Friday, May 14, 2021

BLACKMAIL AND WHITE LIES


A couple of years ago I gave a talk on data protection and cyber security to a group of forensic examiners.  The speech proceeded along the typical lines and covered some interesting ground – still, I’m certain more than a few people were eager to hit the road as the afternoon wound down.  Then, as we moved into the question and answer period, things started to heat up.  For anyone following the news in recent weeks there will be little surprise about the topic that got things going.  The discussion in the room had turned to ransomware.

Everyone had a view on what was then an emerging threat – but I think I shook up more than a few people when I said that this was the one instance where I think it should be legal for companies to “lie”.

Now, for a group of professionals whose job largely revolves around uncovering and exposing truth this was quite a bombshell – but once I explained my motivations and what I meant I believe a good few people had come over to my view.  By “lie” I wasn’t advocating that companies (or governments) be allowed to use a false threat of cyber attack to their advantage, or to mislead people as to the financial status of their business.  What I did think needed to be addressed – and I continue to feel this way – was the distressing impact that publicising ransomware attacks could have on the frequency of the next ransomware attack.

Put yourself in the shoes of a board of directors or a CEO.  Your company, which for the purposes of this thought experiment is publicly listed, is hit by ransomware and the perpetrators demand payment before they will release the company’s systems.  You therefore have a few choices: (1) you pay and hope that the attackers keep their word; (2) you go to the authorities and expose the company and its shareholders to potentially huge losses; (3) you do nothing and hope that you can find an internal solution to defeat the encryption.  All of these choices are complicated by other factors.  If you are in a critical industry (as with a recent energy company) you have public welfare to worry about.  Perhaps you are in the middle of acquisition negotiations and even the publicity of a cyber attack could cripple those talks.  Maybe you do a cost-benefit analysis and realise that the risk of loss from paying is de minimis compared with the threat of holding out, so you pay, regardless of whether there were other viable options.

Whatever you do the risks involved are potentially great.  This article is not an essay on how to analyse that risk – but I do wish to discuss why publicising it is potentially an even greater threat. 

It needs to be understood that during a ransomware attack there are two parties doing cost/benefit analyses.  One is the victim, but the perpetrator is carrying out the same exercise.  Ransomware attacks increase in frequency in direct correlation with the perceived reward available.  If it becomes common practice to disclose the frequency, targets, origin, methods, outcome and gain associated with ransomware attacks, that only increases the perceived value of the next attack.  Currently many companies feel it incumbent on them to disclose the fact that they have been attacked, and in some cases rules on financial disclosure can be interpreted to require such revelations.  It might be time to rethink our approach to that.

That need to reassess our approach is what I was advocating during my talk to those examiners.  Current rules on data breaches and cyber attacks have been largely geared towards ensuring that companies disclose publicly when those incidents take place.  It is entirely understandable why those rules – ranging from SEC guidance to the broad scope of GDPR – were put on the books.  Letting individuals know when their data may have been compromised is extremely important.  But the proliferation of ransomware attacks has made it necessary to take a deep breath, step back, and assess whether we are “feeding the beast” when we make disclosure of a ransomware attack a requirement.  Surely it is not too much to recognise that there are instances when companies should be given the opportunity to assess (with the help of regulatory oversight) whether a disclosure is in the best interest of the public welfare, and what form that disclosure should take.

So yes, I do believe there are times when, if asked whether their company has ever made payments in respect of data breaches or cyber-attacks, a company should have a way to avoid confirming that fact in a public forum.  "Shield" laws and regulations should be established.  Reporting requirements concerning the existence of cyber-attacks, or the financial steps taken to deal with them, should likewise be tempered in certain circumstances.  To fail to take these steps will only encourage the next attack.  I also believe there are times when the relevant authorities should be able to green-light payments which might otherwise be prohibited.  Finally, as with other types of reporting, I believe the press should establish a set of self-imposed regulations and standards for dealing with cyber-attacks.

I do not believe that all this should take place in a vacuum.  There needs to be greater clarity concerning the regulations that will apply to disclosure of cyber-attacks.  There certainly needs to be more international coordination on that approach.  There should also be specialist agencies (or inter-departmental specialists) given the resources and the mandate to assist companies faced with such attacks.  Finally, we have reached the point where penalties for making or abetting cyber-attacks need to be strengthened, both for rogue actors and for state-sponsored perpetrators.

This morning I awoke ready to go to the local vaccination centre to receive my first inoculation.  The first bit of news I was hit with was that the Irish Health Service Executive (HSE) had been the victim of a ransomware attack by cyber criminals.  There was uncertainty as to whether any of the scheduled vaccinations could proceed.  Happily, I was able to go, but the news was filled with reports of other services – cancer screenings, pre-operative assessments, organ-transplant reviews – that were cancelled.  If we have learned anything in the past year and a half it is that interference with the orderly provision of health care inevitably leads to increased mortality.  People are dying by their thousands in India right now not because we are worse at dealing with Covid than we were a year ago (in fact we are much better) but because the medical infrastructure there has been overwhelmed.

So people die.

Let me state an unpleasant, often unspoken fact, one that nonetheless remains a fact.  The interference with the Irish medical infrastructure by cyber-criminals means that people will die.  The heartless attack by those criminals killed someone today; we just don’t know their name yet.  Someone who missed a test, had to reschedule an appointment, or was passed over for a screening will pay for the delays caused by greedy hackers.  We cannot afford to make such a crime easy, we cannot afford to make such a crime attractive, and we cannot afford to make such a crime, for lack of a better term, “affordable”.  We must band together to end the perception on the part of cyber criminals that the risk of undertaking a ransomware attack is "worth it".
