Future Tech

Are ransom bans the answer to cutting down on cyberattacks?

Tan KW
Publish date: Mon, 08 Nov 2021, 08:54 AM

There are nearly as many opinions on how to play defence against the ransomware threat as there are cybersecurity professionals. The prevailing thought early on seemed to be to never, ever pay a ransom. (“We don’t negotiate with terrorists” comes to mind.)

But that’s easy for a remote expert to say, one who’s not facing catastrophic disruption to their organisation, not to mention the collateral damage to public confidence and reputation.

And while the actual impact of ransomware is difficult to quantify, one expert told Stateline that last year more than 110 state and local governments in the US were hit. That number jumped to almost 1,700 for schools, colleges and universities.

As the threat evolved, there were rumblings, albeit quiet ones, that victims of ransomware should just pay the ransom. Maybe it’s the most expedient way of putting the incident behind them?

While some security experts were aghast at the suggestion, some agencies, particularly smaller, under-resourced ones, do make that decision when their backs are against the wall, vowing to beef up their defences to keep from being hit again. The approach got validation, of sorts, from reports that oftentimes organisations spend way more money recovering from an attack than they would have paying the original demand from the hackers who infiltrated their systems.

One element of cybersecurity strategy that has gained ground alongside ransomware is cybersecurity insurance. While it does not replace the need for good cyber hygiene practices (keep those patches up to date, back up your data, etc), many public agencies now purchase an insurance policy to help mitigate losses and add a layer of protection. Government Technology’s sister organisation, the Centre for Digital Government, reports that it’s now more likely than not that US cities, counties and states have cyber insurance policies.

But policymakers are also contemplating what should be done about ransomware. Legislators in multiple US states have taken up proposals in the name of protecting citizen data that would ban victims from paying ransoms. The argument is that bans disincentivise the crime, sending would-be ransomware attackers to go pick on someone else.

It’s encouraging that many of these proposals include funding to boost the cybersecurity posture of under-resourced governments to guard against attacks in the first place. And there are exceptions that are being incorporated into the discussion on bans, like utility companies and hospital systems, for example, where legislated bans could put lives and critical infrastructure at risk.

US Energy Secretary Jennifer Granholm voiced support for ransom bans recently, though she acknowledged uncertainty about whether the Biden administration was prepared to take a policy step in that direction.

“I think we need to send this strong message that paying a ransom only exacerbates and accelerates the problem. You are encouraging the bad actors,” she said.

But the idea does not have universal support, based largely on the continued vulnerability of most public and private organisations to cyber threats like ransomware.

John Davis, retired US Army major general and vice president of Palo Alto Networks, served as the co-chair of the Ransomware Task Force for the Institute for Security and Technology, which presented its ransomware framework earlier this year.

Davis recently described the discussion among task force members (a broad coalition of international representatives from government, the private sector and academia) about ransomware payment bans as “the most contentious thing the task force debated”.

Until the task force’s key recommendations are implemented broadly, Davis explained that banning ransom payments is “impractical and potentially counterproductive”.

“We’re not there yet. We need to raise the maturity of the ecosystem that surrounds the problem itself,” he concluded. But unlike bans on ransom payments, what’s not contentious is pointing resources toward making the public sector a less vulnerable target.

 - TNS
