The White House and its international partners in the fight against ransomware are considering a potential ban on ransom payments as a means to counter financially motivated threat actors. Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, discussed this possibility during a recent presentation at the Institute for Security and Technology's Ransomware Task Force event. While a ban on ransom payments could be an effective strategy, implementing such a policy comes with its own set of complications and potential unintended consequences.
Neuberger emphasized that specific conditions would warrant a waiver to the ban, particularly in cases where critical services are at stake and proper notification and permission from the relevant government agency are obtained. The objective is to discourage ransom payments on a broader scale, as the underlying issue of ransomware cannot be resolved by individual entities making isolated decisions to pay. However, the move to involve the government more directly in ransom payment policies raises concerns about the complexities that could arise.
The U.S. government, as well as the International Counter Ransomware Initiative, is currently in the process of evaluating the feasibility of implementing a ban. This would mark a significant shift in strategy, as the Biden administration previously opted not to enforce an outright ban on ransom payments. Instead, they strongly encouraged organizations not to pay. The potential ban, if enacted, could have far-reaching implications.
Nevertheless, there are experts who argue against the effectiveness of a ban.
James Graham, the VP of RiskLens weighed in:
"A ban on ransom payments would likely just add another risk factor into the quantified decision about whether or not to pay. That is, victim companies may simply factor these new penalties into their risk equation as a potential secondary loss. If the cost of the ransom and the penalty are less than the consequences of not paying (data breach, lost business, brand reputation, etc.), or if the combined loss figure is still within the organization's risk tolerance, any such ban could prove less than effective as a deterrent."
The reconsideration of the official policy on ransom payments is driven by the persistent and high level of ransomware activity. Recent attacks, such as the one against Dallas and the ransom payment made by the San Bernardino County Sheriff's Department in California, highlight the urgent need for action. Ransomware is a financially motivated crime, and paying ransoms only perpetuates the interest of criminals. However, the complexity of the issue necessitates careful deliberation and the development of a roadmap for businesses and agencies to follow.
While some experts believe that banning ransom payments is a necessary step to reduce ransomware attacks, there is no consensus in the threat intelligence community. The nature of cybercriminals suggests that they will find alternative methods to extort money, even if bans are enforced. Ultimately, the battle against ransomware requires a multifaceted approach that addresses both the financial incentives and the security vulnerabilities that enable such attacks.
###