Israel is a small, but powerful nation that wants to stop attacks before they get to their door, and indeed, their lives depend on that. We can learn from Israel’s military doctrine of deterrence through overwhelming strength, unity, and disincentivizing the attackers to inform other security issues, such as ransomware attacks. I believe that the answer lies in a public-private security partnership financially backed by the government.
Ransomware is a malicious cybercrime whereby attackers lock up the target’s computer systems until they pay a ransom, typically in hard-to-trace cyber currency, such as Bitcoin. These attacks are on the rise, resulting in an estimated $20 billion in damages in 2021, a figure projected to reach $265 billion in ten years.
Just this last year, in May and June 2021, Colonial Pipeline, a major American oil carrier, and JBS Foods, the world’s largest meat processor, were hit with ransomware attacks, jeopardizing our food and oil supply. That is, until Colonial paid $4.4 million and JBS paid $11 million to their cyber attackers. Ransomware attacks are devastating to companies and nations because they paralyze business operations and much-needed outputs and services to citizens.
From a corporate perspective, I completely understand the pressure to resolve the cyber-attack that holds their business operations at a costly standstill. I can only imagine the customers, suppliers, and board of directors all screaming to resolve the situation as quickly as possible.
From a broader national security and critical infrastructure perspective, these attacks can be devastating to our nation when they strike our military industrial base, energy, utilities, banking, transportation, food/water, etc. Imagine, no gas, no lights, no ATM machines or credit cards, no phones, and so on. Moreover, for companies that are coming to resolve the situation at the end of the game (i.e., once attacked), they are at a distinct disadvantage. At the same time, if they try to plan all by themselves, they are out-schemed and out-gunned by cyber attackers that are doing this day-in and day-out. Yet, the more we reward the criminals or terrorists when they strike, the more incentive they have to keep doing it.
This is a lesson that Israel learned many decades ago in suffering under an endless barrage of terror attacks, which were perpetrated not only to inflict painful injuries and deaths on the Israeli civilian population, but also to try to force the Israeli government to negotiate and free terrorist leaders and those with “blood on their hands” that were in Israel’s custody. However, because rewarded terror begets more terror, Israel instituted a policy of not negotiating with terrorists. This was a sound and strategic policy that was echoed by former U.S. Presidents Richard Nixon and Ronald Reagan, as well as British Prime Minister Margaret Thatcher.
If the terrorists can’t get what they’re after in terms of releasing their cohorts or some other ransom, perhaps like increasing their leverage in negotiations with Israel for their own Palestinian State, then that takes away, in part, the incentive for them to carry out the terror attack to begin with. Of course, in Israel’s case, the terrorists are also theologically motivated to inflict the maximum harm on Israelis because they don’t recognize Israel to begin with, they want to drive the Jews into the sea, and they see their attacks as part of some sort of warped religious war (or Jihad) whereby Islam and its adherents are shown to be supreme.
Despite Israel’s policy of not negotiating with terrorists, they have at times deemed it necessary to negotiate and give in to terrorist demands in order to get what the public demanded, such as in 2008 and 2011, when they gave up terrorists in Israel’s prisons in order to secure the return of the bodies of two IDF soldiers kidnapped at the Northern border, and for the return of Gilad Shalit, taken prisoner near Gaza in 2006. Similarly, with ransomware, we are human and we can’t stand seeing our systems and organizations “locked up,” inoperable, and our citizens being hurt by it.
With ransomware attacks, however, the crime is generally wholly financially-driven, and therefore, if you dry up the payments to the attackers, you deplete their motivation to ransom any systems to begin with. In other words: no ransom, no ransomware!
How can we stop the payments of ransom by companies that are in a terrorist’s cyber stranglehold? I have a notional approach that I think could be a framework for addressing this vital security issue. The two key elements are a public-private security partnership and a government financial backstop.
- Companies Join Public-Private Partnership
First, companies voluntarily join a public-private security partnership in which they adhere to higher security standards and oversight as well as pledge not to pay ransom. Additionally, these companies are placed on a public list and given a badge or seal of approval/logo, like Brink’s Home Security or ADT, to display that indicates they are “fortified,” and in this case, that they won’t pay any ransom and are backed by the government. An example of the voluntary higher security standards is what happened after 9-11, when companies shipping goods signed up for the Customs Trade Partnership Against Terrorism (CTPAT) to facilitate the safe flow of cargo to the U.S. in a time when everyone feared weapons of mass destruction being smuggled in.
- Government Backstops Any Costs
Second, the government provides an incentive for companies to participate in the public-private partnership and not to pay ransom. The incentive provided is that the companies are backstopped (insured) by the government in the event of a ransomware attack against them. This is similar to ransomware insurance, but the difference is that the cost to companies would be a fraction of what they would otherwise have to pay. The benefit to the taxpayer is that the market for ransomware dries up with companies that have pledged not to pay. As the program becomes universal, there is no one left for the ransomware attackers to target.
In short, as long as ransomware is a lucrative endeavor with little to no risk to the cyber attackers who stealthily get away with their cryptocurrency payments, then the ransomware attacks will not only continue but increase as a threat to our companies and nations. However, once we say, like Israel and other world democracies, that “we will not negotiate with terrorists,” and we back this up with a government financial guarantee, then a major and growing security threat can be finally neutralized.