Ownership, accountability, and by extension, liability. It's time to talk about all of these concepts when it comes to ransomware and the digital pandemic sweeping the globe. It is no longer good enough to tell US based organizations about what they should be doing. It is time to force them to do the right thing and hit them in their bank accounts if they aren't. All while not allowing them the feed the bank accounts of ransomware groups.
Call it a "hot take" if you will, but here is the simplest solution to the situation at hand: Make it illegal to pay the ransom for these attacks.
Does that feel like a punch to the gut? Good, it should. It should feel like this is taking away the "easy" out of paying the Bitcoin and getting your data back. By doing so we are taking away the one thing driving these attacks, the profit. Take away the profit and take away the incentive to put the effort in to orchestrate the attacks in the first place.
By making payments illegal, it also provides a significant incentive for organizations to invest in information security programs like they already should be doing, but clearly aren't. How long has it been since the Stuxnet work crippled Iran's nuclear material refinement capability? And yet the Colonial pipeline was still shut down because the SCADA networks were not properly isolated from their normal data networks. This should not have been able to happen. Colonial should have been able to recover their non-SCADA networks without paying the ransom they did covertly while trying to hide the payment from the public.
The message needs to be clear: invest in information security and best practices or be prepared to suffer significantly as an organization because there is no going back.
If the worst does come to pass for an organization that can show it has made the appropriate investments in information security, let's provide additional incentive. Establish a national resource with the Department of Homeland Security where they will are obligated to assist organizations that experience an attack after making strong investments in critical security practices. Show that we as a country are not going to leave those that do the right thing hanging if they need assistance.
Lastly, let's consider these attacks by nation state backed groups as the acts of cyberwar that they are. I'm not saying that the response should be to start firing missiles and dropping bombs. However, let's make it very clear that anyone who hits our critical infrastructure digitally will receive a response that will make the cost of attempting one of these attacks too high in the future. The US has offensive capabilities in the realm of cyberwarfare. Let's use that to make examples of these ransomware groups and let them know they will get a disproportionate response if they initiate action.
Let's end this ransomware pandemic together now. Waiting is not an option.