Handcuffs lying on computer keyboard plus dark shadow of a hand showing ransomware attack

Ransomware Is Too Easy for Criminals; Let’s Make It Harder

Russian hackers chose July 4th, America’s Independence Day, to launch the largest ransomware attack on record. Although their target was a US software company, the effect of the breach was global, compromising about 1,500 companies in 17 countries.

The scope of the attack shows just how connected the digital world really is – and how little companies understand the risks to which service providers can expose them.

Ransomware is driven by an economic logic that motivates both victim and perpetrator. For some companies, paying a ransom makes sense: If you have a $10 million business and hackers want $500,000, you may decide to pay up, recover your data, and get back to work, rather than facing the possibility of losing everything and starting over – or shutting down completely.

Payment can also make sense if an attack targets critical infrastructure. The head of Colonial Pipeline chose to pay hackers $5 million because the privately owned company provides 45% of the fuel consumed on the East Coast of the United States, and no one knew how long it might take to get the pipeline up and running again.

Attackers, too, are guided by economic logic. Their goal is to make money, not cause chaos or prove a political point. They must keep their promise to return all frozen assets, lest future victims conclude that capitulation is pointless.

Some have proposed that governments should outlaw ransomware payments. Others say doing that would just encourage hackers to focus on the organizations least able to cope with downtime: hospitals, schools, and providers of electricity, water, and other vital public services.

How to undermine the economic motives that help ransomware attacks succeed, without compounding the harm suffered by the victims?

First, even in the litigious United States, there are few clear legal liabilities associated with making insecure software. That needs to change. CEOs and boards that run their business without adequate protection should be held accountable.

As companies collect larger volumes of data, their investment in cyber security must grow proportionately. That may seem obvious, but executives forced to choose between spending 5% of a company’s annual revenue on cyber defense, versus investing it in marketing, might deem security to be the lower priority.

Second, governments and the private sector must do a better job sharing information about cyber threats and vulnerabilities. This will help ensure that hackers cannot repeatedly use the same ransomware attacks against different governments. Ransomware is a global problem, and only a global solution will help stop it. National solutions will just shift the problem to the most vulnerable countries, enterprises and individuals.

Third, we need clear, shared cyber security standards. These standards must apply globally, or data will just wind up being stored in countries where security measures are lax and costs are low.

Standards can be established with legislation. The European Union took this approach in 2018 with the General Data Protection Regulation. GDPR has been adopted by several non-EU countries and numerous companies and effectively has become the first global data protection law. Companies that fail to protect the data of EU citizens face fines of up to 20 million Euros or 4% of corporate group revenue, whichever is greater.

That creates a strong incentive for companies to safeguard customers’ privacy; something similar is needed for cyber security. Starting last year, European companies began to comply with a newly strengthened version of the EU’s first cyber security law, and that’s a step in the right direction.

But given the stakes, companies should voluntarily begin meeting globally recognized security standards. Several good ones already exist: the ISO 27000 standards on information security management; NESAS, an assessment mechanism defined by the telecom industry’s leading standard-setting organizations; and the Cybersecurity Framework developed by NIST, part of the U.S. Department of Commerce.

Holding companies legally accountable, sharing information, and creating shared security standards won’t completely eradicate ransomware attacks. But they will make it considerably harder to carry out those attacks successfully.

Companies are exposed to far more risk than they realize. Understanding that exposure more clearly will shift the economic calculations made by CEOs and boards when weighing the costs and benefits of taking steps to strengthen security. That shift will help prevent, or at least mitigate the effects of, future ransomware attacks.