A ransomware attack deploys malware to encrypt data held on the victim's systems. A ransom attack skips the encryption altogether: the threat actor simply "steals" data by exfiltrating it from the network and then holds it to ransom, the threat being that unless a payment is made, something else will happen with the data, such as a sale to other criminals, publication online, or a follow-up attack on the original victim or on others. Of course, an attacker can deploy encryption malware and exfiltrate data within the same attack, which is done for the purpose of a "double extortion", i.e., a ransom is demanded both to decrypt the data and to prevent further misuse of the exfiltrated data.
So what is the CISO's role in all of this? Do they have a say in whether it is appropriate to pay a ransom?
The first issue, of course, is whether a payment is lawful or not. Where they are lawful, the question arises about whether they should be banned. A good overview of the key issues is provided in this research paper by Adam Clark. Stewart Room, Head of Technology, Media & Communications Sector, looks at the issues from a criminology perspective here.
The basic lay of the land is as follows:
- In major jurisdictions such as the UK and USA, ransom payments aren't banned per se. However, there are indirect routes that create de facto bans, such as where the proposed beneficiary of the ransom payment is on a sanctions list, is a terrorist, or similar.
- The arguments against a ban, include the "safety valve", crime displacement theory, and ones about insurance. Clark (linked above) covers these and you can form your own view of how persuasive you feel they are.
If an organisation is contemplating paying a ransom, as well as understanding the legal framework that applies, key considerations include:
- Expectations and requirements for transparency after a breach.
- The reason for making a payment.
- The process within which a decision is taken to pay.
- The identity of the decision makers.
Keeping those considerations in mind, we can start to chart a course for CISOs, with these points acting as beacons and pathfinders:
- Organisations should work on the basis that the payment of a ransom is information that sits in a "quasi-public" domain, thus it should not plan on being able to keep a payment secret. For example, the fact that a ransom is paid might be leaked.
- Furthermore, there are many circumstances in which a legal duty to disclose a ransom payment can arise. Consider the situation where you are asked about this by a regulator or a judge, for example. What would you say?
- The reason for making a payment needs to be clear and understood and, where possible, substantial when viewed across the full spectrum of possible reasons for paying. Paying simply to protect the reputation of the organisation is arguably the weakest reason. Protecting lives would be at the other end of the spectrum.
- A decision to pay a ransom might need to be defended a long time after the event, perhaps even years after the event, when the decision makers have departed the organisation. The decision may need to be of a good enough quality to survive changing mores and morals in society.
The above rubric then points the CISO in the direction of the process itself:
- The process for determining whether a ransom can or should be paid needs end-to-end rigour, which bakes in all necessary checks and balances, with full documentation of actions taken, decisions made and reasons.
- Of course, the checks and balances include ensuring that the executive mind of the organisation is the decision taker, that legal advice runs through the process and that necessary consultations with third parties take place.
There are many other components to this, which can be presented as "dos and don'ts", or as vignettes and analogies – but the key recommendation is that the CISO should avoid becoming an advocate for ransom payments. The CISO's job in all of this is to explain and manage the security risks, but that can be viewed as a very different role to advocacy.
The problem with advocacy is that it is a process of persuasion, and we should keep in mind that all human beings suffer from "bounded rationality". This means that the advocate's thought processes, reasoning and arguments might be questionable. Furthermore, an advocate can persuade a person to take a course of action that is contrary to their instincts, with the risk that over time they may come to consider that they took the wrong course, which can make for a volatile situation.
Bringing this together, the CISO's role in the overall ransom payment decision process has obvious limitations and boundaries. For example:
- Determining whether a payment is lawful is not part of the CISO's role.
- Attributing the identity of the attacker is not usually part of their role, but they can provide assistance to others in the process, such as by supporting efforts to identify and understand indicators of compromise.
- Negotiating with the attacker does not fall naturally within the scope of the CISO's role. This is best dealt with by other professionals.
- Determining whether it is a good idea, or not, to pay a ransom is not part of the CISO's role – but they can assist others with understanding the nature of the security situation and the incident response. Furthermore, CISOs often have valuable knowledge and experience to bring to the table, for example on the modus operandi of cybercrime, the technical issues involved in deploying decryption keys, and the technical issues that limit the level of assurance that can be given about a threat actor's activities (e.g., assurance that exfiltrated data has been destroyed), all of which may assist the decision taker. At all times, however, the CISO needs to understand the boundaries of their knowledge and competence on these issues, so that they do not provide misleading information or fall into advocacy.
- Deciding whether to pay is not part of the CISO's role.
- Handling the processes of paying the ransom is not part of the CISO's role.
Our author also recommends that CISOs try to keep up to date with the general trend of case law, regulatory developments and public policy. In the UK, some positions of the ICO and NCSC are found here, which actively discourage the payment of ransoms. Similarly, the Joint Statement of the International Counter Ransomware Initiative 2023 records an international commitment for governments and their institutions not to pay ransoms. See also this guidance published by HM Treasury, which confirms that the UK government does not condone payments. You may think that the failure to introduce legislation to ban ransom payments is at odds with those positions – this simply draws attention to the complexity of the issues. Making a ransom payment is never a zero-sum game.
For a flavour of some of the issues in the US, take note of the SolarWinds case – which is concerned with the issue of transparency after a security breach, and the issue of ransom payments (but note that the case is still ongoing, so the outcome should not be pre-judged). Note also the Cyber Incident Reporting for Critical Infrastructure Act 2022 (CIRCIA), which will require the reporting of ransom payments by critical infrastructure owners and operators; the SEC Final Rule on cybersecurity risk management, strategy, governance and incident disclosure; the FTC's positions on ransomware and other cyber-related attacks; and the New York Department of Financial Services guidance.
There is a lot of other information out there, so to repeat an earlier point, a ransom payment should never be made without taking legal advice.
Please note this was originally published in a blog series with Security.Law.
If you need any advice in relation to the above, please contact our author Stewart Room.