Even so, the U.S. has edged slightly closer to a ban. In November, the White House joined other members of the International Counter Ransomware Initiative in saying that federal agencies should not pay extortion to ransomware actors. That isn’t exactly binding, however, and doesn’t extend to local or state governments, or private industry.
The idea of a ban, however, has long been debated.
The crux of the payment dispute is that extortion paid to ransomware actors can be spent on improving capabilities for future attacks. But at the same time, entities like hospitals need to get back up and running fast — which might mean paying, said Rob Knake, head of strategy at managed detection and response company ActZero and former deputy national cyber director for strategy and budget.
Previously, IST members noted in an August discussion that payment bans are also likely to encourage ransomware actors to test this and focus heavily on attacking hospitals and other entities least able to withstand prolonged disruption.
Another hurdle is that even if victims refuse to pay, criminals can still get profit by selling sensitive data, said Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future during the recent panel.
Given these challenges, the nation needs a holistic approach. Any ban must be paired with efforts to help better defend.
It's impossible to separate the ban conversation from discussing the basic cybersecurity hygiene much of the country has fallen behind on, said Sezaneh Seymour, vice president and head of regulatory risk and policy at cyber insurance and security company Coalition.
That’s still an unsolved question, but panelists offered various ideas for useful next steps.
To help defend critical infrastructure, hospitals should be allowed to file for their cybersecurity investments to be reimbursed, just like they can get health-care treatment reimbursements under Medicare and Medicaid, Knake said.
Of course, cutting off cyber extortionists’ profits means stopping payments from all entities, across sectors. But getting most private companies to boost cybersecurity is a challenge the government has limited tools to address, panelists said.
Knake saw the federal government as able to wield two tools: refusing to hire vendors unless they promise not to pay ransomware, and imposing similar conditions on grant program recipients.
Plus, making companies face public hearings or provide regulators with detailed reports about deciding to pay could shame them into being less likely to do it, said Bill Siegel, CEO and co-founder of cyber extortion incident response company Coveware. And holding companies liable in court for cyber negligence could further spur change.
“Right now, the impact of the liability side is not so material to companies even when they have big-time breaches,” Siegel said. “But if that got opened up, and the courts are all of a sudden making very, very substantial rulings against companies that have these material breaches, well that could move the needle.”
Such an approach might see a jury assess whether the victimized company had taken reasonable cyber precautions.
Even so, victimized companies might decide to break bans and pay extortion if they fear they’ll otherwise go bankrupt from a ransomware disruption, Siegel said. Companies might also secretly seek help from sketchy vendors that claim they can decrypt ransomware, which would effectively direct funds to different illicit actors.
Knake suggested that any potential payment ban could be paired with penalties for violating it, ramping up over several years, to encourage companies to steadily improve their cybersecurity. Another move could be classifying any actors who cyber attack a hospital as terrorists, deterring the criminals themselves.
At the end of the day, limited reporting means the U.S. is still trying to estimate the scope of its ransomware problem, which makes it difficult to determine the right policy responses, said IST Chief Strategy Officer Megan Stifel. More reporting requirements are on the horizon, however. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 still needs to come into effect, and the Notice of Proposed Rulemaking on it must be published no later than March, per the Cybersecurity and Infrastructure Security Agency.
“Putting a payment ban in place now, without having the benefit of the information that comes from that reporting seems … to be too much too soon,” Stifel said.
