To pay or not to pay — it’s the ransomware question that dogged the U.S. government as it considered whether it should ban payments to attackers, raising moral dilemmas along the way.
Ultimately, U.S. officials decided against an outright ban, Anne Neuberger, deputy national security advisor for cyber and emerging technology on the National Security Council, said earlier this month at the Code Conference.
“It is so hard and so much more work needs to be done to improve the security of tech, to improve the cybersecurity of systems, that we’d essentially be pressing victims to make their payments go undercover,” Neuberger said.
The U.S. government would rather have organizations reach out, ask for support and recover quickly as the Los Angeles Unified School District did earlier this month after it was hit with what Neuberger described as a “crippling ransomware attack.”
A moral quandary remains over ransomware payments, especially once the human context of a given attack is taken into account, she said. That context pulls against the desire not to incentivize the next attack by paying.
Even though there is not an outright ban, authorities actively discourage ransomware payments.
The advice, instead, is to follow what Neuberger described as basic cybersecurity practices: consistent backups stored offline, multifactor authentication and data encryption.
“Our first, really strongest request is to do those practices because then you really are protected against only the most sophisticated attackers,” Neuberger said. “Beyond that, if somebody does get hit, reach out to the FBI, as the Los Angeles Unified School District did [earlier this month], and we will surge support to help you recover.”
Federal authorities also discourage insurance providers from paying ransoms, but insurers can play a significant role in reducing the rate of ransomware occurrences broadly, according to Neuberger.
Insurance companies should incentivize good cybersecurity practices by imposing higher thresholds of compliance for underwriting approvals and offering lower premiums to organizations that meet those objectives, she said.
“That makes it a lot harder for attackers because many attackers are using vulnerabilities that are known where there are patches available,” Neuberger said. “If we can raise the bar to where an attacker has to come up with something new each time, we would see the number of attacks dramatically fall. It’s way too easy today.”