Ransom payments are swiftly becoming routine aftermath of cyber attacks. Whether companies should pay cyber ransom or not has continued to be a topic of intense debate among security experts.
Although numerous businesses struggle with deciding whether paying such ransoms would effectively halt the attack or worsen the situation, federal cybersecurity agencies firmly oppose ransom payments.
As countries worldwide participate in dialogues regarding the prospect of reevaluating their approach to ransom payments, Australia, having experienced a significant surge in cyberattacks over recent years, leading to profound repercussions on its security and various sectors, is deliberating the implementation of a comprehensive prohibition on ransom payments.
Nonetheless, Michael Rogers, the former director of the US National Security Agency, holds a contrary opinion on this matter, deeming it unfavorable. Instead, he proposes adopting a risk-based strategy that takes into account a specific set of essential criteria.
“Australia should not impose a blanket ban on paying cyber ransoms but instead adopt a risk-based approach that considers a set of key criteria”, said Rogers as reported by The Australian Financial Review.
Australia’s cybersecurity posture and approach to ransom payments
Recently, Australia has seen an increase in hacker activity, giving rise to a variety of ransomware attacks. According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report, roughly 76,000 cybercrime incidents has happened between 2021-2022, making Australia a prime target of hackers.
The discussions around the legality of cyber ransom payments have gained momentum in Australia. Home Affairs Minister Clare O’Neil has consulted with industry stakeholders, recognizing the complexity of the issue.
While the government’s forward approach to cybersecurity places Australia in a favorable position, questions remain about the best course of action regarding ransom payments.
Retired Admiral Michael Rogers, a seasoned security expert, advocates for a paradigm shift in approaching cyberattacks. He cautions against measuring success solely by the ability to prevent penetrations, asserting that a determined adversary can often find a way into even the most secure systems.
“This is what I used to tell the two presidents, ‘Sir, if the metric you’re going to use it anytime we have a significant penetration that is a failure, then you are going to be incredibly frustrated,'” Rogers told The Australian Financial Review.
Instead, Rogers proposes a new metric: evaluating how effectively an organization responds to attacks and mitigates their impact.
Rogers’ argument prompts us to consider the fundamental question: Should companies be permitted to pay cyber ransom payments, or should such payments be unequivocally discouraged?
Rogers advocates for a risk-based approach that weighs key criteria before considering ransom payments. Factors such as loss of life, health, national security, and economic stability should be carefully evaluated against the risk of ransom payments.
The former NSA director suggests that this deliberation should be a partnership between government and industry, avoiding unilateral decisions that could lead to negative consequences.
“With a determined adversary who is focused on you as a target and who was prepared to commit resources, it is very difficult to ensure 100 percent that they will not penetrate your system,” added Rogers.
The two sides of ransom payments
The ongoing debate over whether companies should pay cyber ransom payments features compelling arguments on both sides. The allure of swift data recovery must be balanced against the potential pitfalls of emboldening cyber adversaries and funding illicit activities.
Beyond legal implications, cyber ransom payments raise ethical concerns. Succumbing to extortion demands may embolden cyber adversaries, prompting them to target more organizations and fuel ransomware distribution.
Moreover, there is the potential for ransom payments to fuel illicit activities, as highlighted by a US Department of the Treasury’s OFAC advisory.
Lowers Forensics International emphasizes that opting to pay cyber ransom payments can expose organizations to unforeseen legal challenges.
Mirroring the stance of government bodies, including the FBI, these organizations discourage ransom payments. The crux of the legal predicament lies in the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).
The allure of ransom payments is evident: a possible path to swiftly regaining access to crucial data and systems. The State of Ransomware 2021 report by Sophos shows that paying a ransom doesn’t guarantee complete data restoration.
On average, only 65% of data is recovered, and a mere 8% of organizations successfully retrieve all their data. Encrypted files might remain irrecoverable, and the promised decryption tools could fail or even lead to further complications.
Cybersecurity advocate Fortinet asserts that while no explicit law prohibits ransom payments, a consensus discourages such actions from both US government authorities and cybersecurity experts. Influential organizations like CISA, NCSC, the FBI, and HHS urge victims to exercise caution despite the temptation to regain control over compromised data.
The fundamental uncertainty lies in the unpredictable outcomes of ransom payments, as retrieval of files remains far from guaranteed.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
