A Clever Strategy to Minimize the Damage From Cyberattacks

(Bloomberg Businessweek) -- Ransomware is hard to stop, but the cybercriminals who use it do have one Achilles’ heel: Who trusts an anonymous crook?

The criminals invade a victim’s computer system, encrypting files or wreaking some other kind of havoc, and promise to reverse the harm if, and only if, a ransom is paid, typically in untraceable Bitcoin. The risk for the criminal is that the victim, such as a company or a government agency, will refuse to pay the ransom because it doesn’t trust the criminal to hold up his or her end of the bargain after the money is paid. So the criminal has the tricky task of appearing scrupulously honest about undoing the damage while also being clearly unscrupulous for launching the attack in the first place.

That suggests a clever, though only partial, defense strategy: Make it harder for cybercriminals to establish their bona fides, so no one will be willing to pay them big ransoms. That’s the concept in a new draft paper by Andrew Whinston, director of the Center for Research in Electronic Commerce at the University of Texas at Austin, and Xiaofan Li, a doctoral candidate at the school.

Cybercriminals typically use public-key cryptography to carry out their crimes. The public key—a long string of digits—identifies them to the world. A criminal can build a reputation by using the same public key for multiple crimes, each time undoing the damage when the ransom is paid. Information security directors tend to share this kind of info with one another. Whinston and Li propose that the government should in some cases prohibit victims of ransom attacks from telling other potential victims which public key their attackers used. That would prevent the criminals from building their reputations and would limit how much victims would be willing to pay them. It might even cause some of them to quit their attacks.

“It’s just an idea to limit the number of effective attackers,” Whinston says in an interview. He and Li worry that cyberattackers could go after health-care systems and autonomous vehicles. “When such systems are compromised, the victim’s life can be threatened by a drug overdose or a car crash, and the victim will therefore want to pay a significant ransom to save his or her life,” they write.

It’s not always a good idea to block the sharing of information about cyberattackers. Whinston and Li say victims should share information about “highly reputable” attackers—i.e., those who’ve already established a reputation for reversing damage when a ransom is paid. New victims may decide to pay a ransom to those attackers.

At the other extreme, they write, the government should prohibit communication about attackers who don’t yet have a reputation—as a way of ensuring they never acquire one. It would be up to the government to set the cutoff point separating those attackers whose public identities are shared and those whose public identities are blocked.

A problem with the Whinston-Li plan is that it helps the most harmful cybercriminals by essentially endorsing their effectiveness. While Whinston admits that flaw, he says that stopping some cybercrime is better than stopping none at all. He says their strategy is in the mold of the late University of Chicago economist Gary Becker, who said criminals should be treated as economic beings who respond rationally to incentives.

Says Whinston: “We’re saying, as Gary Becker says, you can’t eliminate crime. You just try to manage it.”

To contact the editor responsible for this story: Eric Gelman at egelman3@bloomberg.net

©2020 Bloomberg L.P.