Ex-White House cyber official says ransomware payment ban is a ways off
A ransomware payment ban remains “the North Star” for U.S. cybersecurity experts looking to curtail hacking groups’ leverage over companies, but “real steps” remain before the country can get to that point, a former White House cyber official said Tuesday.
Kemba Walden, who served as acting national cyber director from February-November 2023, said during a House Financial Services subcommittee hearing that we haven’t come to a “place where the American economy is resilient enough to withstand” a prohibition on companies making payments to resolve an attack.
“The profits are still too high and the costs are still too low,” said Walden, now the president of the Paladin Global Institute, a division within the venture capital firm Paladin Capital Group aimed at protecting global critical infrastructure from cyber threats. “So we need to shift that balance, and there are a number of policy options that we can take in order to get to the point where profitability is no longer a motivator for ransomware actors.”
Rep. Maxine Waters, D-Calif., ranking member of the House Financial Services Committee, asked Walden whether a congressional ban on ransom payments, with limited exceptions, would effectively “starve the criminals of their proceeds,” or if a law of that kind would “cause the attacks to focus on critical infrastructure, meaning those organizations that we can least afford to lose.”
Walden and other witnesses testifying before the Subcommittee on National Security, Illicit Finance, and International Financial Institutions said that under current economic conditions, critical infrastructure sectors and smaller businesses would be especially vulnerable to the ill effects of a payment ban.
“If we banned ransomware payments today, we could bankrupt the very small- and medium-sized businesses that the American economy relies upon. Think rural hospitals that serve four or five municipalities; those can go bankrupt,” Walden said. “What we need to do is prepare for the worst — prepare those organizations to be more resilient against ransomware attacks, because a ban on payments is not going to stop the attacks from happening, but it will starve those businesses.”
Megan Stifel, chief strategy officer at the Institute for Security and Technology, echoed Walden’s comments about the susceptibility of small businesses, pushing for Congress to provide additional support for “some early term funds available through the Department of Homeland Security” and a grant program established in late 2021.
“It is unfortunately often those who are cyber poor who are targeted for these types of incidents, which oftentimes can drive these organizations out of business,” Stifel said. “And with small businesses being the lifeblood of the American economy, they do need additional support.”
Stifel and Walden are both members of a ransomware task force that released last week a road map to the potential prohibition of ransomware payments. The document details a multi-pronged approach for governments to make progress on that front, covering ecosystem preparedness, deterrence, disruption and response. But even if leaders “move aggressively” to meet the task force’s suggested milestones, it will still “take several years following the start of a process before prohibitions could be considered as one possible effective step,” the report argued.
Short of a ransomware payment ban, several witnesses called out tactics to mitigate attacks, such as widespread adoption of secure-by-design products and more formalized information-sharing between the public and private sectors.
Daniel Sergile, senior consulting director at Unit 42 by Palo Alto Networks, touted the ability of artificial intelligence to defend against cyberattacks and “clear through the clutter and be able to respond automatically.” And Rep. Young Kim, R-Calif., the subcommittee’s vice chairwoman, broached the possibility of creating incentives for small entities to adopt proper cyber hygiene practices and training, a concept supported by several of the panelists.
There are also workforce issues at play. Stifel said there’s a shortage of cyber experts in federal agencies with investigative and enforcement powers.
“It does take a higher degree of understanding to put the pieces together, to leverage capabilities that some of the [hearing’s] witnesses have to bring greater light to the activity that’s being undertaken,” Stifel said. That means hiring more agents at the FBI, Secret Service and the Treasury Department who “have the training necessary to understand how to leverage what is available.”
With China, Russia, Iran and North Korea as the dominant countries of concern in the ransomware space, Stifel and Walden both told subcommittee members that it’s important for federal investigators to be able to communicate with big tech companies and service providers, and pair that information with blockchain analysis and forensics to have a whole picture of the ransomware threat landscape.
“We have ransomware actors that are protected in safe havens around the world,” Walden said. “So we need to be able to work together in order to make sure that these ransomware criminal gangs are not operating with impunity and doing the country of concern’s bidding for them. But it does take a global effort. It is not fun to withstand ransomware attacks.”
