Readit News
noduerme · 4 years ago
I think forced reporting is a great idea, and a payment ban is an excellent idea. Here's why. A rational and responsible company that had invested wisely in its own IT infrastructure should not be under threat of a ransomware attack. If proper measures have been taken and they do come under attack, they should call on law enforcement to track down the adversary and call on public resources to mitigate the attack, all of which costs taxpayer money.

As it stands, companies have an incentive to cover up attacks because they won't invest in proper security. To an individual company, that's shortsighted and costly; to the country, in aggregate, it's both a national security threat and a huge drain on public and private resources which end up going to the worst possible place - to bolster scammers abroad.

The government is well within its right to prevent large cash or crypto transfers overseas, even in normal circumstances. Ringing this bell will force more companies to take measures to shore up their rickety systems.

There are 6-figure jobs aplenty out there to go into ABC Valve Manufacturing, rip out all their Win95 boxen and tell them what to buy, set it up and secure it for them.

ideksec · 4 years ago
While I agree with the sentiment around not paying, I don't think it's as simple as that. Calling on law enforcement to "track down the adversary" is not easy, and when you track it back to a random Russian cybercrime group what can you do with that information?

A lot of these payments are not Fortune 500 companies with unlimited IT budget, it's small or medium businesses with a 3 person IT team. Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.

I really like the idea of making payment more difficult and mandating organizations to report these incidents. You're correct, companies do have the incentive to cover things up. Banning payment won't stop that.

I'm interested to see how people will circumvent this if the bill passes. If you pay a third-party company who "deal with the issue" on your behalf, all under legal privilege of course, would you still need to report?

gopher_space · 4 years ago
> Should they have proper off-site backups? Yes. Should we just let these companies go out of business until organizations learn their lesson? I would say no.

Can you expand on that? Bad management leading to criminal interaction seems like something we'd be better off without.

JumpCrisscross · 4 years ago
> when you track it back to a random Russian cybercrime group what can you do with that information?

Having solid evidence of state-sponsored (or egregiously tolerated) criminal attacks on Americans is the first step to building will to launch (cyber) counterattacks, or at least credibly threatening them.

noduerme · 4 years ago
I'm a one-man IT show for a few small- and mid-sized companies, and I had to manage an incident a few years ago where one of the companies was taken down for several days under a massive DDoS attack. This was accompanied by a ransom email to me. I disclosed the email to the company owner and he asked if we should pay it. I told him I wouldn't pay it if he ordered me to. I was sleeping on the floor for an hour at a time - the host handling the dedicated server basically said we had to go and threatened me that I would have to pay for their downtime, and the attack was large enough to shut down their connection to the transatlantic cable, so I had to fight around it for 48 hours while trying to quietly exfiltrate our data off the server through another one I had in Europe at the moments I could connect. I was contacted by the FBI and ultimately they found the assailants and one of the people behind it went to prison for a couple of years; I got a judgment against him for my cost mitigating the attack (although it's symbolic, obviously. I'm sure I won't see a dime of it). He was just some schmuck in Florida.

TL;DR - if everyone refused to pay there would be no profit in it. And if everyone had to have IT staff who were competent, or worry about being fined for malfeasance, there would be no question of paying a third party to deal with something quietly. It's right and proper that authorities get involved. Even if they do find it's some troll farm in Russia, they can sanction and block in a way that small companies cannot. It's one of those situations where you stand together or die separately.

hermes8329 · 4 years ago
> when you track it back to a random Russian cybercrime group what can you do with that information?

It shifts the burden from the company to the authorities

pjmlp · 4 years ago
When a mom and pop restaurant doesn't do the proper cleaning in the kitchen, the health inspection closes the shop, this is no different.

ebiester · 4 years ago
ABC Valve Manufacturing is running on a 6% profit margin. That cost wipes out their entire profit margin for the year. (They are competing against people in other countries without the same constraint.)

Now, perhaps this is an upstream problem. Perhaps the problem is that we have built systems that are nigh impossible to secure for small businesses. Perhaps we need laptop computers with no USB slots (no external keyboards.. no external mice.. no external monitors..) and no ability to install anything without going through an app store.

This company (that makes its own operating system) also will tell you exactly the systems you can use. Everything is certified by this company to be secure and you pay them a yearly protection racket fee to assume liability. In return, you have no control over your computer. Very strict internet filters are on these computers - no stack overflow, no hacker news, just the systems that the business has paid for.

This sounds dystopian to me. I'd hate to work there. However, that's literally the only solution I see for many businesses, because the current IT system is failing us.

tantalor · 4 years ago
> cost wipes out their entire profit margin

Comment suggested "calling on public resources to mitigate the attack" implying some sort of government funded program to upgrade old IT.

crate_barre · 4 years ago
The irony of all of this is that the finance industry is providing all the liquidity for bitcoin so that their ransomware payments are actually worth something.

toolz · 4 years ago
Ransomware predates crypto. It does not rely on crypto, crypto just has some superior characteristics which make it attractive to both legal and illegal ventures. Criminals regularly adopt new tech faster than businesses as they are naturally less risk averse. The implication that someone or some industry is acting antisocial simply because they utilize a tech that criminals also utilize is short-sighted.

MereInterest · 4 years ago
Sporadic instances of ransomware predate cryptocurrencies. However, ransomware didn't start becoming dominant until the early 2010s, with the rise of Bitcoin. Before then, building a botnet was the profit motive for most viruses.

ryanlol · 4 years ago
There’s no irony here.

Ransomware would keep going if cryptocurrency disappeared tomorrow, these people have the infrastructure to receive and launder huge wire transfers.

Even the far less sophisticated African groups manage that, read the Hushpuppi indictment for an example.

pas · 4 years ago
can you please provide a tldr on that wire transfer laundering thing? :o

indymike · 4 years ago
I like the idea of a payment ban because it will force most companies to look at the systems that should be in place to prevent attacks. So many companies don't have working backups, and have not partitioned their systems in ways that prevent an attack (or accident, or corruption) from spreading from system to system. The disappointment is real when you tell the ransomware guy, "We're not paying. We just restored from backup."

RattleyCooper · 4 years ago
>The disappointment is real when you tell the ransomware guy, "We're not paying. We just restored from backup."

Worked at a trucking company as a software dev and this exact thing happened. Got hit with a ransomware attack but our IT team had daily backups of EVERYTHING. This was when ransomware was first "taking off" and they weren't even 100% sure if the attack was real.

I wish I got to see the ransomware operator's reaction, but I honestly feel like they probably had enough people falling for it so I doubt they really got that upset.

KennyBlanken · 4 years ago
This is of no utility until the DoJ and courts start punishing corporations for breaking laws and regulations in some meaningful way.

Right now, even egregious violation of regulations results in a trivial financial payment and the charges are put on the shelf - and forgotten about if the corporation "behaves." In theory. In reality, companies can keep breaking the law, violating those agreements to 'behave' - and the DoJ / courts never pursue the matter.

pas · 4 years ago
you seem to be mixing up reporting regulations with the "we both know you did something shady but it was likely not explicitly illegal back then, so let's not go to court and waste each other's time, but let's never try that, and for this courtesy you pay us a few billion USD, mmkay?" deferred prosecution agreements.

reporting regs are clear (clearer, at least, than the other stuff).

aaomidi · 4 years ago
The US stole money and resources from developing countries to get to where it is. Now the US is realizing they can get fucked as well. On a far far far smaller scale.

Watching the government and people freak out about this has been very amusing.