For cybersecurity experts, an attack on critical U.S. infrastructure was always the doomsday scenario. Now, less than a week after hackers managed to knock an essential East Coast pipeline offline, that fear has become reality.
The attack against the operator of the system, Colonial Pipeline, led the company to announce Saturday that it had shut down 5,500 miles of pipeline carrying roughly 45% of fuel supplies for the entire East Coast. Colonial said Wednesday that it had "initiated the restart of pipeline operations" but warned that it would take several days for supply to return to normal. In the meantime, governors in at least three states have already declared states of emergency, and fears of fuel shortages have resulted in lines of panicked drivers at gas stations across much of the southeast.
"This threat is not imminent," said Secretary of Homeland Security Alejandro Mayorkas on Tuesday. "It is upon us."
Colonial has acknowledged that its computer networks were hit by a ransomware attack — in essence, an attack in which a hacker or criminal group breaks in and encrypts the contents of a victim's computers until a ransom is paid. And while the company has declined to say whether it has offered a ransom, the attack is focusing new attention on a potentially radical proposal to stem the growing threat posed by ransomware: making it illegal for targets to pay their attackers.
It's an idea that has stymied experts across industry and government alike as they race to confront a challenge that Chris Krebs, formerly the top cybersecurity official at the Department of Homeland Security, described as a looming "digital pandemic, driven by greed, a vulnerable digital ecosystem and an ever-widening criminal enterprise" during testimony before Congress last week.
"Prohibiting ransomware payments is the quickest and most effective way to end ransomware attacks," says Brett Callow, a threat analyst with the antivirus firm Emsisoft. "Attacks happen for one reason and one reason only: They are profitable. If you make them unprofitable, the attacks will stop."
It may not be so straightforward, though.
In late April, a public-private task force composed of members from Amazon Web Services, Microsoft, the FBI and the Secret Service, among others, delivered to the White House an ambitious set of recommendations for a whole-of-government approach to fighting the ransomware threat. In it, they laid out a framework calling on business and government to join forces to develop a coordinated strategy for deterring attacks, disrupting the ransomware business model and better equipping organizations in preparing for and responding to cyber-assaults.
On the issue of prohibiting payments to attackers, the group of more than 60 members was split.
On the one hand, they said, because ransomware is motivated by profit, a ban on payments would help choke off a prime driver of attacks. It might also help combat an array of other crimes that profits from ransomware attacks are often used to fund, such as human trafficking and child exploitation.
On the other hand, they wrote, there's a risk that a ban might only make the threat more pernicious.
"Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas," the task force wrote. "Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure."
Supporters of a ban say that even without a prohibition in place, that bleak scenario has already arrived. While the attack on Colonial Pipeline has dominated the headlines, attacks on everything from airports and hospitals to schools and local governments have been quietly escalating.
Last September, for example, an attack against United Health Services cost the Pennsylvania-based hospital chain $67 million before taxes. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for more than 30 hours. Airports in Cleveland and Albany, N.Y., have been forced to confront attacks, as has the Metropolitan Police Department in Washington, D.C., which on Tuesday saw the personal information of 22 officers released by hackers as part of an extortion effort.
In all, almost 2,400 U.S.-based governments, health care facilities and schools were the victims of ransomware attacks in 2020, according to Emsisoft, but that figure is likely a vast undercount since many victims are reluctant to report break-ins to begin with. The corresponding hit to the economy is considered massive, with estimates ranging from $57 billion to $109 billion annually, according to a report by the Democratic think tank Third Way.
"Things are already as bad as they can get," says Callow. While he concedes that prohibiting payments would create challenges "in the short term" for companies left with no clear way to recover their data, allowing ransoms to continue will only make the problem worse.
"The alternative to that is for hospitals to continue to be targeted, for critical infrastructure to continue to be targeted, governments, law firms, attorneys general, police departments," he says.
It is hard to say how often ransoms are being paid out. The FBI and other law enforcement agencies discourage victims from paying their attackers, but an estimate from the cybersecurity firm Palo Alto Networks put the average payment in 2020 at more than $312,000 — an increase of more than 171% over the year before.
Chris Painter, formerly the top U.S. cyber diplomat at the State Department and a contributor to the Institute for Security and Technology task force report, says he supports prohibitions on ransom payments but warns that a rush to implementation could cripple many organizations.
"No one in the task force had the opinion that ransomware payment should be encouraged," says Painter. "The challenge is how do you make that work practically?"
Painter, who now serves as president of the Global Forum on Cyber Expertise, says the targets of ransomware attacks run the gamut, from large organizations with well-funded cyber units to mom-and-pop shops with few if any safeguards in place.
"Many don't have the resiliency and backups that they need. So if you just say like tomorrow, 'OK, we're going to prohibit ransomware payments,' that's going to be an almost impossible transition for those victims. You're going to victimize the victims more because ... if they get hit by a ransomware attack and they can't pay and they can't recover their data, you know, they could be in a situation of essentially shutting down."
Callow says a ban is just part of the answer, and in its report, the ransomware task force said governments would need to ease the transition before moving to a world where ransom payments are prohibited. Changes would need to be phased in, it said, and allow time for governments to set up protection and support programs for victims. A bipartisan bill introduced last year in the Senate, for example, called for study into the creation of a federal fund to help support the recovery and response to significant cyber-incidents.
The clock may already be ticking — at least for some. In what is likely a first, the global insurance company Axa announced last week that it would stop offering policies in France that reimburse customers for extortion payments made to cybercriminals.
"That may be the trend," says Painter.