Are Ransom Payments Supporting Terrorists?

Organizations, particularly those that recognize that they don’t have essential security and data recovery measures in place, have taken out cyber insurance, which they are regularly using to pay off ransomware attackers. I find it curious that these insurance companies seem to be willing to pay out these claims so readily, as there are clear indications that other insurance companies are fighting cyber claims where the attackers appear to be nation states, as described in my May 6, 2019 BlogInfoSec column, “Cyberwarfare—Yes? Cyber Insurance—No!” It will be interesting to see how these new ransomware claims are handled longer-term and whether insurance companies will backtrack based on evidence that attacks were in support of terrorist groups or acts of war. If they do, then the whole game will change.

There is an outstanding article, dated August 27, 2019, by Renee Dudley for Pro Publica with the title “The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks,” available at Dudley’s article provides an excellent chronology of ransomware attacks and whether organizations paid up or tried to recover on their own. There is also a suggestion in the article that some ransom monies are being used to finance terrorists! If I read that correctly, then these municipalities and insurance companies, which decide that paying up is their most cost-effective approach, are in fact funding terrorism. Is that legal?

However, business and government organizations are in a quandary. Insurance companies are incented to pay the ransoms since the cost to them of recovery from a ransomware attack can be orders of magnitude greater than the ransoms themselves. On page 127 of the book “The Fifth Domain” by Richard A. Clarke and Robert K. Knake, the authors take both sides. At the top of the page, they “often tell [their clients] to pay up,” whereas towards the bottom of the page, they “think that it is time to remove the incentive for cyber criminals to use ransomware by having a government law or regulation that bans paying the ransom or institutes a fine in addition to whatever ransom is paid.” So, which is it? You can’t have it both ways. Well, OK, I understand that, during any such transitional period, there is little incentive for those who have been attacked not to have their insurance companies pay, and that, based on typical experience with government, passing the requisite laws and regulations can take what seems like forever. But we did it for Y2K, when senior executives and Boards were held criminally liable if they didn’t remediate their systems. Why can’t we likewise accelerate the process of holding organizations’ senior executives and Boards to account for creating the resiliency needed to combat ransomware and other present and future malware? Perhaps having backups in the Cloud is part of the answer, except that Cloud services also get attacked, as in the recent Capital One case.

Another point to consider … If you pay the ransom, that money is going to adversaries, who may well be located within a hostile nation. If you don’t pay, then the money to recover will likely go to domestic companies and consultants, which generates income and helps the home economy, even though that money is likely to be considerably more than paying the ransom. So from a national perspective, too, not paying the ransom is better than paying.

What it comes down to is the “all for one and one for all” argument in my September 9, 2019 BlogInfoSec column. Clearly, paying up is cheaper for those attacked, but only encourages more attacks that, in aggregate, could cost society more than the refusal to pay and then recovering the lost files by means other than decryption. Clarke and Knake happen to give good advice on saving multiple generations of data and gold copies of application software.

If no one paid the ransom, then the incentives of attackers would go away. The problem that remains is that some unlucky bodies, such as the cities of Baltimore and Atlanta, will have already had to pay for the recovery and reconstitution of their data, systems and networks. Perhaps they are the ones who should be remunerated for their costs since the benefits of discouraging ransomware will redound to the overall economy. But it will only work if everyone supports the arrangement, and that is only likely to happen with government intervention.

Clarke and Knake specifically accused two Iranians of launching ransomware attacks against “some two hundred networks in the United States over two years” from the safety of their location in Tehran. If that is indeed the case, what we have here are possible acts of terrorism and cyberwar, and government action is needed.
