How government and industry are failing in battle against ransomware attacks

The White House recently convened a top-level summit of more than 30 nations to consider a growing cyber threat to national sovereignty and the basic functioning of government and industries — ransomware attacks.

The National Security Council hosting such a convocation on the heels of one of the worst periods of ransomware attacks underscores what many of us in law enforcement have been saying for years — that the need for sweeping action by the federal government has never been greater. 

As shocking as it may sound, government does not require critical U.S. businesses to report hacking attempts, something I and several other senior law enforcement officials have been pressing for years. Pending legislation with support from Homeland Security officials and lawmakers indicates that might soon change.

While such a mandate would allow us to get a handle on the breadth of the criminality, it’s just a start. Until there is a broad-based coordinated response and a greater sense of urgency from federal leadership and corporations, paying the ransom may be the only reasonable option, and I say this as a former FBI official tasked with combatting cybercrime.

Here’s why:

First, victims typically can’t get help from the government in a ransomware attack. That’s not because government leaders don’t want to help. Rather, it’s because government lacks the manpower and the resources to deal with the growing number of attacks.

Our understanding of the scope of the problem is incomplete because many companies don’t report when they’ve been hacked. But what we do know is troubling, with the Department of Justice reporting that U.S. companies and organizations paid some $350 million in ransom in 2020, an increase of more than 300 percent from the previous year. In just one year, from 2018 to 2019, the FBI reported a 37 percent annual increase in reported ransomware cases. 

Immediately after leaving government, I led an information security and incident response practice in the private sector where our team responded to nearly 2,000 breaches over a 2.5-year period. The targets of these attacks ran the gamut — from local governments to large companies. We found that while federal and state law enforcement have outstanding people investigating cyber intrusions, they are under-resourced and outnumbered.

Second, many ransomware attacks, especially when the target provides services central to people’s lives, must be managed immediately, a dynamic exacerbated by the lack of federal and state law enforcement workforce. In just one example during my tenure in the private sector, a large East Coast city was the victim of a ransomware attack. Within hours of discovering the incident, citizens were facing a possible disruption to police operations with emergency communications unavailable, no access to local court dockets and potential loss of key utility services. The city paid the ransom. 

Third, cyber attackers are stepping up crimes against the more vulnerable small- and medium-sized businesses that lack adequate defenses. The attackers know that these companies must weigh the ransom demand against the cost of permanent damage to reputation. Paying a ransom often is the more reasonable solution when the alternative can be an existential threat that evaporates shareholder confidence or shutters the company.

The lessons of the last several years point to a few basics. Organizations must have a team and processes in place to deter attacks and then quickly detect and respond when one occurs. A basic response package should include data forensics and incident response capabilities to identify how a perpetrator infiltrated a system and correct it fast, outside legal counsel to guide an investigation and provide legal notifications, and crisis communications to convey information to key audiences.

Cybercrime has upended the traditional default to law enforcement when a crime occurs. Until a better arsenal exists to defeat threats, until the federal government acts with force and alacrity to counteract growing criminality, companies must be prepared to go it alone — and in dire situations, even consider paying the ransom.

Robert Anderson, Jr. is CEO of Cyber Defense Labs, previously served more than 20 years in the FBI and was a leader of its Criminal, Cyber, Response and Services branch.