CISA Director Says Ransom Payment Ban Unlikely

Date:

July 3, 2024


The Director of CISA (Cybersecurity and Infrastructure Security Agency) Jen Easterly said it is unlikely the U.S. government would issue a formal ban on ransom payments to ransomware operators despite the fact that such a ban would diminish the financial incentives for further attacks.

“I think within our system in the U.S. — just from a practical perspective — I don’t see it happening. We have done enormous work with our partners to try and reduce ransomware attacks. It is not clear that we’ve been terribly effective at it, but I will say it’s very hard to know, frankly, because there is no baseline,” The Record reports Easterly as saying.

“I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign. We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities,” Easterly continued.

Takeaway: Whether to make ransom payments to threat actors has been at the core of the ransomware remediation challenge since the start.  

The simple answer would seem to be yes: ban all payments to ransomware operators across the board. Financial incentives primarily drive ransomware attacks, so reducing or eliminating the financial payoff would certainly stifle this illicit industry.  

However, the answer is not that simple. In some cases, such as an attack on a hospital or on other systems that control critical infrastructure where lives could be at risk, expediency is of the utmost concern: ostensibly, paying the ransom demand would speed up recovery efforts, though that is not always the case.

While paying a ransom and receiving a decryption key from the attackers is likely more efficient, it is not a foolproof plan, as most organizations don't get all their data back.  

Offering a waiver to the ban for some victims is also problematic due to the delays in determining if the incident or victim qualifies, posing risks to the public's health and safety.

Lastly, with data extortion, even if an organization decides not to pay a ransom to restore systems, it may still be subject to extortion because the attackers already hold stolen valuable and/or private data that they use as leverage for payment.

Ultimately, we need to get to a place where we are not focused on addressing a ransomware attack after sensitive data has been exfiltrated and the disruptive ransomware payload has been delivered.  

This means a focus on detecting these multi-stage operations earlier in the attack sequence, as well as on resilience should the attack be successful, with an emphasis on preventing data loss and extended system downtime.

Achieving cyber resilience requires more than just robust cybersecurity measures; it demands a comprehensive understanding of an organization's preparedness to withstand and rebound from cyber incidents. Central to this endeavor is the strategic selection and diligent monitoring of key performance indicators (KPIs) and metrics tailored to assess cyber resilience effectively.  

Here are some of the essential metrics that can assist in bolstering cyber resilience:

Mean Time to Detect (MTTD): This measures how long it takes for an organization to detect a cyber threat or incident. A lower MTTD indicates better detection capabilities. MTTD is a key indicator that can be used to determine whether an organization is properly prepared to respond to threats in a timely manner. Lowering the MTTD can help contain the lateral movement within an organization and is an effective way to reduce the potential impact spread in a breach.  

Mean Time to Respond (MTTR): This measures how long it takes for an organization to respond to a cyber threat or incident once it has been detected. A lower MTTR indicates faster response capabilities. The question is: once an incident has been detected, how quickly is the organization able to respond to it? To lower this metric effectively, consider the outcomes of tabletop exercises and implement the lessons learned during incidents; both should indicate areas for improvement in the response.  

Incident Response Plan Effectiveness: Assess the effectiveness of the incident response plan by measuring how well it is followed during a cyber incident, including factors like containment time, communication effectiveness, and coordination among response teams. For an effective cyber resilience strategy it is key that an organization's response plans are effective and actually followed; if the plan is not being followed, it can increase the time required to respond and to effectively mitigate the issue. Evaluate whether the plan needs to be changed to address changes in the threat landscape, in the risks themselves, or in the organization's response.  

Cybersecurity Training and Awareness: Measure the effectiveness of cybersecurity training programs by tracking metrics such as employee awareness levels, completion rates of training modules, and performance in simulated phishing exercises. At the end of the day, cyber incidents often have at least some, if not a major, human component. Evaluate the effectiveness of the training you are providing and the way it is provided. Organizations often take a “one size fits all” approach to cyber training and awareness; unfortunately this misses the mark, because an approach that works for a developer will not address the needs of the CFO.  

Cybersecurity Hygiene: Track metrics related to cybersecurity hygiene practices, such as the frequency of system patching, vulnerability scanning results, and compliance with security policies and standards. Hygiene should be table stakes for any organization trying to increase its cyber resilience; however, this is often not the case. Create a prioritized approach to address hygiene issues. Avoid the pitfall of chasing the next new cyber solution until you have a successful approach to address your organization's cyber hygiene.  

Cyber Risk Exposure: Quantify cyber risk exposure by assessing the organization's risk posture based on factors such as asset criticality, vulnerability severity, and threat likelihood. If you don’t have a valid way to measure your exposure, then you have little ability to identify where to prioritize your resources and increase your resilience.  

Third-Party Risk Management: Track metrics related to third-party cyber risk, including the number of third-party assessments conducted, the level of compliance with security requirements, and any incidents or breaches involving third-party vendors. In today's interconnected world it is impossible to have any perspective on the resilience of your organization if you cannot understand the risk that your third-party relationships and connections introduce into the ecosystem you operate in.  

Security Controls Effectiveness: Assess the effectiveness of security controls by monitoring metrics such as intrusion detection/prevention system (IDS/IPS) alerts, firewall rule effectiveness, and malware detection rates. Are your controls effective? Should you be investing in other areas with potentially better ROI? Measuring whether you have implemented the right controls and are delivering the right results is important to consider.  

Backup and Recovery Metrics: Measure the effectiveness of backup and recovery processes by assessing metrics such as backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO). In an incident, can you get the data back? How long will recovery take? Does it match the desired recovery window? Test this and confirm that the expectation matches real-world results.  

Business Continuity and Disaster Recovery (BCDR) Metrics: Measure the organization's ability to maintain operations during and after a cyber incident by tracking metrics such as recovery time objectives (RTOs), recovery point objectives (RPOs), and the success rate of BCDR exercises.  
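As an added example (not part of the original post), the following Python computes MTTD and MTTR from incident timelines and checks restore-test results against agreed RTO and RPO targets, tying the detection, response and recovery metrics above to concrete data; the incident and restore records are constructed sample data, not real incidents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Incident:
    name: str
    occurred: datetime   # start of the intrusion, from the forensic timeline
    detected: datetime   # first alert or report
    contained: datetime  # point at which response actions stopped further spread

@dataclass
class RestoreTest:
    system: str
    last_backup: datetime  # newest restorable backup before the simulated loss
    failure: datetime      # simulated moment of data loss
    restored: datetime     # system back in service
    rto: timedelta         # agreed recovery time objective
    rpo: timedelta         # agreed recovery point objective

def mttd_hours(incidents):
    """Mean Time to Detect: average gap between intrusion start and detection."""
    return mean((i.detected - i.occurred).total_seconds() for i in incidents) / 3600

def mttr_hours(incidents):
    """Mean Time to Respond: average gap between detection and containment."""
    return mean((i.contained - i.detected).total_seconds() for i in incidents) / 3600

def rto_rpo_misses(tests):
    misses = []  # (system, objective, actual, target) for every missed RTO or RPO
    for t in tests:
        actual_rto = t.restored - t.failure      # downtime until service was restored
        actual_rpo = t.failure - t.last_backup   # data written after the last good backup is lost
        if actual_rto > t.rto:
            misses.append((t.system, "RTO", actual_rto, t.rto))
        if actual_rpo > t.rpo:
            misses.append((t.system, "RPO", actual_rpo, t.rpo))
    return misses

# Constructed sample records (not real incidents or systems).
INCIDENTS = [
    Incident("inc-01", datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 15), datetime(2024, 5, 1, 18)),
    Incident("inc-02", datetime(2024, 5, 10, 2), datetime(2024, 5, 11, 8), datetime(2024, 5, 11, 13)),
]
RESTORE_TESTS = [
    RestoreTest("file-server", datetime(2024, 6, 1), datetime(2024, 6, 1, 10), datetime(2024, 6, 1, 13),
                timedelta(hours=4), timedelta(hours=24)),
    RestoreTest("erp-db", datetime(2024, 6, 1), datetime(2024, 6, 2, 6), datetime(2024, 6, 2, 16),
                timedelta(hours=8), timedelta(hours=12)),
]
```

With the sample data, MTTD is 18 hours and MTTR is 4 hours, and the erp-db restore test misses both its RTO (10h against 8h) and its RPO (30h against 12h), which is exactly the gap between expectation and real-world result the backup metric is meant to expose.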

Effective cyber resilience requires a holistic approach that incorporates proactive measures, rapid detection, efficient response, and robust recovery mechanisms. By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, safeguarding their operations and maintaining business continuity.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.