Should Paying Ransoms to Attackers Be Banned?
Big Payments to Ransomware Gangs by CNA, Colonial Pipeline Stir Debate
Insurance company CNA's apparent decision to pay attackers a $40 million ransom and Colonial Pipeline Co.'s payment of a $4.4 million ransom are stirring debate over whether such payments should be banned under federal law.
Bloomberg News reported Thursday that Chicago-based CNA had paid the hefty ransom (see: Insurer CNA Disconnects Systems After 'Cybersecurity Attack'). Meanwhile, Colonial Pipeline CEO Joseph Blount confirmed Wednesday that the company had paid a ransom on May 7 after discovering an attack using DarkSide ransomware that led the company to temporarily shut down its fuel pipeline serving the East Coast.
CNA reported being victimized by a "cybersecurity attack" on March 23 that caused a network disruption and affected certain systems, including corporate email. The attack led the company to disconnect its systems, including taking down its website. CNA later confirmed it had been victimized by ransomware.
But CNA has not confirmed it paid a ransom. The company did not immediately reply to a request for comment on the Bloomberg report.
Those supporting a federal law banning ransom payments argue that once criminal groups know it's unlikely their ransom demands will be met, they will wind down their ransomware attacks.
But opponents of such a ban argue that it would be "regulatory overreach" and increase risks, because for some ransomware victims, the payments may represent the only practical way to regain access to data, resume operations and avoid the publishing of stolen data.
And some argue that requiring those making ransom payments to report those payments to regulators would be preferable to an outright ban.
Support for Banning Payments
"As the scourge of ransomware continues to grow, all options must be on the table, including prohibiting ransom payments," says Rep. Jim Langevin, D-R.I. "At the end of the day, we need to make sure that crime doesn't pay. We can do that by improving our cyber defenses and by actually going after the cybercriminals, as well as by making it harder for them to cash out."
But no member of Congress has yet introduced a bill calling for a ban on ransom payments.
Mike Hamilton, former CISO for the city of Seattle and co-founder of CI Security, adds: "If there was an outright prohibition on paying ransom, backed up by [Department of Homeland Security] Secretary [Alejandro] Mayorkas' 'response and recovery fund,' we would break the business model of ransomware operators."
The Cybersecurity and Infrastructure Security Agency has proposed creating a $20 million Cyber Response and Recovery Fund, which would enable the agency to provide more incident response services to organizations outside the government.
Etay Maor, an adjunct professor at Boston College and senior director of cybersecurity strategy at Cato Networks, believes there is almost always an alternative to paying a ransom, such as relying on backups. Plus, he points out that paying the ransom does not guarantee a satisfactory outcome. For example, Colonial Pipeline discovered the decryptor provided by attackers did not work properly.
"When you pay a ransom, you not only encourage the ransomware economy, you can also get infected again if the attackers are still on the network with a different ransomware," Maor says.
The Arguments Against a Ban
But some opponents of a ransom payment ban argue that it's unrealistic.
Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security, says that it's difficult to criticize businesses for paying ransoms because they have to consider many factors, including the survival of the firm and the safety of employees.
"There are reasonable public policy reasons to consider banning payment of ransom," says Reitinger, who is now president and CEO of the Global Cyber Alliance. "However, if the government wants to do that, it needs to make the rule explicit and own the consequences."
He adds, however, that "government also needs to consider whether a single nation banning ransom payments is likely to be effective on the global internet. My view at present is that any steps in this regard should be based on reporting payments rather than banning them. Government may be slowly coming to this conclusion, based on the recent comments from the National Security Council."
Similarly, Tim Wade, former security and technical manager for the U.S. Air Force, contends that legislation banning ransom payments would be counterproductive.
"A federal law to ban ransomware payments reminds me of the calls to weaken encryption standards, another example of regulatory overreach that would ultimately act to weaken the safety of individuals and private parties," says Wade, who is now technical director of the CTO team at the security firm Vectra AI.
Wade says banning ransom payments would hinder a company's ability to stop an attacker from leaking stolen data that might contain personally identifiable information on its customers or clients.
The FBI has long recommended that organizations not pay ransoms to cyberattackers, noting there is no guarantee the attacker will supply a functional decryption key - as Colonial Pipeline discovered - or refrain from releasing stolen data. Plus, the bureau says payments encourage further attacks.
"It is not illegal at this point for a U.S. company … to pay a ransom, though more than a half-dozen states now do have anti-cyber extortion laws on the books," says Scott Shackelford, chair of Indiana University's Cybersecurity Program. "There's a good argument for why this needs to change at the federal level since it obviously incentivizes attackers to keep launching ransomware at vulnerable firms, and various levels of government."
The state anti-extortion laws in California, Michigan, Connecticut, Texas and Wyoming make it illegal to conduct ransomware attacks, but they do not ban making a ransom payment.
If a ransomware attacker has any connection with nations on the U.S. Treasury Department's Office of Foreign Assets Control sanctions list, paying that attacker a ransom is illegal under the Trading with the Enemy Act, as an OFAC advisory issued in October 2020 highlighted.