Banning Ransomware Payments Unlikely To Happen

At a recent Cyber Forum at Oxford University, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, mentioned that banning ransomware payments is unlikely to happen in practice. While federal agencies agree on mandating the reporting of cyber incidents, the FBI, CISA, and NSA strongly advise against organizations making ransomware payments, but it seems that banning them is not an option.

Security Intelligence reports that the recent Cyber Incident Reporting for Critical Infrastructure Act has wide support in the security community. It will help security teams learn how attackers operate and share threat intelligence, a strategy of “digital solidarity” that is said to be more effective than dealing with threats on an individual basis.

But banning ransomware payments sends the wrong message, according to security professionals. It is tantamount to admitting that the security community has no other means to thwart ransomware attacks.

The Ransomware Task Force for the Institute for Security and Technology says that banning ransom payments will force many small businesses to close shop because they cannot withstand a lengthy business disruption.

If companies were penalized for paying, they would be tempted to make payments secretly. If that happened, accurate data about ransomware variants and threat intelligence would suffer.

At the Oxford forum, Director Easterly said, “I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign. We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”