Why making companies disclose ransomware payouts may be a good idea
It costs just $10 to hold a company hostage.
That figure, reported by cybersecurity startup Recorded Future, may be why that firm estimates there were 65,000 ransomware attacks worldwide in 2020. Anyone with an Internet connection, a Bitcoin wallet, and some spare change can hire hackers to deploy malicious software to freeze up a target company’s computer systems, lock them out of it, and demand a nearly untraceable payment of millions of dollars in order to get their information back. No technical knowledge, or even a gun, is needed.
The prevalence of these heists has led to a push to take them out of the shadows and require companies to publicly disclose when they’ve been targeted, or even paid the ransom. Lawmakers and federal agencies like the Securities and Exchange Commission are examining what kinds of reporting, if any, it should impose.
There’s a need for “real-time” disclosure when companies are hit with ransomware attacks, Sen. Angus King, (D-ME) said on CNN’s State of the Union last month. “The Colonial Pipeline, my understanding is, it wasn’t reported to the government for four or five days. I think they’d already paid the ransom.”
Updating disclosure laws may not be so easy, however. Each state has its own disclosure requirements, and while some require transparency when data is “inaccessible,” others are tailored more for attacks that steal data, said Anton L. Janik, Jr., a cybersecurity lawyer at Mitchell, Williams, Selig, Gates & Woodyard in Little Rock, Ark.
While ramping up disclosures could backfire and end up exposing more weaknesses in companies and governments, transparency does have the benefit of informing consumers about how their data is being used, he said.
“That choice about who owns, controls, and processes your data are important things to discuss,” Janik said. “There’s room for consumers to have knowledge and understanding and ability to gauge cybersecurity practices of the entities that they come into contact with in their daily life.”
Increased disclosure could help tamp down ransomware and create a better understanding of the problem’s scope, according to a recent report by the Institute for Security and Technology, a think tank with connections to the Obama administration and former U.S. military officials. As it is, states and the federal governments all have different, and sometimes overlapping, rules around disclosing cyber breaches. Equifax, for instance, took more than two months to disclose a hack that ultimately exposed more than 160 million people’s private data. In the end, many companies that pay off ransomware gangs never say so because of the bad publicity that comes with it.
“Updating breach disclosure laws to include a ransom payment disclosure requirement would help increase the understanding of the scope and scale of the crime, allow for better estimates of the societal impact of these payments, and enable better targeting of disruption activities,” the report said.
More disclosure can also empower law enforcement to cut the flow of ill-gotten cryptocurrencies, the Institute for Security and Technology added. Authorities could issue “freeze letters” to cryptocurrency exchanges, which handle the ransom transactions, so they can stop ransom payments before they’re made, IST recommended.
SEC regulators are looking at requiring the disclosure under its rules related to so-called ESG, or environmental, social, and governance. For the regulator, cybersecurity largely falls under “social”, said Jina Choi, a partner at law firm Morrison & Foerster, and former director of the Security and Exchange Commission’s San Francisco office.
“Under the federal securities laws, for public companies the legal standard regarding disclosure to its shareholders is materiality – and the SEC has set forth guidance regarding the costs, including reputational damage, that a company can incur if they are breached,” she said.
Ransomware is one of the thorniest problems on the Internet today — one so pernicious and complex that Homeland Security Department officials have called it a “national threat.” President Joe Biden recently pushed Vladimir Putin to stop attackers — they tend to be situated in Russia or in the ex-Soviet Union — and offered a $10 million reward to anyone who can uncover the identities of these attacks.
The consequences of the problem came into sharp relief earlier this year following the attack of Colonial Pipeline, the company that transports about half of the East Coast’s oil. It paid 75 bitcoins, amounting to $5 million, in order to get its systems back online, but the damage was already done: Gas prices jumped, the airlines rerouted flights, and the federal government had to warn people not to hoard gas in plastic bags.
The idea of requiring companies to disclose attacks does have its critics, however. Nick Merrill, a postdoctoral fellow at director of the Daylight Security Research Lab at the University of California at Berkeley’s Center for Long-Term Cybersecurity, said he was concerned that ramping up disclosure, without strengthening other security measures, may not be enough.
“It’s tempting because it’s simple. And the real answers are much bigger and much broader than that,” Miller said. “I just worry that it’s a box checking exercise. And once it’s done, where would we be?”
One problem, he added, is that hackers could change their tactics so their attacks wouldn’t qualify as “ransomware”. He cited an attack on the Washington D.C. Metro Police that threatened to out its confidential informants, which he called “extortionware.”
Another potential problem is rooted in ransomware’s ubiquity. Miller compared it to European data disclosure requirements on just about every web page — which users typically ignore. “These reporting requirements can go awry to such a degree that people just learn to ignore them,” he said, “and that would be worse than where we are now.”
But even informing consumers about some of a breach’s scope could better inform consumers.
“I don’t think you need to disclose the dollar value of a hack, but you can disclose that there was a hack,” Janik said. “You could disclose the size of a hack — this is 600,000 patient records. I think those parameters are helpful to a customer in the marketplace to evaluate, ‘where do I feel comfortable?’”
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.