Most of us have become distressingly aware of the phenomenon of ransomware: when hackers freeze an information system and extort a ransom payment in return for its release. The few millions paid out in well-known incidents, like the Colonial Pipeline hack in the United States, are but a fraction of the $20 billion that global ransomware attacks will cost this year, as estimated by Cybersecurity Ventures, reflecting a sharp upward trend. There are three times as many attacks in Europe in the first half of 2021 compared to the same period in 2020. Ransoms paid out in the United States have doubled in the past year. Asia is slightly less alarming: Attacks increased by only 50% over the same span.
Ransomware attacks and other hacks that aim at having economic effects all form part of an emerging mode of “strategic crime,” an aspect of cyberwarfare that can have pernicious effects on the prosperity and power of nations, large and small. While the malefactors aim for financial gain, it must be noted that the same types of exploits used to freeze data for extortionate purposes can also be used as a form of strategic attack in wartime, crippling critical infrastructures and slowing military operations—sometimes even stopping them in their tracks.
Clearly, something has to be done. But to date virtually all responses have been reactive. They are of two types: One is technically focused on assisting with data decryption and system restoration; the other is about urging governments to take retaliatory action, either in the form of economic sanctions or cyberattacks on those nations thought to be harboring cybercriminals.
Neither of these remedies will halt the rapid spread of ransomware attacks. Cleaning up after these incidents does nothing to prevent them, while retaliation risks sparking an escalatory spiral of cyberwar that will hurt open-market societies more than the closed-up authoritarian regimes commonly thought to be allowing, if not actively supporting, these crimes.
The central challenge now is to go beyond developing reaction protocols and instead think through how to defend against these forms of cyberattack. Crafting an ability to thwart determined efforts to intrude into and/or lock up critical information systems is the only way to reduce this form of crime. And doing so may require commercial enterprises, social and governmental institutions—even militaries, who should see these data-freezing attacks as potentially crippling to their operational capabilities—to take a very surprising action: move sensitive information out from their own hardened, firewalled systems.
Where should information go to be safe? The best places are in the cloud and “the fog.” Cloud computing is about putting data on someone else’s system, and it is a practice on the rise. Growing comfort with the cloud should encourage a willingness to put even the most sensitive information out on it. The fog is a form of “edge computing” and consists of those structures between systems that produce data and the cloud. Because it is outside the servers in one’s own data center, the fog offers yet another hiding and storage space that hackers will find hard to access. Both are far better than simply keeping key information close.
While secure, the cloud has also been hacked on occasion, the most infamous case of which was the leaking of private photos from celebrities, grabbed from their iCloud accounts. But there’s a way to further improve cloud- and fog-based security via a process I call “data mobility.” It looks like this: Begin with a strict regimen of strongly encrypting data; break items into parts; place them in different parts of the cloud; and, finally, keep moving the data. I have a very simple mantra worth remembering: “Data at rest are data at risk.”
This solution takes a bit more effort than regular storage and security practices. But it is infinitely superior to existing approaches and will quickly reduce the frequency and effectiveness of ransomware attacks.
In addition, this approach to cybersecurity can and should be applied to other thorny issues of the digital age, such as the protection of intellectual property, which currently hemorrhages out of companies, worldwide, trillions of dollars each year in the form of counterfeit or pirated products.
By learning to thwart ransomware attacks in the first place, rather than just cleaning up after them, the health of the world economy can be better protected in this cyber age, and nations’ defenses will also be significantly improved. A classic “twofer.”
John Arquilla is distinguished professor emeritus at the U.S. Naval Postgraduate School and author, most recently, of Bitskrieg: The New Challenge of Cyberwarfare. The views expressed are his alone.
More must-read commentary published by Fortune:
- A tale of two governors: COVID outcomes in Florida and Connecticut show that leadership matters
- With A.I., business leaders must prioritize safety over speed
- $15 an hour isn’t enough: U.S. workers need a living wage
- Paid family and medical leave is a civil right
- Why investors are turning toward psychedelic health care companies
Subscribe to Data Sheet, a daily brief on the business of tech, delivered free to your inbox.
