Rethinking Ransomware: We Can Win If We Want To

June 29, 2021

I’m sure everyone reading this blog knows that about 2 months ago, Colonial Pipeline was hit with a ransomware attack and paid $4.4 million. Just a few weeks later, the FBI announced that it had recovered about half the ransom.

What does that prove? It proves our law enforcement agencies can achieve significant successes against cyber criminals when they can devote the time and resources to the effort. In short, we can win substantial victories in the fight against cybercrime – if we want to. President Biden is famous for saying, “Don’t tell me your priorities; show me your budget and I’ll tell you what your priorities are.” Based on current budget expectations, we simply don’t value fighting the $2 trillion cybercrime problem. The FBI’s budget for cybercrime is a little over half a billion dollars.

However, the evidence shows that with adequate resources our law enforcement teams can achieve substantial victories. According to the Wall Street Journal, “Law enforcement officials in recent years have established a track record of tracing cryptocurrency and at times seizing it.”

Justice Department officials in November said they had seized roughly $1 billion in cryptocurrency associated with the Silk Road online black market. In January, law enforcement officials said that the Justice Department had seized more than $454,000 in crypto from a ransomware group known as NetWalker.

Federal officials have previously dismantled illicit crypto networks operating abroad, including the August seizure of accounts and funds tied to al Qaeda and the Izz ad-Din al-Qassam Brigades, the armed wing of Palestinian militant group Hamas. An Internal Revenue Service agent traced transactions intended to fund the groups to Turkish money launderers who had additional customers based in the U.S. or were using U.S.-based exchanges, court records show.

This is obviously noteworthy and highly commendable work. However, there are still thousands upon thousands of victims of ransomware and other cybercrimes who are receiving no such recovery and assistance.

Fighting cybercrime is not impossible. It is, just like most areas of cybersecurity, not being prioritized. For example, when Attorney General Merrick Garland testified before the House Appropriations Committee earlier this year, cybersecurity was not on his list of priorities.

If Colonial Pipeline delivers one positive impact, it would be to fuel an increased push for cybercrime law enforcement resources so that every cybercrime victim gets the same justice Colonial got – a concerted effort to recover the criminal payments and an increased effort to track down the cyber criminals.

A great place to start would be to double the FBI’s cybercrime budget, which is currently smaller than some financial institutions’ cybercrime-fighting departments.

Of course, just throwing money at the cybercrime problem will not suffice. The nation’s new Cyber Director ought to seriously investigate restructuring law enforcement strategy and operations to better reflect the digital age. This would include rethinking cyber defense, better sharing among law enforcement agencies, both local and federal, and far better coordination with the military, as many cyber criminals operate overseas.

State and local law enforcement agencies can often be the first point of contact for a business, but they lack the level of resources available to the federal agencies leading on cybersecurity, such as the FBI. There are already several models being developed in the private sector that could be adopted. For example, the RAND Corporation has proposed a model for addressing cyber threats more holistically in the defense sector through a DIB Cyber Protection Program (DCP2). RAND proposes the use of a cloud service to disseminate essential cybersecurity tools and information to smaller firms in the DIB supply chain.

The DCP2 would provide tools such as vulnerability scanning and software patching, as well as advanced email security, data filtering, and data loss prevention software. DIB firms would also leverage security information and event management (SIEM) tools to track malicious attackers and eradicate malware from their networks.

A similar model, including the development of a centrally managed working environment that would help defend the entire cyber ecosystem – both small and large entities – could be adapted to the law enforcement community. Larger federal law enforcement agencies could create a similar type of working environment that would provide state and local law enforcement agencies access to the tools, tactics, and services needed to investigate cybercrime on a smaller scale.

These models could be further tailored based on recommendations in the 2018 Collective Defense White Paper developed by DHS and the IT Sector Coordinating Council. That white paper suggests additional outreach to large and small businesses, as well as to smaller state and local law enforcement agencies and organizations such as the International Association of Chiefs of Police, to expand capabilities and share information across jurisdictions. This includes increased coordination, development and updating of best practices, promoting the use of cyber insurance, and communicating protocols for reporting cybercrimes and requesting law enforcement support.

There are well-documented issues with smaller law enforcement agencies lacking the funding for cybercrime initiatives that larger ones possess.

Proposals such as these should be used as a model and applied to law enforcement, with the FBI taking the role of establishing a scalable cybersecurity service and toolset for smaller law enforcement agencies. The Pentagon could even serve as a conduit for the provision of tools and information directly to law enforcement, in some cases with costs on a sliding scale for private as opposed to public entities. The goal would be, through cooperation, to share cybersecurity infrastructure and techniques for the public benefit and to lower costs by expanding scope and scale.