The Center for Strategic and International Studies has issued a report examining ransomware attacks from the victim’s perspective, finding that current policies have failed to deter adversaries and calling for “disincentivizing” making payments, spurring incident reporting and providing support to victims.
“While they are sympathetic to businesses who fall victim to these attacks, which can sometimes be existentially threatening, few policymakers (or their staff) have ever experienced the shock of an attack firsthand and, as a result, are searching with incomplete information for the right combination of carrots and sticks that will help victims and hurt attackers,” according to the CSIS authors.
The report, “Hard choices in a ransomware attack,” was written by Emily Harding, deputy director and senior fellow in CSIS’ international security program, and research assistant Harshana Ghoorhoo. It was released Wednesday.
“This report aims to put the reader in the shoes of the victim — the shocking, powerless moment of realization of a ransomware attack. It walks through a set of decisions that victim must make on their worst day and in the weeks to follow,” according to CSIS.
“How well an entity succeeds in navigating that peril depends on decisions made well before an attack, so the report also makes recommendations for both government and industry on how to encourage preparation and simple defensive steps,” CSIS said.
The report takes readers through attacks on two “hypothetical entities” – a publicly traded car rental company and a small water utility – and examines questions from who to call first, insurance implications, the state of backup systems, forensics and first response, communications strategy, and “the long recovery.”
The details are “based on a compilation of [actual] victim experiences, interviews with cybersecurity professionals, and published accounts,” according to the report.
Among its recommendations, the report notes that, “Recently enacted legislation will use regulatory authorities to require critical infrastructure owners and operators to report cyber incidents and ransomware payments to CISA. Policymakers should implement this law, evaluate its success at the one-year mark, and then adjust the legislation to fix any revealed flaws.”
It says, “They should then expand this requirement to all victim entities. This data collection will enhance accountability for those paying and help the U.S. government collect information about the scope of the problem, identifying trends and patterns.”
Further, “Policymakers need to further disincentivize ransom payments. Congress should consider instituting a penalty of 10 percent of the ransom, phased in over several years to give companies time to adjust. The revenue from any such penalty should go to fund CISA’s cybersecurity education and support programs.”
The report suggests “exploring creating tax credits for cybersecurity efforts. The U.S. government has used the tax code to shape behavior, such as tax credits for green upgrades. Hybrid car tax credits, solar tax credits, and energy efficient appliances, and windows credits all make such steps slightly more affordable and create incentives. Certifying actual progress in cyber hygiene would be challenging, but the difficulties and potential fraud are worthwhile risks in order to prompt progress.”
“Similarly,” it says, “tax credits for sharing detailed information about a ransomware attack could incentivize companies to pass more information on to the FBI or CISA. Attempting to judge the quality or quantity of information would be complicated and controversial, but the ‘fact of‘ reporting a compromise and associated details to the FBI or CISA could generate a receipt for tax purposes, much like a charitable donation.” – Charlie Mitchell (firstname.lastname@example.org)