To stop the ransomware pandemic, start with the basics
TTWENTY YEARS Some time ago, this could have been the plot of a trashy airport thriller. These days, it’s routine. On May 7, cybercriminals shut down the pipeline supplying nearly half of the oil to the U.S. east coast for five days. To revive it, they demanded a ransom of $ 4.3 million from the Colonial Pipeline Company, the owner. A few days later, a similar ransomware attack crippled most hospitals in Ireland.
Enjoy more audio and podcasts on ios or Android.
Attacks like these are proof of an era of heightened cyber insecurity that will affect everyone from tech companies to schools and the military. A threat is disaster: think of an air traffic control system or a failed nuclear power plant. But another is harder to spot, as cybercrime hampers the digitization of many industries, hampering a revolution that promises to raise living standards around the world.
The first ransomware attempt was in 1989, with a virus spread via floppy disks. Cybercrime is getting worse as more devices are connected to networks and geopolitics become less stable. The West is at odds with Russia and China, and several autocracies give refuge to cyber-bandits.
Billions of dollars are at stake. Most people have a vague sense of a near miss: from the Sony Pictures attack that rocked Hollywood in 2014, to Equifax in 2017, when details of 147 million people were caught. been stolen. Big hacks are a familiar but confusing blur: remember SoBig, or SolarWinds, or WannaCry?
A forthcoming London Business School study (KG) captures trends by examining comments made to investors by 12,000 listed companies in 85 countries over two decades. Cyber risk has more than quadrupled since 2002 and tripled since 2013. The business model has globalized and has affected a wider range of industries. Workers logging in from their homes during the pandemic almost certainly added to the risks. The number of companies affected is at an all-time high.
Faced with this picture, it is natural to worry the most about the spectacular crises caused by cyber attacks. All countries have vulnerable physical nodes such as pipelines, power plants and ports whose failure could cripple much of economic activity. The financial industry is a growing hotbed of cybercrime: bank robbers these days prefer laptops to balaclavas. Regulators began to worry about the possibility of an attack causing a bank to collapse.
But the threat to new technologies is just as costly as confidence in them decreases. Computers are integrated into cars, homes and factories, creating an industrial ‘internet of things’ (IOT). Information gleaned from the oceans of data promises to revolutionize healthcare. In theory, all of this will increase productivity and save lives for years to come. But the more insecure the digital world is, the more people will turn away from it and the more potential gains will be lost. Imagine hearing about ransomware in someone’s connected car: “Pay us $ 5,000, or the doors stay locked.”
Dealing with cyber insecurity is difficult because it blurs the lines between state and private actors and between geopolitics and crime. The victims of cyber attacks are companies and public bodies. The authors include states that practice espionage and test their ability to inflict damage in wartime, but also criminal gangs in Russia, Iran and China whose presence is tolerated because they are an irritant to the West. .
A cloud of secrecy and shame surrounding cyber attacks amplifies the difficulties. Businesses cover them. The usual incentives for them and their counterparties to mitigate risk are not working well. Many businesses overlook the basics, such as two-step authentication. Colonial hadn’t even taken simple precautions. The cybersecurity industry is full of sharks that bamboozle customers. Much of what is sold is little better than “medieval magic amulets” in the words of one cyber official.
All of this means that financial markets find it difficult to assess cyber risk and that the penalty paid by poorly protected companies is too low. the KG One study, for example, concludes that cyber risk is contagious and begins to factor into stock prices. But the data is so opaque that the effect is unlikely to reflect the actual risk.
Setting the incentives for the private sector is the first step. Officials in the US, UK and France want to ban insurance coverage of ransom payments, on the grounds that it encourages further attacks. Better to require companies to publicly disclose attacks and their potential costs. In America, for example, the requirements are vague and involve long delays.
With more accurate and consistent disclosure, investors, insurers, and providers could better identify companies that are underinvesting in security. Faced with higher insurance premiums, a falling stock price and the risk of litigation, managers could raise their game. Manufacturers would have more reason to set and adhere to product standards for gadgets connected that help stem the tide of insecurity IoT devices.
Governments should watch the line between the orthodox financial system and the dark world of digital finance. Ransoms are often paid in cryptocurrencies. It must be made more difficult to recycle money from these to regular bank accounts without proof that the money has a legitimate source. Likewise with cryptocurrency exchanges, which should face the same obligations as established financial institutions.
Cyber insecurity is also a matter of geopolitics. In conventional warfare and cross-border crime, there are standards of behavior that help contain risk. In the cyber domain reigns novelty and confusion. Does a cyber attack by criminals tolerated by a foreign adversary justify retaliation? When does a virtual intrusion require a real world response?
A starting point is for liberal societies to work together to contain attacks. During recent summits of the G7 and NATO, Western countries have promised to do so. But taking on states like China and Russia is also crucial. Obviously, they will not stop spying on Western countries which are their own weasel. But a third summit, between Presidents Joe Biden and Vladimir Putin, has started a difficult dialogue on cybercrime. Ideally, the world would be working on a deal that would make it harder for broadband to threaten the health of an increasingly digital global economy. ■
This article appeared in the Leaders section of the print edition under the headline “Broadbandits”