Ransomware — time for the government to act

There’s a new crime wave in America. Millions, if not billions, of dollars are being stolen every year. But the victims are largely silent, the police are helpless, the laws are inadequate and the criminal organizations are tolerated (if not encouraged) by nations such as Russia, North Korea and Iran.

Action needs to be taken.

In one case from late September last year, 60,000 people in Wyoming, one-tenth of the state’s population, were suddenly told that local emergency rooms could no longer accept them; they had to travel to hospitals 150 miles away. The computer systems of the Campbell County Hospital were hacked — and unless the hospital paid a ransom, the systems would remain shut down. 

Cyber criminals attack computer systems of U.S. state and local governments, hospitals, school systems, law enforcement and businesses, infecting them with malicious software that effectively turns their computer systems into bricks unless and until a ransom is paid. This malicious software, appropriately referred to as “ransomware,” is now one of the biggest cybersecurity risks to our nation’s networks. The problem is global in scale with Russia-centered groups playing a dominant role in carrying out the attacks.

Our collective inaction leaves victim companies and individuals at the mercy of global crooks. Left with no recourse, these victims increasingly opt to pay the criminals’ ransom, which only emboldens cyber criminals to increase their ransom demands while incentivizing and funding new attacks.

Submitting to extortion is abhorrent, but most ransomware victims face a difficult choice: Should they pay the ransom and have a chance of recovering their data and use of their computers quickly or should they refuse, lose their data and be forced to spend enormous effort rebuilding their systems?

Rebuilding systems can take months and cost millions of dollars — as the city of Baltimore learned after an attack in May 2019. Refusing to pay the ransom, the city of Baltimore is now spending $18 million to repair the city’s computer system and officials were without use of their system for more than a month.

The problem is so large that many insurers now cover ransom payments. Rather than contact the police, city officials in Riviera Beach, Florida quietly authorized its insurance carrier to pay almost $600,000 to the hackers in the hope of regaining access to government data needed to run their systems. To minimize their ultimate payout obligations, some insurers encourage policyholders to pay the ransom. An entire industry has sprouted up of companies that will facilitate the ransom payments to the extortionists which are typically made using Bitcoins or other cryptocurrencies because they are untraceable.

So what can be done to stop this crime wave?

First, we need to create incentives for private sector organizations to report ransomware attacks immediately and create ransomware payment disincentives by, for example, giving them greater access to government restoration and mitigation services while requiring reporting for ransomware incidents. Organizations should invest in business continuity plans so that if they are hit with ransomware, they have means to recover their data other than paying the criminals.

Second, our government entities should have a “no ransom” policy. The only way to stop the cycle is to take the profits away. That means — at a minimum — federal, state and local governments should not pay.

Third, we should punish the nation states such as Russia that harbor cyber criminals with multilateral sanctions.

Fourth, we need to create incentives for cyber insurance companies and their third-party payment providers to report ransomware demands prior to issuing any payments. Currently, it is legal to pay ransom unless the group is a designated entity (such as a terrorist group). We should consider making the facilitation of payments to criminals legal ONLY if the incident is first reported to law enforcement.

Fifth, the Cyber “Czar” in the White House should be restored so that there is one accountable official overseeing our collective response to cyber attacks. Legislation recently approved by both Houses of Congress authorizing the creation of Department of Homeland Security cyber incident response teams to help public and private organizations battle ransomware attacks is a step in the right direction but does not go far enough to address this crisis.

Sixth, we should fund cyber 911 programs such as the ones established in Rhode Island and Michigan so it is easy for companies and consumers to report ransomware attacks.

In 2017, the FBI estimated that ransom payments had reached about $1 billion that year, and the problem has only gotten worse since then. We must take action now before many more billions are lost.

Miriam Wugmeister and John Carlin, who is the former Assistant Attorney General for National Security (2013-2016), are globally recognized Cybersecurity attorneys at Morrison & Foerster law firm. Cynthia Rich contributed.