A swing and a miss by the 50 member countries of the International Counter Ransomware Initiative (CRI), headlined by the US, who have confirmed a commitment to collectively address ransomware.
Ransomware, as predicted, is growing at tremendous rates and focusing on critical infrastructure sectors that can impact vast numbers of citizens. It is such a blight that countries are banding together to see what can be done.
Everybody is looking towards the United States for leadership, yet the only tangible actions coming from the CRI are responsive in nature. The most powerful direction to address ransomware is little more than a feeble suggestion.
The CRI has recently trumpeted a collective plan to fight ransomware and outlined several pillars to combat these cyber-attacks. The actions are focused primarily on how best to react once an attack occurs, by reinforcing communication and enforcing collaboration, in attempts to respond to ongoing incidents.
Ransomware prevention is what they should be striving for
The only proactive approach that could stop ransomware from happening is being gently offered as a discretionary path.
The CRI recognizes that paying attackers only makes them stronger and incentivizes them to attack more, while severing payments, no matter how painful, weakens and greatly discourages attackers, and will ultimately grind their attacks down to insignificance.
But instead of instituting a ban on digital extortion payments, the coalition has opted to discourage “paying ransomware demands and leading by example”.
This non-binding advice is worthless, and no match for attackers “encouraging” victims to pay via threats of loss and a lure to get back up and running. This is not a war of words, but of actions.
Without regulations prohibiting payments following digital extortion, the ransomware threat will continue to accelerate, undoubtedly to the cheers of cybercriminals and aggressive nation-states across the globe. The path of obstructing ransomware payments is not easy, but it is achievable, and it will deliver enormous longstanding benefits.
The CRI was so close, but it has failed to do anything but apply rhetoric to a practical problem.
Sadly, the CRI knows what needs to be done – and it’s even recommending it. So, act already!
The international community is inches from winning. Yet they cede to the enemy and thereby allow a tremendous and growing victimization of the people, businesses, and economy which they seek to protect.
I am disappointed. I hope that more cybersecurity-assertive countries like Australia, Singapore, Finland, and New Zealand will step up and go that one step further. The ransomware threat can be systematically crushed in a highly economical and effective manner, but leadership is needed.