On Oct. 5, Sen. Elizabeth Warren and Rep. Deborah Ross introduced the bicameral Ransom Disclosure Act (RDA). This is the third bill, proposed over the past four months, meant to address an increasing threat of ransomware attacks. The number of ransomware attacks increased by 62 percent globally from 2019 to 2020, and victims worldwide paid nearly $350 million in ransom in 2020 alone. On Sept. 28, a few days before the Warren-Ross bill was introduced, Sens. Gary Peters and Rob Portman introduced bipartisan legislation, entitled the Cyber Incident Reporting Act (CIRA), meant to address ransomware under a broader umbrella of cyber threats. In a similar vein, focusing broadly on cyberattacks while paying particular attention to ransomware, Sens. Susan Collins, Mark Warner and Marco Rubio introduced bipartisan legislation, titled the Cyber Incident Notification Act (CINA), on July 21.
What do these three bills have in common? Their goal is to bolster the federal government’s ability to help prevent cyberattacks by building better awareness of the existing landscape of these threats and the actors that execute them. The members of Congress propose to mandate reporting of instances of cyberattacks to the federal government, arguing that such information will help the U.S. government develop a fuller picture of cyber threats and obtain a better understanding of how cyber criminals operate.
While these three bills agree on mandating cyber incident reporting, they differ in many other respects. CINA requires federal agencies, contractors, and critical infrastructure operators to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of experiencing an attack. Once notified, the federal government is to mobilize to protect critical industries nationwide. To encourage information sharing, the bill grants limited immunity to reporting entities and anonymizes their identifying information. For noncompliance, the government “may assess a civil penalty not to exceed 0.5 percent of the [affected] entity’s gross revenue from the prior year for each day the violation continued.”
The CIRA requires critical infrastructure operators to report to CISA any cyberattacks within 72 hours of their discovery, and federal agencies and private-sector organizations with more than 50 employees are required to report any ransomware payments made within 24 hours. CISA can subpoena entities that fail to report a cyberattack; in case of noncompliance, CISA can refer the entity to the Department of Justice.
The RDA, which focuses exclusively on ransomware attacks, requires local governments and entities either engaged in interstate commerce or those receiving federal funds to disclose to the Department of Homeland Security the details of a ransomware attack within 48 hours of experiencing it. The RDA is quite vague about repercussions for noncompliance, simply mentioning that the department is to establish appropriate penalties.
What are the benefits of the proposed bills? First, mandating reporting by victims overcomes the collective action problem that lies at the core of ransomware underreporting. Reporting incident details, such as indicators of compromise, supports the public good: that information can be used to prosecute a ransomware gang or to defend other organizations against future attacks. But victim organizations often worry that the information they share with law enforcement may leak, resulting in reputational damage, while others feel that having to cooperate with law enforcement will distract from incident response. Organizations therefore incur private costs in disclosing information, while the benefit of that information is available to all, regardless of whether they shared anything themselves. Without a mandate, organizations would thus rather have someone else report their incident details than share their own.
Second, reporting mandates help ameliorate information asymmetry. The current imbalance works in favor of attackers: it lets them reuse the same attack vectors against subsequent victims, slows defenders’ threat intelligence efforts, and obscures the true scale of the criminal operation. Reporting also captures payment details such as wallet addresses and transaction hashes, as recommended by the Ransomware Task Force. Because Bitcoin transactions are recorded on a public ledger, such information can sometimes, though not always, let law enforcement trace the flow of funds back to the perpetrators and recover a portion of the ransom paid. In other cases, details provided by victims help law enforcement investigate particular ransomware gangs and release indicators of compromise for them, such as the FBI’s recent report on Hive ransomware.
Reporting mandates also have their drawbacks. First, the quality of the reported information might suffer from information bias, introduced by the varying quality of what victims choose to disclose, and selection bias, introduced when certain victims are more willing than others to disclose attacks. For instance, small businesses might be more likely to over-report incidents because penalties would be a heavy burden for them. Large corporations, by contrast, might be more likely to pay the fine than to disclose private information which, if leaked, could hurt their reputation. Without proper mechanisms to validate the accuracy of reported information and account for these biases, the annual reports on the state of ransomware that the Department of Homeland Security would be mandated to publish will present a distorted picture and exacerbate the existing problem instead of solving it.
The second drawback relates to a change in attacker strategy, resulting in more suffering for victim organizations and, by extension, their customers. Ransomware is increasingly a double-extortion scheme in which the attackers also exfiltrate sensitive data and threaten to release it if a ransom is not paid. Under a reporting mandate, attackers are likely to use this exfiltrated data as an enforcement mechanism to ensure the victim remains silent after the ransom is paid, rather than only as leverage to compel payment. More attackers will therefore adopt double extortion to hold exfiltrated data as insurance, and victims will face a double bind even after paying: either report to the police and risk having sensitive data released, or stay silent and risk a penalty. If an organization chooses to report at the expense of a data leak (especially if reporting mandates come with liability protections for the victim organization, as recommended by the Ransomware Task Force), then third parties, the organization’s customers or users, will bear further costs from having their credentials or personal information leaked.
Alternatively, attackers may raise the average ransom demand for U.S. businesses. Attackers incur more risk by targeting victims in countries with reporting mandates, which might deter them from attacking some targets, particularly small businesses that are not worth the risk. Or attackers might quantify that extra risk and price it into the ransom demand; they already price in other risks. In a case study of a REvil ransomware negotiation conducted by Elliptic, REvil added a 10 percent surcharge because the victim asked to pay in Bitcoin rather than the privacy-focused cryptocurrency Monero. Reporting mandates may therefore push attackers to concentrate on U.S. “big game” (companies with annual revenue of more than $1 billion), which can pay more and have more to lose from a data leak, rather than on the “spray and pray” tactic against many small victims, which carries a higher risk that at least one of them will share information with the police.
The final drawback relates to loopholes that victims can exploit when paying a ransom. For instance, does an organization have to report if it pays through an intermediary? What if an organization works with an insurance company? Will the burden to report fall on the insurer? How will the regulation apply to a multinational corporation that can use an overseas (non-U.S.) office to transfer the money? Since the legislation covers a variety of entities, will they all be held to the same reporting standards?
What can the U.S. government do to address the limitations of these proposed bills? We argue that reporting mandates are an insufficient solution to the right problem. The key is to change the incentives of the affected parties; otherwise, attackers will continue to search for workarounds to the new laws. Specifically, the government should consider how it can ensure that the benefits of compliance outweigh its cost and make it costlier for attackers to conduct their operations.
The government should credibly signal that it can provide private benefits to ransomware victims, to induce information sharing beyond what penalties alone can compel. Recovering paid ransom could be one such benefit. For instance, after the Colonial Pipeline attack, the FBI recovered nearly $2.3 million of the $4.4 million ransom by tracing the flow of funds and using other investigative techniques. Unfortunately, the July Kaseya ransomware case does not build the agency’s credibility in this regard. During that investigation, the FBI held the victims’ decryption keys for three weeks, causing victims significant monetary and reputational loss. A law enforcement source eventually shared the keys with Bitdefender, which released a universal decryptor that victims of the REvil attacks could use to decrypt their files. Even though more than 265 REvil victims have used this decryptor, multiple victims lost millions of dollars and suffered significant damage in the meantime.
Policymakers can also influence attacker incentives by making ransomware less profitable. Often, the amount of ransom demanded is carefully calculated based on how much and how long the victim will suffer from a disruption in its operations. In this regard, policies and legislation that make it cheaper for companies to build up resilience and choose data recovery without paying a ransom can also help reduce the amount of ransom demanded by attackers.
For example, since the proposed legislation covers federal agencies and contractors, budgets can be allocated to incentivize their investment in offline backups and in upgrades from legacy systems that cannot support modern backup technologies. Because ransomware operators routinely delete or encrypt any backups reachable from the compromised network before detonating, those backups must be kept offline or immutable, and restoration must be tested in advance, or the investment buys no leverage. With a good backup system, a victim can resume operations more quickly and at higher capacity and has less incentive to pay the ransom. The attacker, by contrast, can demand only a small ransom for the expected small disruption in business.
In addition, many insurance companies currently cover the ransom payment itself. Insurers should instead be incentivized to cover the cost of recovering data without the decryption tool that a ransom payment buys. Covering ransom payments not only creates a moral hazard problem for the victim but also funds further ransomware attacks. For example, if attackers demand $5 million, a typical policy today covers paying that $5 million to the attackers. The victim has the option not to pay and instead to spend, say, $10 million on data recovery by hiring a company like FireEye. If insurance covers the latter cost rather than the ransom, more companies will choose not to pay the attackers. Insurance coverage for data recovery will thus help victims choose not to pay and, perhaps, even build up resiliency against a repeat attack in the process.
Ransomware is indeed an important issue in the United States, and the inability to gather sufficient data on ransomware incidents contributes to the problem. Mandating reports is one way to address it. We propose that the U.S. government should also work to provide the right incentives for victims, so that they are willing to share more information and work with law enforcement.