A ransomware reality check for CISOs

The rising tide of ransomware attacks targeting critical infrastructure sectors has reached unprecedented heights. Now at the top of many CISOs’ agendas, a confluence of technical, legal, ethical, and regulatory shifting winds is making this scourge on industrial environments increasingly difficult to navigate.

The dilemmas organizations must deal with are dizzying:

• To pay a ransom or not?
• Will cyber insurance provide adequate shelter?
• What’s the role of government?
• Are new mandates and penalties on the horizon?
• How are adversaries evolving their tactics?

To make sense of it all, let’s first focus on the adversaries and their playbook. Cyber criminals have a well-developed business model and carefully contemplated financial calculus of ransomware. They have determined whether they will launch a direct attack to maximize profits or offer Ransomware-as-a-Service, complete with a help desk and other support services, to supplement their income while enabling malicious actors with less technical skill.

They have researched their victims and targeted organizations based on their ability to pay. All these tactics are developed and executed in concert to make paying the ransom the path of least resistance – financially and logically.

Every aspect of a ransomware campaign is calculated to elicit an emotional response from the target such that it is easier to pay the ransom than to bear the costs and delays of trying to recover on their own.

Let’s start with what we shouldn’t do

• This is no time to be morally absolute. There is a vigorous debate as to whether companies should pay the ransom, warning that paying it begets more ransomware. While true, it’s simply not pragmatic or feasible given what’s at stake. It’s easy to be an armchair quarterback but put yourself in the shoes of a CEO responsible for keeping much of the U.S. East Coast supplied with oil and gas. Think about the pressure they feel in the moment, faced with unknowns about the attacker, the attack, and their company’s exposure and resilience. Declaring they shouldn’t have paid the ransom is like telling a victim of a mugging that they shouldn’t have handed over their wallet. It’s absurd.
• Banning payments would only add to the pain. Additionally, another contemplated step was the notion that Congress should ban ransom payments entirely by making them illegal. Our perspective is that this would place political and business leaders in no-win situations, where they would need to choose between breaking the law or impacting public safety and the economy.
• Don’t mistake a transfer of risk with a control. While cyber insurance is an effective risk transference mechanism, don’t confuse it with having a plan. Nor is it a substitute for good governance and risk management. In fact, cyber criminals are actively targeting companies with cyber insurance because they know they are more likely to pay the ransom. With costs rising for cyber insurers and limited data available to create reliable actuarial tables, premiums and deductibles are starting to rise and preconditions are becoming more onerous. Insurers are saying they won’t cover ransomware if an organization hasn’t put proper controls and governance in place. As with any type of risk mitigation strategy, insurance is only one component.

So, what should we do?

• Moving from ignorance to negligence will create urgency. Boards and C-suites understand and commonly factor in a variety of business risks, including market risk, supply chain risk, and liquidity risk, yet many don’t understand industrial cyber risk. It is the responsibility of every board to ask the C-suite questions, to develop a point of view on their risk tolerance, to have a good resiliency plan, and to know the current state of cyber risk in their operational technology (OT) environment. If you’re the CISO, bringing awareness to this new category of risk will create a burning platform that the board cannot ignore without being willfully negligent. Given all the advantages to be gained through digital transformation, cyber risk within industrial enterprises is not a question of “if” but “when”. Keeping your head in the sand once you are aware of your organization’s risk puts you in a state of negligence. It’s time to start the journey of strengthening industrial cybersecurity.
• Fortune favors the prepared mind. While there are a lot of things we can’t do in the face of attack, there is an abundance of things we can do to mitigate risk. The National Institute of Standards and Technology (NIST) has developed the Cybersecurity Framework which helps provide a set of steps for how organizations can think and act around securing their infrastructure proactively and over the course of time. By putting recommended controls in place and building a solid foundation now, organizations can worry less about reacting after the fact. For instance, gaining visibility into your OT environment, running tabletop exercises, and formalizing relationships with incident response and legal firms prepares you to make gameday decisions with confidence.
• Change the financial calculus. The financial model of ransomware attacks has historically favored paying over not paying. The city of Baltimore is one widely publicized example, where the attack cost the city more than $18 million between lost or delayed revenue and direct costs to restore systems, but the ransom was only $76,000 in bitcoin on the day of the attack. It should therefore be no surprise that Congress members in both the House and Senate have proposed legislation to drive mandatory incident reporting, along with a system of incentives and disincentives to change the financial and risk equation in favor of better controls and risk governance up front.

As long as there are profits to be made, ransomware attacks targeting critical infrastructure sectors are likely to continue. To mitigate risk, the most effective path forward is to explore the technical, legal, and regulatory means we have available to enable and encourage behaviors that mitigate risk. This requires working together as a society to come up with ethical and viable approaches that include a mix of proactive techniques and practices, mitigations, and responses. With a deep understanding of the multi-layered dynamics at play, we can use these guardrails to move in the right direction.