The writer is a former head of MI6, Britain’s Secret Intelligence Service, and a founding partner of Vega Cyber Associates
It is easy to feel helpless in the face of a threat as amorphous and apparently random as ransomware. But, like all cyber security issues, it is not so much a technology problem as a human problem. And it is one that humans can solve.
The recent ransomware attacks on the Colonial pipeline in the US and the Irish healthcare system should be a wake-up call. Things are bad and are going to get a lot worse because the incentives to mount such attacks are strong and growing.
There is no silver bullet that will make this problem go away. But there are things states, organisations and individuals can do which, together, could persuade ransomware actors to employ their undoubted skills elsewhere.
First, we have to recognise that this is not merely a criminal problem but a national security and geopolitical one, too. The people behind these cyber attacks need places to live and to enjoy their ill-gotten gains. It will not have escaped many people’s notice that most ransomware operators have a “no eating in Russia” policy. The reality is that many are in Russia, and as long as they don’t intrude on Russian interests, they will be left alone. President Vladimir Putin has made it clear that he does not believe that he owns the problem.
There are longstanding links between the hacking community and the Russian security services. And while it is not true to say that the state is behind these attacks, it is clear that the perpetrators could not function as they do if the FSB domestic security service were deployed against them.
US president Joe Biden has said this issue is top of the agenda for his meeting with Putin next week. That is where it should be. And he should use the full range of geopolitical carrots and sticks to get the ultimate exponent of realpolitik to take the problem seriously.
I was cheered by the FBI’s success in gaining access to the bitcoin wallet used by the Colonial hackers and reclaiming a large part of the ransom. The ransomware threat posed is now such that the application of high-end national capabilities is entirely appropriate.
The incentives for such criminal activity should be addressed, too. As chief of the Secret Intelligence Service, I saw first-hand the effects of the non-payment of terrorist ransoms policy adopted by the UK and our allies in the Five Eyes intelligence-sharing group. Such a policy is often heartbreaking to implement, but it is the right thing to do. The alternative is to finance the very activity that you are trying to prevent.
There is a case for bringing such an approach to ransomware. Opponents ask if forbidding payment in a life-threatening situation could ever be justified on moral grounds. They have a point. But a partial ban, which allowed payment in “emergency” circumstances, would simply incentivise attackers to create such a situation. And that would be the worst of all worlds.
If one accepts that this is a national security problem, then it becomes hard to defend the suggestion that governments should simply leave these decisions to private citizens. As a first step, I think it should be mandatory to disclose payments publicly and in detail. Attackers seek to present payment as the easy option. We have to change that.
We also need to look at insurance and the risks of moral hazard. Often attackers gain access to insurance policies in advance and know exactly how much they can get away with asking for. However, insurers now expect to see evidence of good quality cyber security before they write business.
Then there is the question of cryptocurrency. It is arguable that the problem would not exist without crypto, which allows for ransom payments to be made in a way that preserves the anonymity of the recipients. This is not to argue for a ban on such currencies, which are obviously here to stay. But it is to urge the development of robust know-your-customer and anti-money laundering laws fit for the digital age.
Cryptocurrencies are not untraceable: they sit on the blockchain and sometimes are more easily traced than cash. The difficulty law-enforcement agencies face is discovering the real identity, or at least the real intent, of the recipient or originator. The good news is that data and modern analytics can combine in such a way as to allow good transactions to be distinguished from bad.
And then, an irony. Often, the software used by attackers is based on code written with the best of intentions by penetration testers who help organisations probe their systems for vulnerability. While there are significant practical obstacles, we need to draw on our experience of counter-proliferation licensing techniques and identify ways in which we can restrict the use of such code to its intended purpose.
It follows that governments can and should do more but not to the point of absolving individuals and firms of their own responsibilities. A surprisingly large amount of this is about getting the cyber security basics right.
Ultimately, this is about human agency. Individually, we are easy to pick off and intimidate. But collectively, we are far from helpless. These attackers are bullies. And bullies come back for more, unless you bully them back, preferably in company. If anything good comes out of the recent attacks, it will be that the day that happens has come closer.