Understanding Response Risk Relative to Ransomware and DoT Guidelines | Don’t Pay, Can’t Pay, What Next | A Conversation With Dr. Catherine Lotrionte, Adam Hickey, And Stewart Baker
What do we think about this cybersecurity strategy? We wait for an attack to happen, then we respond to the threat by paying a criminal organization to get out of the trouble. Does it seem like a good one? Probably not, especially when it is illegal to do so. Let's discuss.
Ransomware is a digital attack against an individual or organization that holds data and/or systems hostage until a payment is received. Like many other forms of cybercriminal activity, this is on the rise, affecting our society at large.
If and when this happens, the options in front of the victim are generally:
- Restore the system/data from a known good backup
- Pay the ransom and go back to normal (hopefully; this assumes the criminal honors the "agreement" and actually delivers working decryption keys)
- Don't pay and experience the consequences
The FBI discourages organizations from paying ransoms, and the Department of the Treasury's Office of Foreign Assets Control (OFAC) has now advised that making or facilitating a ransom payment to a sanctioned person or jurisdiction may violate OFAC regulations, exposing the payer (and any insurer, negotiator, or payment intermediary involved) to civil penalties. Seemingly this puts boards, and the conversation in and around evaluating risk, in a very precarious situation. How this weighs against fiduciary responsibility depends on the organization (a manufacturing company vs. a hospital, for example) and on what data or systems are being held. Either way, it could squarely disrupt the natural flow of risk considerations for boards.
How about cyber insurance? Can we just skip prevention because there is a cure? Probably not.
Beyond the potential illegality of the payment, there is also the fact that the funds paid don't just land in the pocket of an individual criminal actor looking to buy a new sports car. They most probably support international crime and nation-state activities, such as funding human trafficking or nuclear weapons research and development.
Also, why is this still a problem in 2021? Why can’t we win here?
Listen in to this group of experts as we try to figure that out.
Maybe we solved the problem. Maybe not.
Dr. Catherine Lotrionte, CSIS Technology Policy Program
Adam Hickey, US Department of Justice
Stewart Baker, Steptoe & Johnson LLP
RSAC 365 Session: Understanding Response Risk Relative to Ransomware and DoT Guidelines
Dept. Of Treasury Ransomware Advisory: https://home.treasury.gov/news/press-releases/sm1142
FBI Position on Ransomware: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
RSAC 365 Virtual Summit: https://itspm.ag/virtual-summit-d0974