Recently a good friend sent me an article that described analysis performed by an independent organization that performs cybersecurity research and the recommendation they made regarding the paying of ransoms. They make the supposition that stopping the payment of ransoms will end the ransomware threat once and for all. This of course in inherently flawed for two reasons. First, at the moment at least, there are only two entities required by any enforceable regulation to report an incident, healthcare and publicly traded companies. That leaves millions of others who are not, which means they are under no obligation to let the public know they have had an incident or how they chose to respond to it. Secondly, to pay a ransom is a risk/reward based decision. Is the reward of paying greater than the risk of not paying. The only way you are going to enforce not paying a ransom, as suggested in the report, is criminalizing it. Which means you are going to punish the victim three times if they do, the incident, the payment and the resultant fine, and it is only going to be effective if again the penalty is a bigger risk than the reward of paying the ransom. Which would mean significant fines in many cases. Effectively setting up a situation where only the smallest companies might be forced to comply and that hardly seems fair, and in the end will not stop extortion for good.
Which brings me back to the beginning again and the nature of the threat. Believing that ending ransomware payments, without ending all ransoms, will solve the problem is both irresponsible and naïve. The threat is like the mythical hydra, that no matter how many times you sever its head several more grow back. History has shown us that the threat does not go away or end just because one avenue for it is somehow closed, it simply pivots in a new direction. Sometimes in an even more dangerous and harmful direction. Crime does not stop, the threat does not simply give up and go home, it starts looking for the next way to exploit. Fast forward in your thinking only a few years and consider the petabytes of healthcare and personal data that hackers have already amassed and imagine what they will be able to do with it applying AI and Quantum computing. Consider all the times entities have reassured the public their data was not at risk because even though their was a breach the information the hacker got was encrypted. Shortly that will no longer be accurate. The point is the threat is endless, it is persistent, it is cunning, it has been with us since the beginning of time and will be with us till the end of time.
I think we all agree no one likes paying ransoms, no one likes rewarding criminals for bad behavior, and no one wants to do it. That we would all prefer to avoid it if at all possible. I would argue that the surest path to avoiding both catastrophic outcomes in cyber incidents as well as having to make extortion payments is to change how we approach securing information systems and data. We want to be an information-driven society, we want to race headlong into new technologies like artificial intelligence. To do that we need systems we can count on, processes with discipline and data with integrity. And yet we are willing to sacrifice all of those things in our rush to innovate, sell and/or implement. The reason we do this is because we don’t really believe security is critical to performance. We don’t take the time to engineer security into new products, software, etc. We don’t take the time to test while developing or before we put things on the market. We don’t actively analyze new technologies for unintended purposes or consequences and understand their impact. Simply put we let the buyer or user figure it out. And even when we do make an attempt we often get it wrong. Consider the advent of the internet following the research and development by DARPA (the Defense Advanced Research Projects Agency). It was going to revolutionize our lives, and it did, but we never imagined or anticipated how it would be become a mainstay of criminal enterprises or the national security threat it is today. In the 80s we had focus groups look at threats of various kinds and try to predict where they would be 30 years out. Those efforts often fell way short with the threat actually surpassing their predictions in half the time. Why, because we could not accurately predict the future of technology which has historically evolved way faster than man expected. Right now, today, we have scientists and developers saying they can’t explain the outcomes from various AI models, and cautioning restraint, which means they also don’t understand the risk, but you cannot open a magazine, paper, your favorite website or go to a conference without seeing hundreds of presentations on AI and what we are doing with it. Which means that once again we are in a reactive mode. Which means Change Healthcare could happen all over again. Except that AI is supposed to be as revolutionary as the Internet was, so imagine the threat.
If we want a different outcome then we need a different approach to the problem. We need to become proactive. We need to incorporate rigorous testing into every piece of software, product or service. We need to perform due diligence on every aspect of our IT environment that we rely on to operate effectively. We need to accept that the threat is innovative and evolutionary and we must therefore understand where each critical redundancy gap exists. We need to stress standards in design that permit integration of multiple solutions so that if one fails another can quickly and easily replace it to resume operations. We must assume we are going to be attacked, we are going to be breached, and we are going to have to be ready to react, respond and recover. We need to accept that the threat is persistent and stop accepting poor hygiene practices. We need to have a strategy for eliminating/replacing old technologies, discipline in system administration (patching/updating/configuration), etc. And yes that means organizations are going to have to invest more. We spend billions on technology in healthcare alone. It costs billions to develop or innovate new technology. Stop expecting it can be secured, protected and restored on a shoestring budget. And while it is hard to argue with the sentiment of the analysis and the proposal, and they are not all wrong in their thinking, single solutions or responses will not solve the problem, nor will they replace sound, practical, proactive risk management and preparedness.
Mac McMillan is a nationally recognized cybersecurity expert, who has spent more than three decades in a variety of roles as a consultant and adviser in healthcare cybersecurity.
