An item in Wired recently pointed out that anybody who facilitates ransomware payments to certain U. S. Treasury-sanctioned actors may also be liable to prosecution because they have violated Office of Foreign Asset Control (OFAC) regulations, which prohibit such dealings. This puts ransomware victims in a worse bind than ever: pay up to free your kidnapped data and get fined by the Treasury, or refuse and do without your data.
Perhaps this is just a backwards way for the Treasury Department to encourage organizations that rely on IT facilities—which is nearly everybody nowadays—to be more vigilant in preventing cyberattacks. And that's not a bad thing. But if I worked for the IT services division of a large firm or government agency, I would feel somewhat put upon by the notion that rather than helping me avoid ransomware attackers, the Treasury Department was letting me know that if I get attacked, they'll be standing by to make sure any ransom I pay doesn't go to sanctioned criminals.
The utter permeability of national boundaries to the Internet-mediated WorldWideWeb has led us to ignore some long-standing expectations and categories of thought, and I think we ignore them at our peril. To see what I mean, let me take you back for a moment to Canterbury, England in the fall of 1011 A. D. A couple of years earlier, an army of Danish Vikings led by Thorkell the Tall had threatened the city, but the populace raised and paid a 3,000-pound silver ransom, and Thorkell turned instead to points south, leaving Canterbury alone for the time being.
But in 1011, Thorkell attacked Canterbury again, and the Anglo-Saxons decided to fight this time. After a three-week battle, the Vikings broke through the city's defenses and captured the Archbishop of Canterbury, who was named Aelfheah, and a number of other high officials. After burning down Canterbury Cathedral, Thorkell ran off with the Archbishop and demanded another 3,000-pound ransom.
But the Archbishop himself let it be known that he didn't want to be ransomed, and didn't want his people to pay up. After seven months of holding on to Aelfheah hoping for a ransom, some of the Vikings under Thorkell lost patience (the Vikings were not known for that virtue), and began to throw cowbones at Aelfheah, finishing him off with a blow from the blunt end of an axe. Thorkell, who had tried to stop his men from killing Aelfheah, felt so bad about it that he eventually joined forces with the English king, Aethelred the Unready, and fought bravely in his behalf.
What has that got to do with ransomware? More than you might think.
For one thing, our little history lesson shows that placating kidnappers and other demanders of ransom tends to lead, not to the end of ransom demands, but to their encouragement. Thorkell may have figured, "Hey, we got 3,000 pounds of silver from Canterbury a couple of years ago, let's go try it again." So like blackmail payments and similar shady dealings, the payment of ransom for either people or data just encourages the bad actors to keep doing what they're doing, in the long run.
Secondly, the people of Canterbury didn't expect Aelfheah to fight off the Vikings all by himself. They mounted a united defense, and though they failed to stop Thorkell the second time, things could have turned out differently if the balance of power had been more in favor of the Anglo-Saxons. But they would have had to plan for such an attack and devote resources to preparing their armed forces.
Because ransomware attackers don't show up on the streets of U. S. cities armed with tanks and flamethrowers, they escape being placed in the same category as we would place the Vikings in 1011 A. D.: as invaders bent on pillage and destruction. But that's what they are.
It's true that few if any people have died as a direct result of a ransomware attack. But the net effect is the same: an invasion of a sovereign territory by (typically) foreign actors leads to money going into the pockets of the attackers.
In its limited bureaucratic way, the U. S. Treasury is alerting potential victims of ransomware attacks that paying ransom to certain sanctioned organizations can get you in trouble with the government, on top of whatever expenses and problems the attack itself causes. But it's apparently not the Treasury's job to help you defend yourself against such attacks.
At a recent social gathering, I met a youngish man who turns out to be a freelance IT security specialist who goes around trying to attack systems to discover their vulnerabilities, and then informs the client about the weak spots he's found. I didn't spend enough time talking with him to discover if one of his tricks involves threatening ransomware attacks—it would be hard to try that without actually fouling up a client's systems, which is going a little beyond the remit of a consultant. But such people are an important part of an overall cybersecurity policy that every organization of any size needs to have.
I wish there was some way the U. S. military could guard our Internet borders the way they guard our physical borders. But the way the Internet has grown makes that nearly impossible, and probably inadvisable as well. For whatever reason, IT-intensive organizations have to do the equivalent of paying for their own guards and military defenses against the attacks of cyber-Vikings, rather than relying on the government for security as we do for our physical borders.
But minds and organizations change slowly, which is why there are so many outdated operating systems out there, just begging to be hacked or attacked by ransomware. Maybe some kind of tax credit for IT security expenditures would make a difference in encouraging organizations (at least private ones) to do a better job of safeguarding their systems so well that most ransomware attacks would fail. Like anybody else, the attackers go around looking for low-hanging fruit, and I suspect that many ransomware attacks would have been foiled by more vigilant IT security on the part of the victims.
The long-term solution, if there is one, is increased vigilance and more resources devoted to IT security, plus a disinclination to pay ransomware attackers. But as long as there are people out there who would rather raid and invade for pay rather than earn a living in a more peaceful way, we will probably have to deal with ransomware attacks.
Sources: Wired's website carried an item about the U. S. Treasury's warning concerning payments to certain ransomware attackers at https://www.wired.com/story/ransomware-fine-grindr-bug-joker-malware-security-news/. The Treasury's announcement itself can be viewed at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf. And I got the story about Thorkell the Tall and Aelfheah from the Wikipedia article "Siege of Canterbury."
No comments:
Post a Comment