On July 30, Congress pulled the fire alarm about ransomware attacks on financial institutions, issuing the “Public and Private Sector Ransomware Response Coordination Act of 2024,” a bipartisan bill directed to Secretary of the Treasury Janet Yellen. The report prompted new legislation calling for more coordination between the public and private sectors on prevention and response measures.
While this bill may be a step in the right direction, whether it is the right one will only become clear over time, and will depend on other factors outside its scope.
Positive Elements of Proposed Cybersecurity Law
Cybersecurity practitioners will appreciate several aspects of this bill:
- It emphasizes the importance of collaboration between the public and private sectors in cybersecurity. This recognizes that threats increasingly blur the lines between nation-state actors and commercial entities.
- It highlights the need for information sharing and expertise exchange to effectively protect both public and private infrastructures.
- It raises concerns about potential pitfalls, such as the risk of cybersecurity becoming a mere compliance exercise if not executed in the true spirit of collaboration.
True and effective public/private partnerships leverage the strengths of both sectors. Government policymakers can focus on regulation, while cybersecurity experts handle the technical aspects. This division of labor ensures that each side plays to its strengths, leading to better overall outcomes.
The financial services sector is being used as a starting point for these partnerships. This is because of its critical role in the economy, which some believe justifies government involvement. The balance between government oversight and industry autonomy is a key consideration.
The financial industry has been a significant target for threat actors in recent years. A recent report from SonicWall found that ransomware is still on the rise globally, with a 15% increase within North America alone in the first five months of 2024.
The Bill’s Feasibility
In cybersecurity, where time is critical, it’s natural to want faster action. However, that’s not realistic.
For years, experts have advocated for changes, such as incentivizing vulnerability patching in sectors like healthcare and industrial control systems. But progress has been slow because of the financial implications for companies. While quicker action would be ideal, taking some action is better than doing nothing.
The current emphasis on ransomware in this bill is notable. That said, ransomware is just one part of a larger cybersecurity problem. It might be more effective to pursue broader cybersecurity solutions rather than focusing solely on ransomware.
Statistics show that business email compromises (BECs) are more common than ransomware attacks. However, it’s also important to not chase the latest trend in cybersecurity, as the threat landscape always evolves.
Ransomware: To Pay or Not to Pay
The pros and cons of paying ransoms have long been debated in cybersecurity. The main argument against paying is that it funds criminal activity, encouraging more attacks. If we keep paying, cybercriminals will continue targeting industries where money is abundant, like the financial sector. Additionally, paying a ransom is risky because you’re relying on criminals to keep their word, which is far from guaranteed.
However, some ransomware groups have developed a reputation for delivering on their promises to maintain their business model. Ultimately, the decision depends on the specific situation. If a company can avoid paying, it should. But there are cases, especially for small businesses, where the financial and operational impacts of not paying could be devastating. In extreme scenarios, like those involving patient care in hospitals, the stakes are even higher. The decision then becomes a moral dilemma.
The real focus should be on businesses preventing ransomware attacks by strengthening security measures. Ransomware is a symptom of deeper security issues, and we need to address those root causes. I look forward to the outcome of this public/private collaboration and its effectiveness in getting things done. Reports and plans are fine, but real action will be the deciding factor in the success — or failure — of this initiative.
Douglas McKee is the executive director of threat research at SonicWall.