The scourge of ransomware is the inevitable result of decades of schizophrenia about our relationship with information technology and security. Treating this problem in the same fashion as we have those that came before it will only prolong our suffering. Clarity, creativity, and will are required if we are to have any hope of a future where ransomware is an annoyance and not a plague.
Ransomware is not new, and neither is using alternative payment systems to fund criminal activity. Cryptocurrency has certainly made ransomware much more prolific, and thanks to persistent access to computing technology and ubiquitous connectivity, its impact has been much more significant than in the past.
Recently a task force was formed to help come up with ideas on how to address the ransomware problem. The release of their findings coincided with a ransomware infection that caught the attention of – if not all – certainly half of the country. You could almost be forgiven for thinking that collectively we – government, industry, and citizens – are finally ready to mobilize against a cybersecurity problem.
Don’t hold your breath.
Über Alles
The problem with getting too worked up about proposed solutions to security problems, especially ransomware, is that they inevitably default to “things we know how to do” not necessarily things that might work. Most efforts ignore some important issues that neither security nerds nor policy wonks seem to want to factor into their calculus.
We place a much higher value on functionality than we do security. When the average Jane started getting online without services like AOL or CompuServe, all that (Web) activity was unencrypted. It was not long (1995) before SSL came along, yet it took until 2021 for ‘a majority’ of traffic was encrypted. That is not just a long time in ‘Internet time’ it is a long time, period. Meanwhile, outside of the security realm, in that same timeframe we went from CGI and Perl scripts to ASP, SOAP, Rest, etc.
Cash rules everything around us. The ransomware infection on the Colonial Pipeline company is on everyone’s mind, but Colonial Pipeline’s pipeline system was not hacked; the system that allowed them to bill customers did. Most hacks of economic note can trace their origins to the attitude that ransoms and DFIR expenses are a cost of doing business, and not necessarily something to be avoided at all costs.
We would rather talk about “security” even if security is not the best approach to the problem. A $162B dollar industry will not be ignored. Ask 100 different security product or service vendors what the best defense against ransomware will be and none of them will bring up a sound, validated, and secure backup scheme (and related recovery procedures). Why? Because that is a system administrator’s job. Security companies would literally rather blow an advantage over the adversary to make a buck. We would rather whinge on about the “talent shortage” than admit that one of the world’s biggest security problems can be effectively addressed by the “mere” IT guy.[1]
We avoid conflicts at all costs. Public private partnerships, information sharing schemes; with very few exceptions everything you might consider doing in the name of cybersecurity is entirely voluntary. Organizations like NIST establish standards, but unless you work for the government you are not obliged to follow them (and even then…). Any mention of requiring commercial concerns to adhere to standards, policy, or practices brings out the lobbyists and arguments about how industry can regulate itself, which I am sure makes for a very compelling tale if you are running for re-election.
We cannot think clearly about the problem. Ransomware is a criminal activity. Full stop. It is not “cyberwar” and it is not “terrorism.” As a tactic it could be used in support of both war and terror, but getting paid has nothing to do with the violent promotion of political ideology.[2] Such talk really only serves as a defense for the use of currently foreign-facing intelligence capabilities against domestic targets. This is a scenario only a totalitarian could love, because once the government starts doing something, it never stops. The Internet would become a panopticon that you are forced to pay for (at least the apps that spy on you now are “free”).
We argue morality when we should be practicing humanity. Without a doubt paying a ransom rewards criminals and supports further criminal (and likely worse) activity. But understand what people are saying when they say, “don’t pay the ransom.” What they’re saying is that denying a criminal – who will almost certainly never see the inside of a prison cell much less a courtroom – a payday is more important that the businesses that will go under, the jobs that will be lost, and the families that will be impacted because they cannot recover. If you are of a certain age this sort of thinking will seem familiar. A solution build on a graveyard of bankruptcies and broken lives is not a solution to be proud of.
Accept the Things We Cannot Change…
Now that we have recognized the reality of our situation, it is time to think about how to move the ball forward in a fashion that fits within that reality. I am under no illusion that they are perfect solutions, or even very palatable ones (they are certainly not comprehensive), but they are also not dependent upon the world becoming a spherical cow of uniform size and density.
Leverage market forces; explain risk and affirmative risk acceptance. The desire for more functionality will always win out over security. So make it clear to users exactly what the risks are with regards to a given product or service. Not legal-ese in 4-point type on a click-through no one reads; up-front and in plain English. Zero-trust? Right now most people are dealing with zero-knowledge. With time the right balance of functionality and security will out, as people decide what level of risk they are comfortable with online, just everything else in their life.[3]
Make a market when there is none (or it is weak). Banks take security seriously because they would not be banks very long if they could not ensure an acceptable level of security for the float in the cell in the database in the data center that represents our life savings. Every patient trusts that their doctor is not going to tell the world about their issues, but what their doctor’s computer has to say is another story. The market to support security in banks is massive; the market to support security in small medical practices is almost non-existent. Is that a cybersecurity-ACA for underserved markets? Maybe.
Enough Security, More Resilience. As long as there are jobs that require opening email and clicking on attachments, no amount of yelling about the evil that lurks in email (how most ransomware happens) is going to change things. You can try to avoid taking punches, which means you will only lose tired, or you can build up the ability to take punches, which extends how long you can fight.[4]
Hate the players not the technology. No one calls for the abolishment of fiat currency because it is the spendable medium of choice for criminals. No one calls for the shuttering of financial institutions – who are supposedly professionals who know better – when they get caught doing shady deals and dealing with shady characters. Cryptocurrency is not the villain here. We should demand and enforce better behavior (know your customer, etc.), we should not be attacking technology.[5]
Think Safety, Not Security. Security regulations are all about what you cannot do, and enforcement of such rules brings out the baton-wielding pseudo-cop in every security practitioner. Safety regulations are often about what you cannot do as well, but they’re also about how you can do things in a fashion that won’t result with your workforce missing limbs or otherwise hospitalized. It turns out we know how to reduce risk “without adverse effects to employment, sales, credit ratings, or firm survival” we just don’t apply that model to cyberspace.
The Future We Want
For five days in December of 1952 the city of London was hit by “the big smog.” Officials estimate that as many as 10,000 people died and 100,000 were made ill as a direct result of this confluence of weather and coal smoke. The Clean Air Act of 1956 was the result.
In 1962 the Cuyahoga River in Cleveland Ohio caught fire, one of the last of a series of environmental disasters that led to the creation of the Environmental Protection Agency.
In 2010 the Deepwater Horizon oil spill was the largest environmental disaster in U.S. history and “the biggest public health crisis from a chemical poisoning in the history of the country.” It resulted in the passage of the RESTORE Act, funded by $20B in fines paid by BP.
We have an opportunity to do decisive and meaningful things that reduce the risks associated with our increasing dependence upon information technology before we the world burns and people die. This, of course, requires a level of will at individual, corporate, and governmental levels that heretofore has been absent when it comes to cybersecurity issues. We can improve the likelihood that our collective intestinal fortitude will rise to the occasion by addressing these issues in ways that are likely to work because they are rooted in reality, even if they seem conciliatory, or the approach is unfamiliar to us. To create a future where ransomware doesn’t exist, or is merely an annoyance, the usual way and pace of doing business will not suffice.
[1] In the interest of full disclosure, the author was formerly merely an IT guy.
[2] We want it to be more than just crime because we paid all this money for things like Cyber Command and CISA and feel like we need to get our money’s worth in a publicly attributable fashion.
[3] Ready, willing, and able to accept that we’ve already achieved that state, we just haven’t made it official yet.
[4] Again, unsexy IT stuff, not fancy blinky box security stuff for which you can charge a premium.
[5] What is the difference between malware and an app? Intent.
