embraced. Implementing such a policy is often heartbreaking, but it is the right thing to do. The alternative is to fund the very activity you are trying to prevent.
There is a case for bringing such an approach to ransomware. Opponents question whether forbidding payment in a life-threatening situation can be justified on ethical grounds. They have a point. But a partial ban, allowing payment in “emergency” circumstances, would simply motivate attackers to create such situations. This would be the worst of both worlds.
If one accepts that this is a problem of national security, it becomes difficult to defend the proposition that governments should leave these decisions to private citizens. As a first step, I believe that public, detailed disclosure of payments should be mandatory. Attackers seek to present payment as the easy option. We have to change that.
We also need to consider insurance and the risk of moral hazard. Attackers often gain access to insurance policies in advance and know exactly how much they can demand. That said, insurers now expect to see evidence of sound cybersecurity before writing policies.
Then there is the issue of cryptocurrency. Arguably, the problem would not exist without cryptocurrencies, which allow the ransom to be paid in a way that keeps the identity of the recipients confidential. This is not an argument for a ban on such coins, which are clearly here to stay. But it is a reason to spur the development of strong Know Your Customer and Anti-Money Laundering laws for the digital age.
Cryptocurrencies are not untraceable: transactions are recorded on the blockchain and are sometimes more easily traceable than cash. The difficulty for law enforcement agencies lies in discovering the true identity, or at least the true intent, of the recipient or originator. The good news is that modern data and analytics can be combined in ways that distinguish good transactions from bad ones.
And then there is an irony. The software that attackers use often relies on code written with the best of intentions by penetration testers who help organizations scan their systems for vulnerabilities. While there are significant practical hurdles, we need to draw on our experience with anti-proliferation licensing techniques and identify ways to restrict the use of such code to its intended purpose.
It follows that governments can and should do more, but not to the extent that individuals and companies are relieved of their own responsibilities. A surprisingly large part of this comes down to getting the basics of cybersecurity right.
Ultimately, this is about human agency. On an individual level, it is easy to feel overwhelmed and intimidated. But collectively, we are far from powerless. These attackers are bullies. And bullies come back for more, unless you stand up to them, preferably in company. If anything good comes of the recent attacks, it will be that that day is approaching.