The writer is a former head of MI6, Britain’s Secret Intelligence Service, and a founding partner of Vega Cyber Associates
It is easy to feel powerless in the face of an amorphous and seemingly random threat like ransomware. But, like all cybersecurity issues, it’s not so much a technology problem as a human problem. And that is something humans can solve.
The current ransomware attacks on the Colonial pipeline in the United States and the Irish health system should be a wake-up call. Things are bad and will get very bad because the incentives to mount such attacks are strong and growing.
There is no silver bullet that will make this problem disappear. But there are things that states, organizations, and individuals can do that, together, could convince ransomware actors to use their undoubted skills elsewhere.
First, we must recognize that this is not only a criminal problem, but also a national security and geopolitical one. The people behind these cyber attacks need places to live and to enjoy their ill-gotten gains. It will not have escaped the notice of many people that most ransomware operators have a “no food in Russia” policy. The reality is that many are in Russia, and as long as they do not intrude on Russian interests, they will be left alone. President Vladimir Putin has made it clear that he does not believe he owns the problem.
There are old links between the hacking community and the Russian security services. And even if it is not true to say that the State is behind these attacks, it is clear that the perpetrators could not function as they do if the FSB domestic security service were deployed against them.
U.S. President Joe Biden has said the issue is high on the agenda for his meeting with Putin next week. That’s where it should be. And he will have to use the whole range of geopolitical carrots and sticks to get the ultimate exponent of realpolitik to take the problem seriously.
I was heartened by the success of the FBI in gaining access to the bitcoin wallet used by the Colonial hackers and taking back a large portion of the ransom. The threat from ransomware is now such that the application of high-end national capabilities is entirely appropriate.
Incentives for such criminal activity should be addressed, too. As head of the Secret Intelligence Service, I have seen first-hand the effects of the policy of not paying terrorist ransoms adopted by the United Kingdom and our allies in the Five Eyes intelligence-sharing group. Such a policy is often painful to implement, but it is the right thing to do. The alternative is to fund the very activity you are trying to prevent.
There is a case for bringing such an approach to ransomware. Opponents question whether prohibiting payment in a life-threatening situation can ever be justified on moral grounds. They have a point. But a partial ban, which allowed payment in “emergency” circumstances, would simply encourage attackers to create a similar situation. And that would be the worst of all worlds.
If one accepts that this is a national security issue, then it becomes difficult to defend the suggestion that governments should leave these decisions solely to private citizens. As a first step, I think it should be mandatory to disclose payments publicly and in detail. Attackers are trying to present the payment as the easy option. We’re going to change that.
We also need to look out for insurance and moral hazard risks. Often attackers have access to insurance policies in advance and know exactly how much they can get away with. However, insurers now expect to see evidence of good-quality cyber security before underwriting activities.
Then there is the issue of cryptocurrency. It is arguable that the problem would not exist without cryptocurrency, which allows ransom payments to be made in a way that preserves the anonymity of the recipients. This is not to argue for a ban on such currencies, which are obviously here to stay. But it is to encourage the development of robust know-your-customer and anti-money-laundering laws appropriate for the digital age.
Cryptocurrencies are not untraceable: they are recorded on the blockchain and are sometimes more easily traced than cash. The difficulty that law enforcement agencies face is in discovering the true identity, or at least the true intent, of the recipient or originator. The good news is that modern data and analytics can come together in a way that allows good transactions to be distinguished from bad ones.
And then, an irony. Often, the software used by attackers is based on code written with the best of intentions by penetration testers who help organizations probe their systems for vulnerabilities. While there are significant practical hurdles, we need to leverage our experience in counterproliferation licensing techniques and identify ways in which we can limit the use of such code to its intended purpose.
It follows that governments can and should do more, but not to the point of absolving individuals and businesses of their responsibilities. A surprisingly large amount of this comes down to the basics of cyber security.
Finally, it is about human agency. Individually, we are easy to pick off and intimidate. But collectively, we are far from powerless. These attackers are bullies. And the bullies come back for more, unless you intimidate them, preferably in company. If anything good comes out of the recent attacks, it will be that the day when that happens is approaching.