Colonial Pipeline Paid the Ransom. Bad Move.
(Bloomberg Opinion) -- Colonial Pipeline paid the ransom.
Lesson: Don’t pay the ransom.
Law enforcement authorities and other experts have been advising as much for years. Professional hostage negotiators regularly try to observe that maxim, too (though specialists who negotiate with terrorists have unusually complex dynamics to consider, and paying ransom may be the safest strategy for them).
When lives aren’t directly at stake, the guidelines seem to be clear. Here’s the Federal Bureau of Investigation’s advice:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illegal activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
There’s also a boomerang effect that arises when companies give bags of money to extortionists deploying ransomware. It seems to convince thieves that a target is an easy mark, and they will most likely circle back later and thump the same company or institution again. A particular willingness among U.S. companies to pay, combined with a porous and lackadaisical approach to cybersecurity in the private sector in America, may explain why the U.S. appears to draw a disproportionate amount of ransomware attacks in the developed world.
Hackers also may be shaking down U.S. companies more often simply because they’re following the basic wisdom attributed to a bank robber, Willie Sutton: “Because that’s where the money is.”
Companies confronted with “double extortion” — the unhappy reality of having to pay hackers to unlock a digital network and then pay them again to recover stolen data — should remember that a significant portion of ransom-payers never get their data back anyway.
So what might an alternate approach look like? Consider Baltimore and Atlanta.
Atlanta got hit in 2018 when hackers asked for $51,000 in Bitcoin to revive municipal computers crippled as part of the broader GoldenEye attack. Atlanta refused to pay and chose, instead, to upgrade and secure its networks for $9.5 million.
Hackers laid siege to Baltimore’s municipal computer networks in 2019 and demanded $76,000 in Bitcoin to go away. Mayor Jack Young told them to kiss off and then ate a $10 million fee to overhaul the city’s networks and $8 million to write off unpaid taxes and other fees while computers were down. “We’re not going to pay criminals for bad deeds,” Young told the Baltimore Sun. “That’s not going to happen.”
There’s a lot to be said for Young’s perspective. A vulnerable network is going to need upgrades regardless of how ransom negotiations proceed, and there’s no telling if paying a bribe will forestall all of the problems that come with a significant intrusion — so why not eat the costs upfront and move on?
Companies and other public and private institutions have many factors to juggle when hackers shake them down for money, of course. The Institute for Security and Technology, a private cybersecurity consortium, said in a recent report on ransomware that chief concerns include whether companies have cyber insurance policies and high-quality data backups. They also worry about the anticipated expense of paying for a prolonged system shutdown.
One obvious conclusion from that observation: All institutions in the digital era should have appropriate backups in place. That’s not a complex fix. Also, companies should think about the expense associated with a shutdown the same way Atlanta and Baltimore did — proactively rather than reactively.
As for cyber insurance, well, that feels a lot like the disaster insurance that companies keep giving to homeowners who rebuild in flood and hurricane zones. Sure, it insulates against disaster, but it also encourages risk-taking. If an insurer is going to foot the bill for your ransomware payment, maybe you just find it easier to pay up rather than making your networks more resilient? That’s certainly not lost on insurers. At least one top insurer, AXA S.A., is reportedly planning to stop underwriting new policies for that reason.
Companies and other institutions can avoid all of this by practicing good cyber hygiene in the first place, and they should bear that in mind when they demand that the federal government do a better job of protecting them from hackers. But once they’ve been burglarized, the last thing they should consider doing is paying off the burglars.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Timothy L. O'Brien is a senior columnist for Bloomberg Opinion.
©2021 Bloomberg L.P.