US tech pushes for ransomware to be designated a national security threat

Big US tech companies and officials are urging governments to designate ransomware as a national security threat in a push to combat a hacking epidemic that has cost businesses tens of millions of dollars. 

Tech groups including Microsoft, Cisco and Amazon, cyber security companies such as FireEye and officials from the FBI and US Department of Justice have published a report calling for a number of measures to tackle the lucrative criminal enterprise.

Ransomware involves hackers seizing control of organisations’ computer systems or data by installing illicit software, and returning the assets only after a ransom has been paid.

The public-private Ransomware Task Force argued that such attacks should be deemed a national security threat, pointing to the risk to citizens from a relentless assault on hospitals, local authorities and critical infrastructure.

It called on governments to create international coalitions to tackle the problem and to “exert pressure on nations that are complicit or refuse to take action”, for example through sanctions or by withholding aid or visas.

The calls came two weeks after the US Treasury accused one of Russia’s intelligence services, the FSB, of “cultivating and co-opting” EvilCorp, one of the most notorious ransomware groups. Many cyber criminals operate outside of the jurisdiction of US authorities. 

“Ransomware, in particular, is a tremendous collective action problem for a lot of reasons,” said Michael Phillips, chief claims officer at cyber insurance group Resilience and a co-chair of the task force. 

He cited “the increased nation-state competition in the digital space, and nations that are either unable or unwilling to enforce laws preventing sophisticated cyber criminals from launching these attacks or creating an ecosystem that supports them”.

Last week, the US justice department set up its own initiative for tackling ransomware.

Ransomware attacks have become increasingly prevalent as criminals have used cryptocurrencies such as bitcoin to collect payment without being tracked. Hackers have also begun hiring out their expertise in what is known as “ransomware as a service”.

Attacks have also proliferated in part because of a culture of silence among cyber crime targets, with companies nervous about reputational damage and hesitant to disclose when they have been hacked, experts said.

Estimates of the damage from attacks vary, but the US justice department said that ransom demands averaged more than $100,000 and in some cases were “up to the tens of millions of dollars”.

This week, the Metropolitan Police of DC confirmed that it had been hacked after a ransomware gang said it had stolen 250 gigabytes of data from the force and were trying to extort it and its informants.

Among its recommendations, the task force report called for a government-created “ransomware recovery fund” to support victims as well as more targeted efforts to disrupt criminals’ digital infrastructure, such as the servers they might need to operate. 

It also recommended greater government oversight of cryptocurrency exchanges, kiosks and over-the-counter markets to ensure they followed “know-your-customer” and anti-money-laundering laws.

Kemba Walden, assistant general counsel at Microsoft’s Digital Crimes Unit and a member of the task force, said that authorities and the cyber security community needed to move from a “disjointed, parochial” stance to target bad actors “as the criminal syndicates that they are” in a lucrative industry. 

“The tactic for countering it has to really be able to shift that balance — making it less profitable and more costly to enter,” she said.

Daily newsletter

#techFT brings you news, comment and analysis on the big companies, technologies and issues shaping this fastest moving of sectors from specialists based around the world. Click here to get #techFT in your inbox.