Understanding Response Risk Relative to Ransomware and DoT Guidelines | Don’t Pay, Can’t Pay, What Next | A Conversation With Dr. Catherine Lotrionte, Adam Hickey, And Stewart Baker


Manage episode 282457665 series 1535672
By ITSPmagazine Podcast, Marco Ciappelli, and Sean Martin. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

What do we think about this cybersecurity strategy? We wait for an attack to happen, then we respond to the threat by paying a criminal organization to get out of the trouble. Does it seem like a good one? Probably not, especially when it is illegal to do so. Let's discuss.

Ransomware is a digital attack against an individual or organization that holds data and/or systems hostage until a payment is received. Like many other forms of cybercriminal activity, this is on the rise, affecting our society at large.

If and when this happens, the options in front of the victim are generally:
- Restore the system/data from a known good backup
- Pay the ransom and go back to normal — (hopefully, assume the criminal honors the “agreement”)
- Don't pay and experience the consequences

The FBI discourages organizations from paying ransomware, and now the Department of Treasury has declared that paying ransoms is illegal and violates OFAC regulations. Seemingly this puts boards—and the conversation in and around evaluating risk—in a very precarious situation. The consideration around this and the balance of fiduciary responsibility depends on the organization: a manufacturing company vs. a hospital, for example, and what data is being held. However, it still squarely could disrupt the natural flow of risk considerations for Boards.

How about cyber insurance? Can we just skip prevention because there is a cure? Probably not.

Beyond the illegality of the payment, there's also the idea that the funds paid don't just land in the pocket of an individual criminal actor looking to buy a new sports car. It most probably supports international crime and nation-state activities such as funding human trafficking or nuclear weapon research and development.

Also, why is this still a problem in 2021? Why can’t we win here?

Listen in to this group of experts as we try to figure that out.

Maybe we solved the problem. Maybe not.

Dr. Catherine Lotrionte, CSIS Technology Policy Program

Adam Hickey, US Department of Justice

Stewart Baker, Steptoe & Johnson LLP

RSAC 365 Session: Understanding Response Risk Relative to Ransomware and DoT Guidelines

Dept. Of Treasury Ransomware Advisory: https://home.treasury.gov/news/press-releases/sm1142

FBI Position on Ransomware: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware

RSAC 365 Virtual Summit: https://itspm.ag/virtual-summit-d0974

This Episode’s Sponsors:

BlackCloak: https://itspm.ag/itspbcweb

To see and hear more The Cyber Society content on ITSPmagazine, visit:

Are you interested in sponsoring an ITSPmagazine Channel?

829 episodes