Deterring Ransomware Attacks: Treat ransomware as criminality

Strategic Insight 001/2022

Paddy McGuinness

16 February 2022

Summary

A seminar at the Azure Forum on “Deterring ransomware attacks as an international security priority” in September 2021 prompted the following four recommendations for actions by Nation States which draw on my current work advising listed companies on their cyber resilience and past experience as UK Deputy National Security Adviser and Cyber Programme lead. First, treat ransomware as criminality and address it separately from the conflicted and glacial diplomacy to address state cyber action. Second, make it consequential for the criminal perpetrators, by attacking their wellbeing, their tools and dependencies. Third, support those who are attacked rather than blaming them, and in particular make business needs central to states’ response. And fourth, develop resilience disciplines including more effective response and recovery, data sets as Critical National Infrastructure (CNI), and Public Interest communications.

Commentary

Ransomware is a current security and policy priority in most jurisdictions. Taskforces are at work and strategies are under development. Just last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK and Australian National Cyber Security Centres took the unprecedented step of issuing a joint advisory on the heightened threat to Critical Infrastructure from ransomware. Little wonder, given the ever-growing pandemic of attacks on businesses and public bodies of every kind without effective response from states, individually or collectively. Situational awareness is poor, and most attacks are not made public or reported to regulators. Victims find little or no practical support or relief from the state. Most, faced by hard business realities, pay.

Few states are as well qualified as Ireland to consider and advise on the necessary response. There is a moral authority which comes from having had the Health Services Executive subjected to a criminal ransomware attack: an action which, if conducted by a state, might well have been considered an act of war or at least an intervention. While the Irish Defence Forces need to deploy effectively in the digital age and make their cyber defence and civil contingencies contribution, they differ from militaries with offensive cyber programmes such as the United States, United Kingdom, and France who, as much as Russia and China, are conflicted when it comes to international action to constrain cyber attackers. These states have an interest in preserving freedom of manoeuvre for their cyber forces and, unfortunately, it is their techniques which criminals quickly use when these get into the wild. This means that if the international security policy response to ransomware is framed, principally, as being about states, it is likely to have limited or no effect in the necessary timeframe. Look at the glacial progress of the UN Group of Governmental Experts (UN GGE) process as a case in point. Ransomware is growing exponentially and seemingly having ever greater real-world effect. Counter-measures are required now.

Diplomacy focused on state actors also misses a truth. Most ransomware attacks are conducted by criminals for financial gain. Policy discourse and public statements by governments are too much about state actors and the minority of groups truly tied to hostile states. This pollutes the response. The vast majority of ransomware incidents are simply criminal and should be treated as such. The international community has a history of addressing criminality which crosses borders or exploits ungoverned space. The United Nations Office on Drugs and Crime (UNODC) might therefore have a much fuller orchestrating role in mapping the phenomena which need to be addressed and suggesting how the ever more industrial cyber criminal ecosystem might be dissected. Approaches which have worked in campaigns against maritime piracy, kidnap and ransom, and many forms of trafficking are relevant here.

First, there is creating consequence for the perpetrators and for the states that fail to act against them. Ransomware is far from a victimless crime and, when healthcare bodies, industrial control systems and energy suppliers come under attack, there is real risk to life. By any measure this is a serious crime and warrants more significant penalties and greater priority. There also needs to be persistence in identification and disruption of the perpetrators and their geographies, using the same intrusive powers available for the pursuit of narcotic suppliers or terrorists. Second, there needs to be a systematic deconstruction of the criminal ecosystem which has grown up mainly amongst Russian-language crime groups. ‘Ransomware-as-a-Service’ and ‘Intrusion-as-a-Service’ create their own attack surface and structural vulnerabilities which cyber-capable states should be disrupting. As promising is the potential to deter the use of cryptocurrencies for payment. Central bankers and financial regulators have a role to play that is frankly more significant than cyber envoys in this context.

I have spent much of the last two years supporting companies in multiple jurisdictions when they are afflicted by ransomware incidents. Two constants are relevant here. First, more than other intrusion or data loss events, ransomware can quickly impact every aspect of the business, such as continuity of operation, supply chain and customers, cashflow, market standing, internal cohesion, physical safety, and community relations. It is like chemotherapy, which brings out every existing weak point in the corporate body to compound the original illness. Like chemo, it takes months to recover. When business leaders think of it as a technology rather than an all-of-business challenge, it takes longest. Unfortunately, this is how many shaping the policy response think of it too.

Second, it is the attacked rather than the attacker who currently gets blamed. So do those who actually support recovery – such as the insurers. Sadly, organs of the state do little to actually enable the recovery of these productive units in society. Interaction with law enforcement, national cyber centres, punitive regulators and ministries too often obstructs rather than enables business recovery. The state almost seems to be increasing the effectiveness of the criminal extortionists.

A better approach is to examine how the collective response can best support the viability of the ransomed business. This is not to set aside proper corporate responsibility or the regulatory and law enforcement function, but the current approach is off balance. It is predominantly business networks and data that are being ransomed. Business need must be central to the response.

There is then the question of how those engaged in developing international security approaches conceptualise so-called ‘Cyber Resilience’. States’ guidance on cybersecurity is still very much about education towards prevention and defence. Private sector enterprises that spend most on cybersecurity see a poor correlation between that spend and protection from intrusions. Increasingly their view is that the euro spent on preparedness to respond and recover has greater cyber value than the traditional preventative cybersecurity spend. This is a “when, not if” approach to ransomware. This ought to shape the national and international response. Companies which have back-ups and/or the capacity to rebuild affected servers and networks are much less likely to pay. Gradually regulators, especially in the finance sector, are moving to mandate secure cyber vaulting of back-ups. A specification for “recovery capacity” may follow. Importantly, a consensus on which data sets and networks deserve additional protection is overdue. This is about understanding what actually makes up CNI, but it also applies to data of collective significance – such as healthcare data which supports treatment.

Finally, there is work to do on public communications about ransomware events. The attacked are often constrained by regulation and business need in what they can communicate. In contrast, the extortionists have free rein. The pretence that ransom-takers are akin to white hat hackers finding vulnerabilities for the public good needs to be challenged. It is a shock to see otherwise reputable media outlets allowing themselves to be used instrumentally by attackers to increase the pressure on those being extorted. Thought is required to reshape how these crimes are talked about so that ransomware criminals get the same restrained coverage as others who cause societal damage for personal gain.


Paddy McGuinness is a Senior Advisor at the Brunswick Group & Former UK Deputy National Security Advisor for Intelligence, Security and Resilience.

The Azure Forum is a nonpartisan, independent research organisation. In all instances, the Azure Forum retains independence over its research and editorial discretion with respect to outputs, reports, and recommendations. The Azure Forum does not take specific policy positions. Accordingly, all author views should be understood to be solely those of the author(s).