It is difficult to ignore how the internet has made it possible to cause harm in a digital environment (McGovern, 2018). Under Western interpretations of jurisprudence and social contract theory, individuals gain safety from legal protections that would not exist without government regulation, surveillance, intervention, and punishment. In the United States of America, the Constitution and the Bill of Rights have served reasonably well as the ethical architecture and scaffolding of the physical world since their ratification in 1788 and 1791 respectively. However, change is unrelenting, and technologies have since emerged that call into question how legal standards such as the First Amendment and the right to privacy ought to apply in the modern world. Today, societies must equip themselves with new laws and regulations that anticipate cyber threats in advance and proactively defend against criminal behavior in a challenging and constantly evolving online environment.
In this term paper, I outline the steps I would take to tackle the cybersecurity issue of ransomware as a newly appointed member of Congress representing my home state of Maryland. In the first section, I assess the current threat landscape and define the scope of the issue by illustrating the large attack surface that schools, hospitals, and local government IT systems collectively represent because they lack basic security hardening controls. In the second section, I explain the need for new legislation that more directly instructs businesses on how to prepare adequate cyber defenses in advance. Further, I specify that any state agency, unit of local government, or public authority ought to be prohibited from paying a ransom, on the strength of documented case law showing that criminals have withheld working decryption tools even after payment in cryptocurrency. National Ink and Stitch v. State Auto Property and Casualty Insurance Company, decided in 2020, provides evidence for my claim that victims should not trust what criminals promise (National, 2020). In the final section, I discuss simple solutions that effectively mitigate the threat of ransomware, primarily by requiring businesses and government agencies to regularly back up the essential data required for skeleton operations. I conclude by proposing legislation that incentivizes more robust cyber defense programs ahead of compromise, together with legislation that mandates basic workforce training against phishing campaigns, with annual continuing education requirements, given that the landscape of cybersecurity threats will continue to evolve.
Ransomware hit an incredibly diverse array of American businesses in 2021, as demonstrated by high-profile compromises in three entirely separate economic sectors in a single calendar year: fuel pipeline operator Colonial Pipeline, meat producer JBS, and IT management software vendor Kaseya (Miller, 2021). There are many reasons for the rise of ransomware in particular as a preferred means of cyber attack. The relatively low risk of attribution in the digital space, combined with the high yield of payment through a pseudonymous and hard-to-trace mechanism such as bitcoin, gives criminals ample reason to favor it. According to a survey conducted by Osterman Research, from June 2015 to June 2016, 79 percent of business organizations in the United States suffered at least one ransomware attack and 22 percent sustained more than twenty (Richardson, 2017). The same research indicates that the top four industries attacked by ransomware were, in order, 1.) Healthcare, 2.) Financial services, 3.) Manufacturing, and 4.) Government. New and ongoing legal battles, such as the class action lawsuit brought in Barry Graham et al. v. Universal Health Services, in which the plaintiffs claim UHS failed to protect their protected health information (PHI), highlight the enduring repercussions of ransomware incidents long after the initial point of compromise (Barry, 2021). In a worrying new trend, criminals have also started to develop specialized tools, techniques, and procedures that target "high-value" organizations such as government bodies, a focused effort colloquially known as "big-game hunting."
According to Atapour et al., the number of attacks on government agencies "tripled" between 2015 and 2016 and has been growing steadily ever since (Atapour, 2019). The authors highlight the perception that local agencies typically have significant budgets available to them combined with poorly trained technical staff. Since many functions performed by government are highly critical and time-sensitive (such as 24×7 police, water, or energy requirements), this combination of exploitable features makes local governments even more attractive targets for ransomware criminals: an agency that cannot tolerate downtime is under far more pressure to pay. For this reason, it is now essential that government authorities at the federal, state, and local level use robust risk mitigation strategies that specifically integrate ransomware into their threat models, control mechanisms, and incident response policies, which I discuss in the next section of this paper.
The sensationalization of ransomware as an undefeatable attack method that can be leveraged only by extremely sophisticated attackers and requires equally complicated response tools is a myth perpetuated by mainstream media. As plainly noted by security researchers Richardson and North, "if the data is backed up, there is no need to pay a ransom to get the data back. Instead, it can be recovered from the backups" (Richardson, 2017). Demystifying information technology, and giving senior management an accurate high-level understanding of what ransomware attackers intend to achieve, is crucial to limiting the damage such attacks can cause. Furthermore, the ethical dilemma of whether or not to pay the ransom resolves strongly toward a universal prohibition on paying attackers. There are myriad reasons not to pay, but I have synthesized the ethical arguments into two main points. First, and perhaps most obviously, there is no guarantee that paying for a decryption key will actually produce a functioning key that successfully decrypts the locked files; in that case the money is wasted and contributes no organizational benefit. Second, paying the criminal validates, legitimizes, and perpetuates the illegal business of ransomware by confirming it as a source of revenue for any criminal organization that uses it as an attack method. This outcome benefits neither the victim who paid nor society as a whole, because the revenue funds further attacks on downstream targets. Therefore, an enforced prohibition against paying the ransom minimizes harm considered more broadly and ought to be the default position when developing a response plan.
Next, examination of case law reveals the exploitative nature of the criminals who produce and distribute ransomware, as indicated in National Ink and Stitch v. State Auto Property and Casualty Insurance Company. According to the evidence presented in this case, even after the plaintiff made the initial cryptocurrency payment, the attacker demanded further payment and still did not release a working decryption tool for the software and data. As the plaintiff explained in testimony, "we got the 'executable file', but now we needed to pay more bitcoin if we wanted the 'configuration file'" (National, 2020). Clearly, this case reveals that attackers will extort victims for as much money as the victims are under-informed enough to pay. To disincentivize the entire financial ecosystem from the top down, government must impose a universal prohibition against paying a ransom for any reason, cutting off this lucrative source of funds to exploitative criminal entities. The money that would otherwise go to ransom payments should instead finance the legislative solutions that more effectively mitigate the risk of ransomware, which I discuss in the final section of this paper.
Non-technical individuals with low security awareness are the employees most likely to fall victim to ransomware attacks. They are frequently targeted as the initial access point into government and business organizations because they are also the most likely to succumb to phishing, which is now easier to carry out against a remote, distributed workforce. As recommended by cybersecurity expert Ross Brewer, managing director of LogRhythm, "user awareness training is an effective means to teach people to avoid falling victim to phishing email messages that plant malware in the first place. End users need to know what to expect and what to look for in their email messages to avoid infection" (Brewer, 2016). This includes an express written policy instructing employees never to give administrative credentials to a third party. Although this recommendation seems obvious, the effectiveness of a simulated phishing campaign run in a controlled setting, with the objective of educating employees rather than punishing them, should not be underestimated as a risk mitigation strategy. Similarly obvious, but also often neglected, is the formalization of IT security processes into written organizational policy with buy-in from senior management. It is essential that organizational policies "have teeth" and set "the right tone" regarding acceptable use within the work environment in order to drive effective business processes (Green, 2022).
Finally, as mentioned previously in this paper, a robust backup and archiving schedule largely neutralizes the threat that ransomware poses to any government body (Richardson, 2017). The caveat a practitioner would add is that a backup only counts if the attacker cannot reach it and if it has actually been restored in a test: copies kept on the same network and credentials as production are encrypted along with everything else, and an untested archive is a hope rather than a control. Therefore, legislation that incentivizes IT system hardening across the board and also requires scheduled, restore-tested backup procedures that can be audited by an external organization will reduce the leverage that ransomware criminals would otherwise hold over their victims.
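The auditable check described above can be made concrete. The following is an added example written for this page, not code from the paper or any cited source; it assumes a simple manifest-based backup layout (a data directory plus a manifest.json of SHA-256 hashes) and uses constructed sample files in a temporary directory. The drill snapshots a working directory, confirms the snapshot is within schedule and intact, "encrypts" the working copy the way ransomware would, restores from the snapshot, and finally shows that a tampered or stale backup fails the audit.

```python
"""Backup restorability drill (added example, not from the paper).
Snapshot a directory with a SHA-256 manifest, check the snapshot is within
schedule and intact, prove it restores, and show tampering is detected.
All paths and file contents below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # assumed layout: <backup>/data/... plus <backup>/manifest.json


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, backup: Path) -> dict:
    """Copy src into backup/data and write a manifest of per-file hashes."""
    data_dir = backup / "data"
    if data_dir.exists():
        shutil.rmtree(data_dir)
    shutil.copytree(src, data_dir)
    manifest = {
        "created": time.time(),
        "files": {p.relative_to(src).as_posix(): sha256_file(p)
                  for p in sorted(src.rglob("*")) if p.is_file()},
    }
    (backup / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def verify_backup(backup: Path, max_age_hours: float = 24.0) -> dict:
    """Audit check: backup exists, is within schedule, and every file matches its hash."""
    manifest_path = backup / MANIFEST
    if not manifest_path.exists():
        return {"ok": False, "reason": "no manifest", "files": 0}
    manifest = json.loads(manifest_path.read_text())
    age_hours = (time.time() - manifest["created"]) / 3600
    if age_hours > max_age_hours:
        return {"ok": False, "reason": f"backup is {age_hours:.1f}h old",
                "files": len(manifest["files"])}
    bad = [name for name, digest in manifest["files"].items()
           if not (backup / "data" / name).is_file()
           or sha256_file(backup / "data" / name) != digest]
    return {"ok": not bad,
            "reason": "corrupt or missing: " + ", ".join(bad) if bad else "intact",
            "files": len(manifest["files"])}


def restore(backup: Path, dest: Path) -> bool:
    """Copy backup/data to dest and confirm the restored tree matches the manifest."""
    manifest = json.loads((backup / MANIFEST).read_text())
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(backup / "data", dest)
    return all(sha256_file(dest / name) == digest
               for name, digest in manifest["files"].items())


def simulate_encryption(victim: Path) -> None:
    """Stand-in for ransomware on the working copy: zero every file, add a .locked suffix."""
    for p in [q for q in victim.rglob("*") if q.is_file()]:
        p.write_bytes(b"\x00" * p.stat().st_size)
        p.rename(p.with_name(p.name + ".locked"))


def restore_test() -> dict:
    """End-to-end drill on constructed data. The backup lives in a separate
    directory the 'attacker' never touches, standing in for offline/immutable storage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        work, backup, restored = root / "work", root / "backup", root / "restored"
        (work / "billing").mkdir(parents=True)
        (work / "patients.csv").write_text("id,name\n1,Sample Patient\n")
        (work / "billing" / "ledger.txt").write_text("2021-12-01 invoice 42 paid\n")
        create_backup(work, backup)
        before = verify_backup(backup)
        simulate_encryption(work)
        after = verify_backup(backup)
        restored_ok = restore(backup, restored)
        # An attacker who does reach the backup store must not go unnoticed either.
        (backup / "data" / "patients.csv").write_text("id,name\n1,Tampered\n")
        tampered = verify_backup(backup)
        # A backup older than the required schedule fails the audit even if intact.
        manifest = json.loads((backup / MANIFEST).read_text())
        manifest["created"] -= 48 * 3600
        (backup / MANIFEST).write_text(json.dumps(manifest))
        stale = verify_backup(backup)
        return {"files": before["files"],
                "backup_intact_before": before["ok"],
                "working_copy_lost": not (work / "patients.csv").exists(),
                "backup_intact_after": after["ok"],
                "restore_verified": restored_ok,
                "tamper_detected": not tampered["ok"],
                "stale_detected": not stale["ok"] and "old" in stale["reason"]}


if __name__ == "__main__":
    print(json.dumps(restore_test(), indent=2))
```

The point of the drill is the last two checks as much as the first: an auditor reading only "backup exists" learns nothing about whether it survived the intrusion or whether it is fresh enough to restore to an acceptable point in time. In a real deployment the backup directory would sit on storage the production hosts cannot write to (offline media or an immutable object store), and the manifest hashes would be kept separately from the data so an attacker with write access to one cannot silently fix up the other.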
Although the reality of working in cybersecurity is often not as glamorous as depicted on television, many actionable steps can be taken by security professionals leading federal, state, and local government agencies to mitigate the damage of a ransomware attack. Two of the most effective security controls specifically addressing ransomware have been discussed extensively in this paper. They are 1.) Establishing phishing awareness security training programs across all internal operations teams, and 2.) Ensuring the existence, isolation, and tested restorability of backups containing all essential business data required to operate at a minimum skeleton function. Legal regulations that codify these two information security controls are badly needed, and it would be my goal as a newly appointed member of Congress to establish them as fundamental requirements for every government agency. Without written policies that prohibit ransom payment in connection with cybersecurity breaches, cyber criminal behavior will only continue to proliferate online.
References
Atapour-Abarghouei, A., Bonner, S., & McGough, A. S. (2019, November). Volenti non fit injuria: Ransomware and its victims. NASA/ADS. Retrieved from https://ui.adsabs.harvard.edu/abs/2019arXiv191108364A/abstract.
Barry K. Graham, et al. v. Universal Health Service, Inc., Civil Action No. 20-5375. (May 17, 2021). Retrieved from https://scholar.google.com/scholar_case?case=5633761338621740526.
Brewer, R. (2016, September 28). Ransomware attacks: Detection, prevention and cure. Network Security. Retrieved December 12, 2021, from https://www.sciencedirect.com/science/article/pii/S1353485816300861.
McGovern, B. (2018, November 17). Michelle Carter found guilty in landmark texting suicide case. Boston Herald. Retrieved December 12, 2021, from https://www.bostonherald.com/2017/06/16/michelle-carter-found-guilty-in-landmark-texting-suicide-case/.
Miller, M. (2021, December 10). Officials press for actionable recommendations from New Cyber Advisory Committee. The Hill. Retrieved from https://thehill.com/policy/cybersecurity/585387-officials-press-for-actionable-recommendations-from-new-cyber-advisory.
Mohurle, S., & Patil, M. (2017). A brief study of Wannacry Threat: Ransomware Attack 2017. International Journal of Advanced Research in Computer Science. Retrieved from https://sbgsmedia.in/2018/05/10/2261f190e292ad93d6887198d7050dec.pdf.
National Ink and Stitch, LLC, Plaintiff, v. State Auto Property and Casualty Insurance Company, Defendant, Civil Case No. SAG-18-2138. (January 23, 2020). Retrieved from https://scholar.google.com/scholar_case?case=8430864325697222171.
Rashid, F. (2016, March 14). 4 reasons not to pay up in a ransomware attack. CSO Online. Retrieved from https://www.csoonline.com/article/3043936/4-reasons-not-to-pay-up-in-a-ransomware-attack.html.
Richardson, R., & North, M. (2017, January 1). Ransomware: Evolution, mitigation and prevention. Kennesaw State University. Retrieved from https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=5312&context=facpubs.