The pressure is mounting on the White House to produce some kind of coherent action plan to tackle the ransomware epidemic sweeping the US and the world. But while we wait for the details on that, news emerged over the weekend that the government may unwittingly be providing another incentive for victim corporations to pay up when confronted by a breach.
According to the Associated Press article, the Internal Revenue Service (IRS) may allow these companies to deduct any payments from their annual tax bill. It’s exactly the opposite of what needs to happen.
A growing menace
We all know the incredible pressure organizations are under today from a highly motivated, well-resourced, and growing number of threat actors. Trend Micro detected a 34% increase in new ransomware families in 2020 versus the previous year, and that’s not counting the large number of affiliate groups that have sprung up over the past few months.
They’re using increasingly sophisticated tools and techniques to get what they want: multi-stage APT-style attacks using legitimate tools to move laterally and exfiltrate data, and quadruple extortion tactics. There will always be a chink in the corporate cybersecurity armor for these actors to penetrate. The challenge for many up until now has been to find the right detection and response tooling to spot and react to breaches before the bad guys have had a chance to do any damage.
Time for action
Attacks on Colonial Pipeline and JBS brought home to senior policymakers the reality that many critical supply chains may be at risk. To its credit, the Biden administration has already begun to ramp up a response to the growing menace of ransomware. So far it has:
- Issued a letter from the National Security Council’s chief of cyber urging companies to take the threat more seriously
- Set up a DOJ Ransomware and Digital Extortion Task Force to centralize and coordinate investigations
- Reportedly moved to treat ransomware as a national security threat, unleashing the power of national intelligence agencies on foreign cyber-criminals
- Given President Vladimir Putin a list of 16 critical infrastructure entities that should be off limits to cyber attacks
However, we’ve yet to see these policies bear fruit. Trend Micro stands with the FBI in urging victim organizations not to pay their extorters. Doing so has in many ways led to the situation we’re in right now. Seeing the opportunity for easy money, threat actors have piled in to steal corporate profits. They know the victims will usually pay up if they choose private companies with hundreds of millions in annual revenue. And they know they will be protected by living in jurisdictions where such attacks are tolerated, as long as they’re directed outside the country at “rival” nations.
The bottom line is that we need more disincentives for organizations to pay ransoms. It’s already happening in the cyber-insurance industry, where AXA was recently reported as halting the reimbursement of ransom payments for its French clients. We can also hope that, over time, insurers get more prescriptive about policyholders’ existing security measures, which will hopefully drive up best practices across the board.
In the meantime, removing the tax incentive would seem like a quick win for the government. The deduction does nothing but further encourage payments, which in turn perpetuates the ransomware threat. It’s not the only thing that needs to happen. Better threat detection and response would also help. But it would be a start.