The Ransomware Task Force, a collaboration of more than 60 stakeholders, released its long-awaited ransomware framework on Thursday morning, advocating nearly 50 interlocking government and private sector strategies to tackle the criminal scourge.
The Institute for Science and Technology announced the Ransomware Task Force (RTF) in December, drawing delegates from state, national and international government, law enforcement, cybersecurity insurance, security vendors, academia, think tanks and industries likely to be disrupted by ransomware. Even before its release, the report drew interest from U.S. policymakers.
“We’ve been briefing Hill staff and other members of senior leadership across DHS, DoJ, Treasury and State. There’s interest in what we’re recommending,” said Megan Stifel, co-chair of the RTF, senior policy counsel for the Global Cyber Alliance and former Department of Justice lawyer.
The 81-page document suggested international collaboration between governments to tackle the issue, with the United States organizing much of the effort and prioritizing clear guidance and support for targeted organizations.
An issue of national security
Solutions were grouped by four key themes, each of which had its own RTF working group: Deter, Disrupt, Prepare and Respond. Some were familiar, while others were more novel: dissuading – but not outright banning – organizations from paying ransoms; collapsing the payment systems used to collect ransoms; and placing global pressure on nations seen as safe harbors for ransomware actors. The report also advocated for the design of a NIST-type framework for ransomware, to help guide organizations from prevention through response.
Unlike many of the past efforts to stifle ransomware, RTF takes a very deliberate focus on the government’s role in solving the problem, painting it as a national security issue lawmakers can no longer ignore. Jen Ellis of Rapid7, who co-chaired the Prepare committee, said that it was time to move beyond a belief that technological problems required purely technological solutions.
“The reality is that technological solutions, in and of themselves, are not going to solve this,” said Ellis. “If that was the answer, we have a product and we have marketing; Rapid7 would have solved this problem. But that isn’t actually the way it works. In security, everything is always about people, processes and technology.”
The RTF framework looks to disincentivize ransomware payments through a number of mechanisms: mandating any company paying ransom to publicly report doing so, establishing a fund to help reconstruct firms that don’t pay, and requiring an assessment of options before paying.
The payment dilemma
The report did not take a stance on banning the payment of ransoms, which remains one of the most controversial solutions often put forward. The report does, however, provide a potential strategy for any country that chooses to do so.
“It’s clear that a lot of the money that is collected by the ransomware actors furthers their activity and furthers the marketplace for ransomware,” said James Shank, senior security evangelist at Team Cymru and organizer of an RTF background research group looking at the worst-case scenarios of ransomware. “But there’s also a sense of human compassion for the victims of this crime. And the question is, from an operational perspective, does banning ransomware payments cause undue or greater harm to the victims of these crimes than affording them the option of paying the ransom to recover their operational status quo? The group didn’t come to a consensus on how to answer that question.”
“I mean, I don’t have a consensus in me,” Ellis added.
RTF takes aim at the business of ransomware by making payments more difficult, and imposing bank-like regulation on cryptocurrency including know-your-customer laws. It also hopes to engage insurers as part of the effort to recuperate paid ransoms. In the past, insurers have been a driver of ransomware markets, often mandating payments and negotiations with criminals. The RTF report suggests that with additional training, insurers could take a more active role in procedural venues to retrieve stolen funds.
The report envisions several law enforcement options, including subsidizing tips that expose ransomware operations, global cooperation in the field and using intelligence techniques to better observe criminal groups. It also looks at policy levers to make countries known to harbor ransomware criminals beyond the reach of extradition less likely to continue doing so.
The need for structured guidance
RTF hopes to solve some of the strategic problems faced by organizations. One issue noted is the broad selection of information products about ransomware on the market, leading many companies to feel overwhelmed.
“Ransomware attacks still made $350 million last year,” said Ellis. “Why are all the guidances out there not working? Why are we not seeing organizations be better prepared?” The slew of one-page vendor guides provides little tangible help, she said, while more granular guides can be too technical for many audiences.
The RTF’s solution is, ironically, another information product – this time a framework for handling the issue from prevention to recovery. The hope would be to create something as easily adaptable and globally validated as the NIST cybersecurity framework.
The RTF report is broad, but the solutions work best in concert with each other, said Shank. And emphasizing a whole-of-government approach domestically and a whole-of-world approach globally, incorporating both public and private sector action, is critical to success.
“It’s a paradigm shift,” said Shank. “What you start to see is that the collective whole behaves differently than what anyone can really wrap their arms around and get control of [on their own]. And when you’re looking globally and trying to solve problems, it’s best to do that in a multi-faceted way.”