The Ever-Increasing Menace of Ransomware in 2021

I attended the MAPLE-SEC conference this week, which I thought gave a good overview of the state of cybersecurity and cybercrime in Canada in 2021.

One thing we learned during the conference was that a majority of businesses faced with a ransomware incident during the last year ended up paying the criminals, to get their data back and/or to avoid its disclosure to third parties. Not too surprisingly, this type of crime is consistently on the rise, as the typical victim ends up capitulating and rewarding the criminals by paying some sort of ransom.

We also learned recently that a 2021 report by cybersecurity firm Sophos revealed that about a third of businesses were the victim of some sort of ransomware attack during the last year. That makes for a lot of businesses and data!

With stats like these, it’s not surprising that insurers offering cyber-insurance products are now feeling the pinch. Cyber-insurers are apparently losing considerable money on this type of policy. Because of this, an expert in insurance law who spoke at the MAPLE-SEC conference warned everyone that cyber-risk insurance coverage is about to get substantially more expensive for businesses everywhere. His advice was to get the best cyber-insurance you can afford, right now.

Recent stats clearly show that ransomware is, unfortunately, here to stay, as we now seem to be paying the price for having collectively minimized the importance of cybersecurity for so long.

Allowing Insurers to Pay Ransoms from Ransomware Attacks: A Bad Good Idea

Faced with a seemingly endless series of ransomware attacks, some businesses are now turning to insurers to make sure they are in a position to pay eventual ransoms. Insurers realized a while back that some companies would pay to insure against the risk of facing cyberextortion and having to pay to recover their own data. Once covered by such a policy, a business can essentially have the insurer pay the ransom that cybercriminals are demanding when the business falls victim to ransomware that encrypts its data.

Recently, the European insurer AXA decided to stop offering this type of coverage in France, partly in response to comments from French authorities suggesting that this type of coverage is essentially counterproductive and, as such, may be something France would soon prohibit. Indeed, according to many (including the FBI), the existence of insurance coverage of this type actually encourages the ransomware industry, because it increases the odds of convincing the typical victim of such an attack to pay a ransom.

In what may be a clue that withdrawing this type of coverage does not play into the hands of criminals, shortly after its announcement AXA’s Web servers were the target of a DDoS attack, in what may be seen as retaliation. It seems criminals do want insurers to keep paying ransoms, which may be a reason to rethink allowing it in the future, if you ask me.

Even though forbidding payments by insurers is not likely to stop ransomware, many are now calling for a global strategy that may allow us to collectively fight the problem, including by ceasing to pour oil on the fire, so to speak. Sure, insuring against this risk is convenient, but is it the right thing to do in the grand scheme of things? The question stands.

Corsairs and Cyber Pirates: Should We Consider Bringing Back Letters of Marque?

The Wall Street Journal recently published an article entitled A Maritime Solution for Cyber Piracy, which grabbed my attention. The author, a lawyer who used to work for the Air Force, suggests we may want to look into the concept of letters of marque so as to shore up the U.S.’s cyber-defences.

Such “letters of marque” (also called letters of permission or of commission) were licenses granted by the U.S. government empowering certain citizens or groups to participate directly in the defence of commerce or of the nation itself. Though common a few hundred years ago in Europe (and later around America), such licenses largely disappeared in the 19th century, as countries acquired navies capable of policing sea lanes without having to resort to privateers. For a time, though, the idea of “privateers” (or “corsairs”) sinking or capturing enemy (or pirate) ships in exchange for a reward was fairly commonplace. Faced with security issues they could not deal with themselves, many countries compromised by asking private parties to do what they could not, often with the promise of a bounty or reward to get the job done.

Recent high-profile cybersecurity incidents seem to indicate we may collectively be facing a situation somewhat akin to that faced by the U.S. in the 19th century, at a time when the government was unable to deal with the nation’s security by itself. Could it be that rampant cybercrime has brought about a similar situation? An argument to that effect can certainly be made.

Interestingly enough, the fact that the NSA is prohibited from watching domestic networks too closely may militate in favour of this idea, as a way to fill that gap. If the main watchdog cannot act once cyberpirates have penetrated targets in America, one might argue we need help that private parties may be especially well positioned to provide.

Given the growing threat of cyberpiracy, including to critical infrastructure (such as the pipeline recently shut down by a ransomware attack), the author argues that we may want to start looking at the concept of letters of marque. Given the apparent inability of the U.S. government to stop the threat, one might argue it may be time to try to incentivize private citizens and businesses to report and go after cybercriminals.

Interesting idea, no doubt. One has to admit we definitely seem to need a new set of solutions if we hope to tackle cybersecurity issues in a proactive manner. Though I’m not sure how this would work in practice, I think it may indeed be time to start incentivizing private parties to help our collective efforts to thwart cybercriminals.