Ransomware

Think tank pushes back on ransom payment ban

Institute for Security & Technology says blanket measures would discourage reporting

16 April 2024

The Institute for Security & Technology’s Ransomware Task Force (RTF) threw cold water on the need for a ransomware payment ban in a report.

The nonprofit think tank has rejected the viability of a ransom payment ban for multiple reasons, including: 

  • Concerns about a ban’s impact on ransom payment reporting by victims 
  • The potential to drive more payments underground
  • The unintended consequences and practical difficulties of critical infrastructure exemptions

Rather than a ban, the RTF detailed 16 milestones it asserts would be “the most reasonable and effective approach to reducing payments.” 

“While a ban may be an easier policy lift than activities designed to drive preparedness, it will almost certainly create the wrong kind of impact,” the RTF co-chairs said via email. “The number of organisations making payments is declining, which suggests we’re on the right path.”

Most of the RTF’s recommendations are already in place, under development or at least partially underway. All but one of the proposals were originally shared in a report the group released in September 2021.

“Unfortunately, most organisations still have little in the way of cyber resilience and are woefully underprepared for cyberattacks such as ransomware,” the RTF co-chairs said via e-mail to Cybersecurity Dive. “Implementing a ransom payments ban will not change that and it is not an instant off switch for attackers. They will continue to launch attacks knowing that organisations lack sufficient defenses or mitigations.”

Two of the primary efforts the RTF is calling for were completed or advanced in the last couple of years. Publicly traded companies must now report material cyber incidents and disclose their cyber governance and risk management strategies to the Securities & Exchange Commission.

The Cybersecurity & Infrastructure Security Agency’s proposed rule for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will compel upwards of 316,000 US critical infrastructure owners, operators and suppliers to quickly divulge cyberattacks and ransom payments. That rule will take effect within 18 months.

Organisations are already prohibited from making ransom payments to individuals or entities sanctioned by the US Department of Treasury’s Office of Foreign Assets Control.

Debates and policy discussions aimed at curtailing ransomware activity have shifted over the past 18 months as ample evidence emerges that current efforts to deter ransomware aren’t working.

Ransomware victims in the US paid $1.5 billion in ransoms between May 2022 and June 2023, a senior administration official said in November. Almost 5,200 organisations were hit by ransomware attacks in 2023, according to Rapid7.

The Biden administration decided against an outright ban on ransom payments in September 2022, but White House officials revived the potential policy change in mid-2023 through the International Counter Ransomware Initiative.

Disputes over the best path forward continue.

News Wires

TechCentral.ie