The writer is a former head of MI6, Britain’s Secret Intelligence Service, and a founding partner of Vega Cyber Associates.
It’s easy to feel powerless in the face of a threat as amorphous and seemingly random as ransomware. But like all cybersecurity issues, it’s not so much a technology issue as a human issue. And it is one that humans can solve.
Recent ransomware attacks against Colonial Pipeline in the US and the Irish health system should be a wake-up call. Things are bad and will get a lot worse because the incentives to launch these attacks are strong and growing.
There is no silver bullet that will make this problem go away. But there are things that states, organizations, and individuals can do that together could convince ransomware actors to use their undoubted skills elsewhere.
First, we must recognize that this is not only a criminal issue, but also a national and geopolitical security issue. The people behind these cyberattacks need places to live and enjoy their ill-gotten gains. It will not have escaped the notice of many people that most ransomware operators have a “do not eat in Russia” policy. The reality is that many are in Russia and, as long as they do not interfere with Russian interests, they will be left alone. President Vladimir Putin has made it clear that he does not believe he owns the problem.
There are long-standing links between the hacking community and Russian security services. And while it is not true to say that the state is behind these attacks, it is clear that the perpetrators could not function as they do if the FSB national security service were deployed against them.
U.S. President Joe Biden has said the issue is the first on the agenda of his meeting with Putin next week. This is where it should be. And he should use the full range of geopolitical carrots and sticks to get the top exponent of realpolitik to take the problem seriously.
I was glad of the FBI’s success in accessing the bitcoin wallet used by the Colonial hackers and recovering a large portion of the ransom. The ransomware threat now posed is such that the application of high-end national capabilities is entirely appropriate.
Incentives for this criminal activity must also be addressed. As head of the Secret Intelligence Service, I saw first hand the effects of the policy of non-payment of terrorist ransoms adopted by the UK and our allies in the Five Eyes intelligence exchange group. This policy is often heartbreaking to implement, but it is the right one. The alternative is to fund the same activity you are trying to avoid.
There is a case for applying this approach to ransomware. Opponents question whether the ban on payment in a life-threatening situation can ever be justified on moral grounds. They have a point. But a partial ban, which allowed for payment in “emergency” circumstances, would simply encourage attackers to create this situation. And that would be the worst of all worlds.
If it is accepted that this is a national security issue, it becomes difficult to defend the suggestion that governments should simply leave these decisions to private citizens. As a first step, I think it should be mandatory to disclose payments publicly and in detail. Attackers are looking to present payment as the easiest option. We need to change that.
We must also take into account insurance and moral hazard risks. Attackers often access insurance policies in advance and know exactly how much they can get. However, insurers now expect to see good quality cybersecurity testing before writing business.
Then there is the issue of cryptocurrency. It can be argued that the problem would not exist without cryptocurrency, which allows ransom payments to be made in such a way as to preserve the anonymity of the recipients. This is not to argue for a ban on these currencies, which are obviously here to stay. But it is to urge the development of robust know-your-customer and anti-money laundering laws appropriate to the digital age.
Cryptocurrencies are not untraceable: they sit on the blockchain and can sometimes be traced more easily than cash. The difficulty faced by law enforcement agencies is to discover the real identity, or at least the real intention, of the recipient or originator. The good news is that modern data and analytics can be combined so that good transactions can be distinguished from bad ones.
And then an irony. Often, the software used by attackers is based on code written with the best of intentions by penetration testers who help organizations investigate the vulnerabilities of their systems. While there are significant practical hurdles, we need to draw on our experience in counterproliferation licensing techniques and identify ways in which we can restrict the use of this code to its intended purpose.
It follows that governments can and must do more, but not to the point of absolving people and businesses of their own responsibilities. A surprisingly large amount is about getting the basics of cybersecurity right.
In short, it is about human agency. Individually, we are easy to reach and intimidate. But collectively we are far from helpless. These attackers are bullies. And bullies come back for more unless you confront them, preferably in company. If anything good comes out of the recent attacks, it will be that that day is approaching.