Inside Cybersecurity


Former White House cyber advisor Hathaway urges prohibiting ransomware payments

By Charlie Mitchell / May 18, 2021

Melissa Hathaway, who served as top cyber advisor to two presidents, says the U.S. should legally prohibit companies from paying out on ransomware demands, as an essential step in disrupting the operations of cyber criminals and curtailing the proliferation of attacks like the one that recently paralyzed Colonial Pipeline.

“[T]he U.S. Department of Justice should determine and make clear that paying a ransom is illegal,” Hathaway said in an article posted May 13 by the Institute for New Economic Thinking.

“This step would likely force organizations to further invest in their security and ability to withstand and recover from an incident (i.e., increase their resilience). Categorizing ransom payment as an illegal activity would also clearly remove coverage for these types of payments from insurance policies,” Hathaway wrote.

Melissa Hathaway, President, Hathaway Global Strategies

Hathaway was a senior cybersecurity advisor to Presidents George W. Bush and Barack Obama, and her work in the White House helped frame the federal government’s organizational steps on cybersecurity. She is president of Hathaway Global Strategies.

The cyber policy veteran pointed to the vast economic disruptions caused by the Colonial Pipeline attack as well as continued attacks on the health and education sectors, and said no sector is immune. “Lives are already at risk and these terrorists are taking advantage of the fragility, distraction, and fear of society to co-opt and coerce for economic gain,” she wrote.

According to Hathaway, the Treasury Department “should expand its list of Specially Designated Nationals (SDN) to include as many of the ransomware gangs as possible. Of course, this will require support from the intelligence and law enforcement communities, but if we want to stop the flow of ransom payments to our adversaries and their proxies, these malicious actors must be clearly identified and named, so that authorities can begin to impose real costs and consequences.”

She wrote that the “‘epidemic’ of ransomware attacks should be systematically and operationally dismantled, which requires the government to treat it like terrorism — working operationally across all government agencies and with its international partners. The government has shown that it can track transnational networks, follow their illicit finance, and prevent malicious activities before they can cause harm to society. This type of crime should be no different.”

Hathaway said, “These ransomware syndicates work for themselves and for nations as proxies. They have sophisticated services to launch their malicious attacks (ransomware as a service) and rely on infrastructures to turn their cryptocurrencies into cash. Supporting sustained operations that take down their servers of service and monitor and eliminate the cryptocurrency exchanges that launder their money would be a strong beginning.”

And, she wrote, “policymakers should prioritize identifying who is backing — or ignoring — these syndicates that are holding our institutions hostage with ransomware. U.S. Representative Jim Langevin recently stated that ‘if the international community can identify areas where a country is clearly looking the other way and it has a concentration of bad actors and they’re not doing enough to shut down these bad actors, there’s a role for international, multi-nation efforts to hold nations accountable.’ If governments around the world began to treat ransomware organizations similar to how they treat terrorist organizations, then a higher priority may be placed on dismantling their operations and refraining from harboring their activities in sovereign territories.”

Ransomware has been identified as a top priority for Homeland Security Secretary Alejandro Mayorkas and for the Cybersecurity and Infrastructure Security Agency.

Former CISA Director Christopher Krebs during a recent congressional appearance held back from endorsing a call to make ransomware payments illegal, saying “there’s a lot to consider” before taking that policy step.

But Krebs did say: “We need to prioritize countering ransomware as a nation. That includes appropriately investing in our government agencies and their ability to investigate, disrupt, and apprehend criminals. We need to do more to understand the ransomware economy and the various players in the market. And at the points where cryptocurrency intersects with the traditional economy, we need to take action to provide more information, more transparency, and comply with the laws that are already on the books.”

The Institute for Security and Technology’s Ransomware Task Force on April 29 released “Combating Ransomware: A Comprehensive Framework for Action,” with recommendations across a range of related cybersecurity issues, including insurance and how that industry can play a central role in collaborative efforts against the threat. Michael Phillips of Resilience Insurance served as one of the task force co-chairs.

At the same time, insurance industry leaders have pushed back on the idea that insurance payouts actually encourage criminals to launch ransomware attacks. Matthew McCabe of global insurance broker Marsh said, “insurance rates are rising because of the prevalence of ransomware attacks,” and observed that the “companies impacted aren’t getting off the hook” when insurance policies cover a payout on ransomware demands, rather “they’re facing higher costs.” – Charlie Mitchell