
Navigating Ransom Payments amidst Cyber Threats


Ransom payments have become a common occurrence in the aftermath of cyber attacks, causing a heated debate among security experts. While some argue that paying ransoms could potentially halt the attack and minimize the damage, federal cybersecurity agencies firmly oppose such payments. This topic has gained significant attention in Australia, a country that has experienced a surge in cyber attacks in recent years. As a result, the Australian government is contemplating the implementation of a comprehensive prohibition on ransom payments.

However, not everyone agrees with this approach. Michael Rogers, the former director of the US National Security Agency, believes that a blanket ban on ransom payments is not the solution. Instead, he suggests adopting a risk-based strategy that considers a specific set of criteria. According to Rogers, Australia should carefully evaluate factors such as loss of life, health, national security, and economic stability before considering ransom payments. This approach would require a partnership between the government and industry to avoid unilateral decisions that could have negative consequences.

Australia has witnessed a significant increase in hacker activity, making it a prime target for cybercriminals. The Australian Cyber Security Centre has reported approximately 76,000 cybercrime incidents between 2021 and 2022. The government recognizes the complexity of the issue and has engaged in consultations with industry stakeholders to find the best course of action. However, there are still questions surrounding whether paying ransom should be allowed or discouraged.

Rogers argues that success in cybersecurity should not be measured solely by the ability to prevent penetrations. He believes that a determined adversary can always find a way into even the most secure systems. Instead, he proposes evaluating how effectively an organization responds to attacks and mitigates their impact. This metric would focus on the organization’s ability to recover and protect its data rather than simply on preventing the attack in the first place.

The debate over ransom payments has valid points on both sides. On one hand, paying a ransom could lead to swift data recovery and minimize disruption to the organization. On the other hand, it could embolden cyber adversaries and fund illicit activities. Moreover, there are ethical concerns surrounding extortion demands and their potential to fuel ransomware distribution. Government bodies, including the FBI, strongly discourage ransom payments, citing legal and ethical implications.

One of the main legal concerns surrounding ransom payments lies in the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA). While there is no explicit law prohibiting ransom payments, the consensus among government authorities and cybersecurity experts is to discourage such actions. Organizations like CISA, NCSC, the FBI, and HHS urge victims to exercise caution and not succumb to the temptation of paying ransoms.

Furthermore, the effectiveness of ransom payments is often uncertain. Data restoration is not guaranteed, with only 65% of data being recovered on average, and a mere 8% of organizations successfully retrieving all their data. Encrypted files might remain irrecoverable, and the promised decryption tools could fail or even lead to further complications.

In conclusion, the debate over whether companies should pay cyber ransom payments continues to spark intense discussions among security experts. Australia, in particular, is grappling with the issue due to a significant surge in cyber attacks. While some experts argue for a comprehensive prohibition on ransom payments, others, like Michael Rogers, advocate for a risk-based approach that considers key criteria before making a decision. Ultimately, the decision on whether to pay ransoms or not should be a carefully evaluated partnership between the government and industry, with a focus on minimizing the impact of attacks while considering the potential consequences.
