In the wake of renewed calls for lawmakers to consider enacting legal bans on ransomware payments, the Computer Weekly Security Think Tank weighs in to share their thoughts on how to tackle the scourge for good.
By
- Mark Cunningham Dickie
Published: 26 Apr 2024
Okay, hear me out. In the 1960s and 70s, the UK began to develop the policy of non-negotiation in response to the increasing number of terrorist incidents primarily from Northern Ireland; though another, more famous example of not negotiating, would be the siege of the Iranian Embassy in 1980. In the US, the position started to be countenanced in the 1970s and 1980s, again with regards to the Middle East, sources are divided on whether president Richard Nixon or Jimmy Carter first officially used the famous soundbite, “We do not negotiate with terrorists”.
This famous, and often quoted, soundbite works because it’s punchy, clear, definitive, and appears to take a principled stance. However, the reality is that both the UK and US do negotiate… when it suits them. Moreover, this rhetoric has resulted in missed opportunities, lives lost, and hypocrisy. One of the clearest examples of when negotiating with defined terrorist groups has led to a positive outcome would be the 1998 Good Friday Agreement which was struck between UK and Irish governments and eight political parties or groupings from Northern Ireland, following multi-party negotiations. The US government, with senator George Mitchell serving as the chair of the talks, also played a significant role in brokering the agreement. This agreement led to a power-sharing assembly to govern Northern Ireland and paved the way for paramilitary groups to decommission their weapons.
For an example of when negotiating and not negotiating have had starkly differing results we need look no further than the fate of hostages held by the infamous ISIS members nicknamed “The Beatles”. While undoubted brutal and guilty of executing British and American journalists and aid workers, the group released all other western captives following negotiations and in exchange for large sums of cash.
Does paying the ransom fee incentivise crime?
One of the key arguments for not paying ransoms, or even negotiating, is that such activities incentivise crime; thereby contributing to its growth. In his book, We want to Negotiate: The secret world of kidnapping, hostages and ransom, Joel Simon delves a lot deeper into the no concessions policy and how adhering to that, rather than protecting people by removing that incentivisation, actually puts them at greater risk of harm. In short, the longstanding no concessions policy did not prevent British and American hostages from being taken, it only led to their deaths.
Recently there have been renewed calls to make ransomware payments illegal. Once again, the premise of the argument is that by paying the ransom it incentivises the growth of the ransomware ecosystem. Given the earlier points, it is worth considering the key question: Do you think that if a hacker no longer has a financial incentive to hack, that they would stop hacking?
If your answer is no, then another mechanism needs to be found. If your answer is yes, then it may surprise you to know that there are actually already laws in place which prohibit ransom and ransomware payments for both UK and US entities. In the US, the Office of Foreign Assets Control (OFAC) under the Department of Treasury has regulations that prohibit transactions, including ransom payments, to individuals or entities on the Specially Designated Nationals List (SDN). OFAC issued an advisory in October 2020 specifically addressing ransomware payments. It warned that making a payment to a sanctioned person or entity could result in civil penalties under US law, regardless of whether the payer knew or should have known they were engaging in a prohibited transaction. In the UK, the Cyber Sanctions (EU Exit) Regulations 2020 came into effect in late 2020 and prohibit transactions with designated persons involved in cyber crime. This includes ransom payments to ransomware attackers. Failure to comply could result in criminal penalties, including imprisonment or a fine. To date, I have found no instances where anyone has ever been prosecuted for paying a ransom either for a human or for data recovery/protection, which itself sets a precedent.
The drawbacks of making ransom payments illegal
To make ransomware payments illegal also has additional negative effects. It is likely that reporting of incidents will decrease, potentially exposing data subjects to risks that they are not aware of. It criminalises victim organisations potentially exposing them to further fines on top of the payment, any fines or sanctions from regulatory bodies, and the cost of the investigation, recovery, and legal fees, etc. But most importantly for me as an incident responder, it removes a valuable tool from our arsenal. If threat actors know that organisations cannot pay a ransom, then there is no incentive for them to negotiate. Negotiation isn’t just about settling on a price. Indeed, negotiation does not need to lead to payment. It can be used as mechanism to gain intelligence on the threat actor, ingress, duration, data access, and as a stalling mechanism to buy organisations time to investigate, eradicate, remediate, and recover.
Whether effective or not, the overall objective for suggestions of making the payment of ransoms illegal is to reduce the number and impact of cyber-attacks. But there’s an entire cyber security industry that is trying to attain the same goal. The suggestion is just one, non-technical, non-security related, lever that is focusing on the problem too late in the game. No one thinks that they will pay a ransom, because they don’t see it as being something that they would have to deal with, so they don’t care if it’s illegal or not. Punitive measures only hit the companies on the bottom line of balance sheets, which is where the c-suite sees the cost of cyber security, not the effect on the individuals impacted by it.
There has been commentary by some that education and training clearly are not getting through to users, and security solutions are coming up short. However, both of these are actually part of a company’s culture. If these are failing, it’s because of a failing in company culture. And the culture starts from the top.
How to improve company culture
So, what then is the solution? Well, there is no one thing that can fix it all, but here’s three points that I believe could move the needle in a positive direction:
Change the company culture by moving cyber security away from being a figure on a spreadsheet: Make, and hold, boards and c-suite executives accountable for ensuring the security of data through personal fines, blocking of bonuses, preventing them from holding a level of office for a period of time, or even imprisonment. Moreover, this should include a recall period, a period of time during which, should the organisation at which they held that position be impacted by a cyber incident, they can be fined or held responsible and accountable. Making the executive personally invested in the security of data held by the organisation will change the culture within the organisation.
Move away from vitriol of engaging with threat actors. You can not only talk to people that you like and who agree with you. To do so leaves you closed off with a very polarised view and less informed and educated than you otherwise could be. This is not a great position to be in during a crisis. In his book, Never Split the Difference, Chris Voss – former lead international hostage negotiator for the FBI (a job title that really does show that the US negotiates with terrorists) cites numerous instances where negotiation has led to outcomes beneficial to the party whose opponent seemly held all the cards; where negotiations led to the gathering of intelligence and the wider disruption of organised crime; where just being heard, or rather listened to, led to the hostage takers to give up on their own initial objectives.
Target the money trail
Finally, if you really want to target the financial systems of threat actors, make it harder for threat actors to utilise/spend crypto assets that they do receive. The blockchain is an open ledger where transaction can be traced, and wallets attributed to threat groups. The concept of zero-knowledge proofs (ZKPs) could be used in a system to track and grade the trustworthiness of cryptocurrency transactions. Law enforcement agencies or cybersecurity firms could maintain a database of known bad wallets associated with cyber crime and ransomware. Each transaction could be scored based on whether it involves these bad wallets. For instance, a transaction that only involves known good wallets gets a high score, while a transaction involving a known bad wallet gets a low score. Over time, new or other wallets could be assigned a trustworthiness score based on the scores of their transactions.
Instead of publicly revealing which wallets are bad, these organisations could use ZKPs to prove that they know a wallet is bad without revealing what, why, or how they know. This preserves a level of privacy of the wallet owners, as well as the organisation’s intelligence, while still allowing transactions to be scored. This approach, while being a closed ledger, also makes it harder for threat actors to try and manipulate the ledger or scoring.
This system could help discourage transactions with known bad wallets and incentivise transactions with known good wallets. Such a solution would require careful design and oversight to ensure it’s not misused or manipulated, and to ensure it respects privacy rights, but may also help with the adoption of decentralised cryptocurrencies for legitimate purposes.
Mark Cunningham-Dickie is a principal incident response consultant for Quorum Cyber. He has over 20 years of experience in the technology industry, including more than 10 working in technical roles for law enforcement and other government funded organisations. Mark has an MSc in advanced security and digital forensics and a BSc (Hons) in computer science.
