Why Ransomware Attacks Are Here to Stay — and What to Do about It

Considering three ways that the U.S. government can address ransomware and cybercrime.

Following a wave of enforcement actions against ransomware actors over the last week, U.S.-led efforts to disrupt global cybercrime at last appear to be bearing fruit. Policy-makers, however, would be unwise to lose focus on the present problem: Ransomware is driving the economics of cybercrime in a dangerous direction — and absent sustained policy attention, it will remain a problem for years to come.

Ransomware is changing cybercrime in two ways.

First, the technology of ransomware has expanded the universe of cybercrime in general. Previously, cybercriminals tended to target data held at scale within specific industries — namely, credit-card details, tax records, gift cards, or insurance information. Though the savviest criminals always stayed a step ahead, the constraints of monetization in the pre-ransomware age placed certain limits on the scope of cybercrime.

Today, however, most organizations present a viable target for cybercrime. The only requirement beyond a decent budget and a vulnerable IT network is that an organization rely on digital data, which most do. That is one reason why cybercrime has reached once unfamiliar victims, such as hospitals and school systems. But it is not the only one.

The second is that the economics of digital extortion incentivize cybercriminals to target assets that serve critical functions, and to do so when they are at their most vulnerable — say, at the beginning of the school year, amid a pandemic, or before a holiday weekend. The reason is simple: To maximize profits, ransomware actors must maximize leverage.

As soon as we understand these changes, we can begin to appreciate the insufficiency of solutions that look narrowly at the actors and abettors behind the current ransomware wave. Governments, then, ought to consider more-durable solutions to the ransomware problem.

Let’s consider three places where they can improve.

First, governments must better prioritize risk within critical infrastructure verticals, recognizing that ransomware has introduced a high-volume, low-risk threat into a policy environment dominated by low-volume, high-risk thinking. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has already begun such an effort.

Aspects of CISA’s work on this front remain classified because of concerns about how adversaries might exploit the information to America’s detriment. Fair enough. Yet, the Biden administration should be more circumspect about using the critical-infrastructure label to draw red lines in public. Many entities within the country’s 16 critical-infrastructure verticals do not serve critical functions for local economies, let alone the national economy. The wide application of an increasingly plastic term sets unrealistic expectations among the public and inhibits strict regulation where it is truly needed.

Second, to increase resilience to ransomware attacks, the government should develop standards and obligations for the implementation of operational response plans. These plans would complement CISA’s existing technical guidance for the mitigation of ransomware attacks. They would require entities to plan or rehearse service delivery in the event of ransomware deployment or other forms of data loss.

Given the diverse range of entities that constitute critical infrastructure, the devil will be in the details. Yet, recognition presents a good starting point for planning: Ransomware attacks, or other forms of temporary data loss, are likely over the long term. Critical-infrastructure entities should have a contingency plan on hand when that day comes.

Third, the government should enhance international cooperation on cybercrime, provide capacity-building support to law-enforcement agencies in foreign countries, and leverage these relationships to apply steady pressure on local cybercrime actors.

In pursuing these objectives, the government should set ambitious targets and track progress in public, lest valid goals devolve into hollow promises. Yet, it should also approach these relationships as a long-term investment. Bringing cybercrime issues to the top of the U.S. diplomatic agenda will pay dividends over the long run, even if the ransomware landscape shifts significantly. In the future, these relationships could help the U.S. government track or disrupt digital threats we do not yet recognize.

Missing from this list are two critical policy innovations, which were not dealt with here because they are already under way to great public effect: that the federal government treat ransomware actors as a national-security threat and strengthen the regulation of global cryptocurrency exchanges. Over time, both can disrupt the money flows that grease the wheels of ransomware attacks.

Ultimately, the ransomware problem cannot be solved with the flick of a policy wand. Ransomware is too lucrative, the barriers to entry are too low, and the government’s authority is too limited. But through regulation, mitigation, and enforcement, the government can gradually depress the market that drives demand for ransomware attacks.

That market has flourished in a seedbed of inattention and pandemic-induced digital transformation. Deprive it of some nutrients, and it might be eclipsed by less toxic alternatives. The U.S. government should work steadily to ensure that it does.

John Sakellariadis is a 2021–2022 Fulbright U.S. student-research grantee. His research currently focuses on ransomware and critical-infrastructure protection.