Ransomware Task Force co-chair says a ban on ransom payments would need to be phased
Any federal ban on the payment of ransom demands by hackers in cyberspace would likely need to be phased, according to a co-chair of the Ransomware Task Force.
In an interview with FedScoop, Chris Painter said that any such move would be introduced incrementally, and would be accompanied by new measures to support entities hit by online attacks, such as a victim recovery fund.
While federal agencies themselves do not pay ransoms, legislation would be needed to create a fund that lets ransomware victims avoid paying, or that raises their cybersecurity resiliency over a period of several years, he added.
“You can phase [a ban] in over time. You can come up with various backstops to help fund or protect them to get them up to a particular level of standards over a period of a couple of years,” Painter told FedScoop.
“Obviously some of the things we suggested require legislation like having a pool of funds and helping victims so they don’t have to pay the ransom or do better in terms of resiliency for these victims,” said Painter, a former federal cybersecurity official. “There’s a lot we can do to disrupt the business model of these ransomware groups and do more to protect victims.”
Painter is the co-chair of the White House-backed Ransomware Task Force (RTF), which was set up in December to foster public-private collaboration in response to the epidemic of ransomware attacks.
He was previously the U.S. government’s most senior cyber diplomat and was a senior member of the team that carried out President Obama’s Cyberspace Policy Review in 2009. He has also held senior roles at the Department of Justice, FBI, the National Security Council and the State Department.
The question of whether companies that fall victim to cyberattacks should pay digital ransom demands has proved central to discussions of how the federal government and the private sector should respond to ransomware attacks.
According to the RTF’s “Combating Ransomware” report, which was published at the end of April, public and private sector representatives were unable to reach an agreement over whether to implement a unilateral ban on such payments. In the report, RTF recommended that government establish cyber response and recovery funds to support ransomware response and other cybersecurity activities.
Advocates of banning the payments say they fuel a market for cyber criminality by guaranteeing hackers that their demands will be met. Opponents say that the cost of paying ransom demands is often a fraction of the damage caused to companies and their shareholders by refusing to pay.
The Department of Justice has elevated ransomware investigations to a priority similar to that of terrorism and ordered information sharing with the RTF, Reuters reported Thursday.
Speaking to FedScoop, Painter said that even without a ban, victims who pay risk violating federal law if the ransom ends up going to a group on the Treasury Department's sanctions list, and whether that is the case is currently hard to determine before paying.
“To enable more companies to bear the financial cost of remediation, national governments should create ‘Cyber Response and Recovery Funds’ (CRRFs),” the report said.
It proposed the creation of a CRRF to help cover the cost of restoring IT functionality for local governments, critical national functions, or other entities as they recover from a ransomware attack.
The late April report also recommends the creation of a cyber backstop scheme that could function like the Terrorism Risk Insurance Act (TRIA), which was passed after 9/11 and requires the federal government to act as reinsurer of last resort.
TRIA enables the private sector to offer terrorism insurance by guaranteeing that the government will pay a portion of claims in the event of a major terror attack.
Painter added that the Biden administration's cybersecurity executive order and its recent budget proposal to allot $9.8 billion to cybersecurity were a "good start" in advancing the country's response to the ransomware epidemic.
The cyber expert also noted that the recent ransomware attacks on Colonial Pipeline and food processing giant JBS differed from traditional espionage because of the direct impact they had on the day-to-day lives of U.S. citizens.
“It does make a difference when people can’t get gas or can’t get a hamburger; it brings it home for people,” he said.