CEOs of Apple, Amazon, Microsoft and other top American companies went to the White House on August 25 to brainstorm about the burgeoning problems of ransomware and other types of cybercrime. The Biden administration is aggressively pushing for better cooperation between the public and private sectors to stem the surge of digital attacks from Russia, China and elsewhere.
But businesses are leery of some measures that experts say would be sensible ways to improve U.S. defenses against the types of cyberattacks that recently disabled big firms such as Colonial Pipeline and meatpacker JBS. One simple change would be requiring businesses to report cyberattacks to the government—especially if they make a ransom payment. Since many cyberattacks remain secret, the government lacks a full accounting of the problem and of many details that could aid in defense. Bipartisan legislation in Congress would require any company involved with critical infrastructure to report hacks.
Some policymakers would go further and ban the payment of ransoms, to eliminate the profit incentive that drives the whole underground ransomware industry; if you can’t collect a ransom, there’s no point holding anybody hostage. Former U.S. ambassador to Russia Michael McFaul said in June that the United States and other western governments should “criminalize ransom payments” to hackers and indict cybercriminals, as a way of raising pressure on Russia and other nations that harbor them.
Businesses, however, have pushed back against measures that would increase regulation and raise costs, even if such measures would save some companies millions of dollars in ransom payments. Business interests helped defeat a 2012 bill that would have set cybersecurity standards for key industries. The U.S. Chamber of Commerce, the biggest business lobby, wants the government to shoulder the burden for a cybercrime victims’ fund and tougher enforcement, but it does not support tougher standards on businesses themselves.
One reason American firms are vulnerable to cybercrimes is reluctance among some businesses to spend what it takes to defend themselves. “Companies basically treat it as a business loss,” says Scott Bethel, CEO of cybersecurity firm Integrity ISR. “They don’t want to spend the money to meaningfully defend against it. With ransomware, we don’t have a strong enough set of firewalls. Whatever they’re asking, we’ll pay it.”
Many firms have insurance that covers the cost of cybercrime, which is both a defense and a problem. While insurance helps firms cover losses, it can also create a false sense of security and a disincentive to establish tough digital defenses. An April report from a tech-industry ransomware task force cited evidence that hackers specifically target firms with ransomware insurance, since they’re more likely to nab a big payout. Colonial tapped insurance to pay at least some of the $4.4 million ransom it paid to a hacking group in June. The task force recommended better coordination among insurance firms to set security standards for companies buying coverage and share data on hacking organizations.
Whether governments should ban ransomware payments is a thornier issue. The argument in favor of a ban is pretty simple: if companies can’t pay, hackers will stop targeting them. In practical terms, however, the consequences of a ban could be ugly. Hackers could shut down some companies unable to pay, harming customers, employees and shareholders. Attacks might dry up eventually, but only after collateral damage that could be considerable.
Governments could create funds to assist ransomware victims, but that would raise questions of fairness if funds went to firms with weak security against attacks. The ransomware task force argued that before banning ransom payments, the government should establish standards for cybersecurity and provide liability coverage for businesses that suffer an outage due to hackers. Any ban should be phased in, starting with critical industries and businesses first.
Biden signed an executive order in June requiring businesses that provide IT services to the federal government to report cybercrimes. It would take Congressional legislation to insulate this order from legal appeals and extend it to other companies more broadly. The August 25 gathering of CEOs yielded some further developments. Microsoft and Google said they’ll spend billions of dollars during the next five years to improve cybersecurity. Amazon said it will open its in-house cybersecurity training to the public. Coalition, an insurer, said it will make its cyber risk assessment tools publicly available. The government’s standard-setting body will work more closely with industry to protect supply chains.
It’s a start. But it remains unclear if Congress will prioritize matters requiring legislation, such as a mandate to report attacks. Biden has said cybercrime targeted at U.S. companies has become so serious it could trigger a “real shooting war” with Russia or another adversary. America’s CEOs don’t want that, but they also don’t want to bear responsibility for a costly and complicated problem if Uncle Sam could handle it for them.
Rick Newman is the author of four books, including “Rebounders: How Winners Pivot from Setback to Success.” Follow him on Twitter: @rickjnewman.