- A majority of chief financial officers say Colonial Pipeline made the only decision it could, rather than a right or wrong decision, in paying bitcoin ransom to hackers, according to the Q2 2021 CNBC Global CFO Council survey.
- Most corporate boards have discussed hacking and its aftermath as part of meeting agendas since recent cyberattacks, according to the survey.
- The government has stuck to its position that hacking ransom should not be paid, and some experts think banning cryptocurrency is the answer, but others say there is no silver bullet solution that will end the ransomware cyberthreat.
When Colonial Pipeline revealed it had paid a $5 million ransom in bitcoin to DarkSide ransomware hackers, its CEO said the company made the right choice for the nation. Most top financial officers at major companies disagree: but only because they say there was no "right" to factor into the decision — paying up was the only choice the company could make.
Ransomware attacks highlighted by the Colonial and subsequent JBS hack, which targeted key providers of energy and food in the U.S., are expected to remain the top threat to individual enterprise networks, and the majority of chief financial officers' view on ransom is a sign that the standard language from government — that ransom should not be paid — might need to be stated, but will often fall on deaf ears when a C-suite turns into the corporate situation room.
A majority (62%) of U.S.-based CFOs responding to the recent Q2 2021 CNBC Global CFO Council survey said Colonial had "no choice but to pay the ransom."
Five percent of survey respondents said it was the "right" choice.
"The reality is their hand is being forced to pay," said Derek Manky, chief, security insights & global threat alliances at Fortinet's FortiGuard Labs.
Many board level conversations are taking place, and presumably, include discussion of the ransom decision. In the CNBC survey, conducted during the first half of June, 85% of U.S.-based CFOs said their boards have had a formal discussion about recent cybersecurity incidents and the aftermath of the events.
"It's a business for the hackers and a business decision on whether to pay for the victims," said Jim Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. For all of the concern about the critical infrastructure risk, Lewis says the Colonial and JBS hacks didn't actually pose much of a threat to national security. "Nobody died and GDP wasn't affected. That suggests that Colonial made the right decision to get it over with. If there was a threat, it was from panicky consumers hoarding gas."
Ransomware attacks can bring not only companies, but business leaders to their knees, personally.
"I've been in board meetings before where CEOs were literally in tears, crying because a 100-year-old family business is completely shut down," David Kennedy, a former NSA hacker turned founder and CEO of security firm TrustedSec, told CNBC on Monday.
One big negative of paying ransom: it effectively funds the efforts of criminal hackers to get even better at what they do, giving the ransomware groups even more capabilities to pursue ever-larger targets.
Kennedy said that is a reason his firm's general stance to clients is, 'please don't pay ransom."
But he added, "I've sat in a room with these people whose entire lives and employees lives are ruined and have no other option but to pay the ransom. ... At the end of the day, most of the time it's the only option they have to recover the business and stay operational."
Manky, who has worked with Interpol and the World Economic Forum on ransomware, said another reason there is a recommendation — though not a mandate to never pay ransom — is because there is never any guarantee that organizations see a restoration of data after paying ransom, or that the hackers won't be coming back for more once they've been in a network.
The U.S. government helped recover about half of the Colonial ransom in its own cryptocurrency hacking operation, but Manky cautioned, "a big takeaway here is recovery of funds is not always possible, and in fact, is highly unlikely. This is a fairly exceptional case. People can't have that as a backup plan."
The cyber field is divided, though, on whether banning cryptocurrency may be a potential solution to stop the ransomware wave.
Kennedy believes banning cryptocurrency would lead to a major reduction in ransomware, but it would be a painful process for companies, as hackers rush to to do even more attacks ahead of any ban.
"That would be a really bad short period of time," he told CNBC, with the attack surface spreading and many companies having no ability to recover if crypto payment was banned. "You could have 100 companies overnight ...completely shut down," Kennedy said. "It's not fair, at least right now, to say that."
The crypto ban view is contentious. In Silicon Valley, cryptocurrency firms and venture capital investors like Andreessen Horowitz, which recently raised a $2 billion crypto fund, have pushed back against the argument. And some policy experts agree it goes too far in searching for a silver bullet.
"Banning payment alone won't make a difference," Lewis said. He believes any payment ban would have to be part of a package of anti-ransomware measures, including collaborative international actions, insurance regulations, and steps to go after money transfers.
"We could help move things along by finding a way to require victim companies or their insurers to report payments. That would be a good first step towards fixing this. It also wouldn't hurt to squeeze cryptocurrency venders and exchanges. We need a package of responses," Lewis said.
The fact that some companies have cyber insurance policies does not mean they are enabled to pay ransom because they will get the money back that way. "Cyber liability insurance is a gray area, with catches and gotchas and gross negligence," Kennedy said, adding 40% to 50% of reimbursement is much more likely than ever receiving the full amount.
Mandia stopped short of suggesting a crypto ban would end ransomware, even as he noted, "Now you can commit crime from 10,000 miles away in a safe harbor."
The reference to safe harbor points to the multi-pronged approach experts believe will be required, and notably, Russia's alleged role in allowing these criminal organizations to operate freely within its geographic sphere of influence.
"There is no question organizations need to do more to protect themselves and lots of these companies are unprepared to handle the type of threats out there," Kennedy said. "Look at Russia and the high-end organized crime groups operating out of Russia. Until we hold them accountable we won't see a shift and a change in these ransomware groups out there."
Crippling the criminal sponsor programs like DarkSide that run what is now known as ransomware-as-a-service business models that extend to many affiliates is critical. And that effort should include financial reciprocation efforts such as freezing assets and being able to track and recover funds, which sends a strong message to criminals. But it's bigger than that, with organizations like DarkSide far from monolithic in organizational design or methodologies used in network attacks.
"At the end of the day, this is about the criminal kill chain," Manky said.