Ransomware attacks: How should the U.S. respond?

“The 360” shows you diverse perspectives on the day’s top stories and debates.

What’s happening

Ransomware attacks are increasingly targeting companies’ computer systems, demanding money in exchange for returning access and data.

Last month, hackers breached Colonial Pipeline — which supplies 100 million gallons of fuel daily along a 5,500-mile pipeline — and gained access to its business networks. In response, Colonial shut down pipeline operations, which led to nearly a week of widespread fuel shortages along the East Coast.

The CEO of Colonial Pipeline testified before a Senate committee last week, explaining his decision to pay a multimillion-dollar ransom to regain access: “I made the decision to pay,” Joseph Blount told members of the Senate Homeland Security Committee. “I put the interests of our country first.” The Department of Justice ultimately recovered $2.3 million of the $4.4 million cryptocurrency ransom that Colonial paid to the group DarkSide.

Other companies hit with attacks include meat supplier JBS, insurance company CNA Financial, McDonald's, hospitals and transportation providers. The Teamsters were targeted in 2019 but reportedly refused to pay a seven-figure ransom.

Why there’s debate

The United States suffered 65,000 ransomware attacks last year, according to one cybersecurity firm, and hacks like these are now considered a risk to national security. Attacks on businesses and government networks have led to concerns about the safety of U.S. infrastructure, utilities, food supplies, medical care and personal and financial information.

The FBI’s guidance is that victims shouldn’t negotiate with or pay their cyberattackers. Supporters of this stance say ransom payments encourage criminal behavior by creating a business model for it. Some argue there should even be an official ban on paying off the attackers.

However, critics say a ban could also discourage reporting of ransomware if some companies still pay. They argue that if crucial infrastructure or medical systems are breached, those institutions cannot simply stop operations. Smaller companies, local governments and schools can be particularly vulnerable without the clout or financial resources of larger firms.

Some also point to cryptocurrency as a big reason attacks have proliferated. Anonymous digital payments mean hacking can be easier and more profitable than before, they argue.

What’s next

The attacks on Colonial Pipeline and JBS have been linked to Russia-based groups. President Biden is scheduled to meet with Russian President Vladimir Putin in Geneva on June 16, and the topic of ransomware attacks is expected to be discussed.

The proliferation of these crimes has given rise to an industry to help businesses respond to online threats, while insurance carriers are rethinking whether to offer cybercrime policies. In the meantime, cybercriminals are evolving their tactics and targets.


Cyberattacks need to be treated as a national security issue

“Russia and China can be counted on to assess how our relatively weak cybersecurity posture can be exploited, either directly or through cooperative criminal proxies, to inflict very real and very dangerous damage to existential services such as power, finances and transportation. We are at a pivot point. Cybersecurity is becoming a greater national security imperative.” — Kevin R. Brock, The Hill

Payments for ransomware should be illegal; that will deter attacks

“If it were illegal to pay any ransomware demands, insurance companies and victims of these hacks would stop doing it. If no one paid to satisfy the hackers’ demands, eventually the ransomware would stop, at least in the U.S.” — Richard A. Clarke and Robert K. Knake, New York Daily News

Banning ransomware payments will make things worse

“In the world we do live in, banning payments would almost certainly result in a pretty horrific game of ‘chicken,’ whereby criminals would shift all their focus towards organizations which are least likely to be able to deal with downtime — for example hospitals, water-treatment plants, energy providers and schools.” — Rapid7 community and public affairs vice president Jen Ellis to BBC

There’s no guarantee that paying hackers will let firms get all their data back

“There are plenty of reasons why security experts say you shouldn’t pay the ransom to get them back. A particularly compelling one that high-profile victims have learned lately: Decryption can be so painfully slow that it doesn’t offer a practical path to recovery.” — Lee Mathews, Forbes

U.S. government needs to create an organization to address cybersecurity

“We need an approach within the government — specifically, one organization, headed by the new national cyber director, with three separate units: one focused on strengthening public-private partnerships, one focused on offensive and defensive operations, and one focused on intelligence-collection, analysis and sharing.” — Sean Joyce, Washington Post

Public-private partnerships are needed to deal with cyber threats

“Private sector entities will benefit from early warning and intelligence from government partners to see threats over the horizon, which will allow them to shore up defenses in advance of an attack. In turn, the U.S. and allied governments can benefit from increased transparency from the private sector when attacks materialize.” — Christopher Roberti, CNBC

Cryptocurrency is fueling rise of these attacks and should be banned

“There is a simpler and more effective way to stop the ransomware pandemic: Ban cryptocurrency. Ransomware can’t succeed without cryptocurrency. The pseudonymity that crypto provides has made it the exclusive method of payment for hackers. It makes their job relatively safe and easy.” — Lee Reiners, Wall Street Journal

We need a ‘whole society’ approach

“We need a national response strategy that facilitates signal sharing, reduces likelihood of payment, and clarifies reporting channels and support options for affected entities. The strategy would build resilience by supporting organizations of all sizes in preparing for ransomware attacks, promote good digital security, and provide incentives for minimum cybersecurity for critical infrastructure.” — Camille Stewart, CNN

Regulation is needed to protect critical infrastructure

“America’s critical infrastructure cybersecurity must be regulated by trained and knowledgeable cybersecurity experts in the same way that environmental concerns are regulated by the EPA’s trained and knowledgeable environmental scientists or pharmaceutical safety is regulated by the Food and Drug Administration’s trained and knowledgeable health professionals.” — Anthony J. Hendricks and Jordan E.M. Sessler, Dallas Morning News

Cybercriminals are evolving their types of attacks

“What this means for the average person is that you should start preparing for occasional disruptions in your daily life, from supplies at the grocery store to energy, water, banking services, and any connected device you rely on.” — Jason Glassberg, co-founder of cybersecurity firm Casaba Security, for Yahoo Finance
