Americans queuing up to fill gas canisters as a major pipeline was taken down. An entire nation unable to carry out blood tests for health emergencies after Ireland was targeted by hackers. Barely a week goes by without crisis incidents of computer networks penetrated by criminals, and yet the world appears immobilised on tackling the problem.
Ransomware attacks are big business. They are conducted at low cost and for high reward. Companies and countries hand over tens of millions of dollars regularly for the return of their systems. The pressure is all on one side, forcing the victims to pay up.
Policy options are few. When the World Economic Forum issued a policy paper on the issue in the oil and gas industry recently, it urged operators to put cyber resilience at the heart of the business. The 10-point plan in the report was heavy on resilience in the face of the threat, demanded clarity on the firm’s risk appetite, and made clear the importance of internal reporting and accountability.
Read More from Damien McElroy
Policymakers have so far failed to provide an overarching response to stop the ransomware blitz in the first place.
Experts are examining the importance of cryptocurrencies in the transactions. Pressure for a ban or, at least, a new effort to regulate cryptocurrencies is inevitably going to grow. There is a strong logic behind this, but the signs are governments are going to try every other option before honing in on the most effective one.
The scale of digital payments to unlock frozen systems or return access to data is only growing. The US firm CNA Financial revealed last week it paid $40 million to unlock its data from a ransomware variant of Hades, the malware created by the Russian hackers Evil Corp. The clue to the predicament is so often in the name.
Colonial Pipeline confirmed it paid $4.4m to the hackers DarkSide. An analysis of the bitcoin wallet found it had been paid – presumably from all attacks – a total of $17m since March, according to the specialist experts at Elliptic.
The average payment for ransom attacks was $312,493 in 2020, an increase of 171 per cent on the previous year.
The Irish government has been adamant that it is not going to pay the $20m demand. Its healthcare services – from treatments to blood tests – have been down for a week. Patient and staff payroll data was stolen and there is an expectation this will be sold on the dark web. The plight of people unable to access care appears to have forced the hand of the hackers. A decryption key was provided and the government has stressed no payment was made for this. However, these keys are often partial solutions and not all encryption can be unwound in one go.
The insurance industry has started to sound the alarm on the trend. According to Swiss Re chief executive Christian Mumenthaler, there is a lack of appreciation that, while ransom payments can still be seen in the context of $5.5 billion premiums from cyber insurance policies, the overall fraud in the sector is hundreds of billions a year globally.
The French insurer Axa, meanwhile, was hit by a ransomware attack when it said it would no longer pay out on its policies to cover ransoms. Its Thailand and Hong Kong offices were targeted.
What is puzzling is that governments have a well-developed set of policies on piracy, kidnapping and ransom but so far not cyber.
The US State Department has estimated that, while many kidnappings in places such as the Sahel are reported as political, up to 80 per cent are carried out by criminals seeking a financial gain. The US Treasury has imposed sanctions on hackers. For example, 17 individuals and six entities linked to Evil Corp were targeted with penalties in December 2019.
However, there is little consistency in the system. CNA Financial is reported to have shared intelligence about the hack, including the demands and the hackers’ identity, with Treasury and FBI agents.
Cyber-currencies make ransoms too easy to store and hold
On the other hand, Colonial Pipeline appears to have frozen out the authorities as it moved to restore its control over its system. There are arguments for victims to face a legal obligation to notify and declare all ransom payments so that the issue no longer resides in the shadows. Counter-arguments have been made that this further penalises the victim.
The dark world of ransom payments could also be targeted through mainstream banks and the international financial system. An extension of the “know your customer” requirement on financial institutions has been effective in reducing payments and donations to terror groups.
Dominic Raab, the British Foreign Secretary, used a keynote speech recently to position capabilities to fight cyber attacks – he put the number of compromised organisations in the US at 30,000 and in the UK at 3,000 – as a key strategic asset in the international system. Fighting the “war of attrition”, he warned, is going to take offensive state-level cyber capabilities.
Ultimately, the phenomenon of cyber-currencies cannot be ignored. These make ransoms too easy to store and hold.
There are parallels with the famed system of numbered bank accounts in Switzerland. Eventually, governments got together and decided that bank accounts must bear names, addresses and be subjected to checks. This is another area where the crypto boom needs reining in.
Damien McElroy is the London bureau chief at The National