US government rejects ransom ban to spur disclosure


To pay or not to pay: that is the ransomware question that has occupied the US government as it debates whether to ban payments to attackers, raising moral dilemmas along the way.

Ultimately, U.S. officials decided against an outright ban, Anne Neuberger, deputy national security adviser for cyber and emerging technologies at the National Security Council, said earlier this month at the Code Conference.

“It’s so difficult and there’s still a lot of work to be done to improve the security of the technology, to improve the cybersecurity of the systems, that we would essentially be pressuring victims to have their payments undercover,” Neuberger said.

The US government would rather organizations reach out, seek help and recover quickly, as the Los Angeles Unified School District did earlier this month after being hit by what Neuberger described as a “crippling ransomware attack.”

A moral dilemma remains over ransomware payments, especially when the human context is considered, she said. That consideration runs up against the desire not to incentivize the next attack by making a payment.

Even though there is no outright ban, authorities actively discourage ransomware payments.

Instead, the advice is to follow what Neuberger described as basic cybersecurity practices: consistent backups stored offline, multi-factor authentication, and data encryption.

“Our first, really strongest request is to do these practices, because then you’re only really protected against the most sophisticated attackers,” Neuberger said. “Beyond that, if anyone is affected, contact the FBI, as the Los Angeles Unified School District has done [earlier this month], and we will increase support to help you recover.”

Federal authorities also discourage insurers from paying ransoms, but insurers can play an important role in reducing the overall rate of ransomware occurrences, according to Neuberger.

Insurance companies should encourage good cybersecurity practices by imposing higher compliance thresholds for underwriting approvals and offering lower premiums to organizations that meet those goals, she said.

“This makes it much more difficult for attackers because many attackers are using known vulnerabilities where patches are available,” Neuberger said. “If we could raise the bar so that a striker has to come up with something new every time, we would see the number of attacks drop dramatically. It’s far too easy today.”


Elaine R. Knight