Earlier this week the UK National Cyber Security Centre (“NCSC”), a wing of GCHQ and one of the world’s leading repositories of expert knowledge about cyber-attacks and cybercrime, published a White Paper on the ransomware cybercrime ecosystem. It provides fascinating insights into the rapidly evolving nature of the threats, with recommendations on preventive and protective measures that organisations can take to increase their resilience. This publication was quickly followed by a Memorandum of Understanding between the NCSC and the Information Commissioner’s Office, about how they will work together to help improve cyber security.
Both publications, like countless others before them, demonstrate that there is a significant effort being made by public authorities to address ransomware attacks and other cyber risks. This pattern is mirrored around the world and rightly so: cybercrime in all its forms is a matter of utmost public importance and ransomware attacks are among the most disruptive of its variants, in terms of the effects felt, which is due in part to the seemingly indiscriminate nature of these attacks – any organisation can be effected, either directly, through an attack on its systems, or indirectly, through a supply chain attack – and because the express goal of the attacker is for their crime to be highly visible, unlike other forms of cybercrime where the goal is to remain hidden, such as surreptitious espionage.
However, a basic question remains: if ransomware is so problematic, why are organisations still allowed to make ransom payments? Surely, a ban on payments would make ransomware attacks pointless, leading to a significant reduction of the problem?
Before dealing with that question, let’s look at some of the factors in the cybercrime ecosystem that have enabled ransomware and other cybercrimes to grow in volume, severity and, insofar as law enforcement is concerned, intractability, some of which are discussed in the NCSC White Paper.
Criminals, victims and law enforcement
When we think about cybercrime, perhaps our minds turn immediately to the technical and technological issues that are involved, but a critical preliminary point to note is that the growth of cybercrime depends as much upon key “human factors” as it does the technical and technological ones. The human factors relate to the three principal actors involved in crime, namely the criminals, the victims and law enforcement personnel.
There are many theories in criminology that can help to explain why people turn to crime, such as Rational Choice Theory which suggests that the issue is one of risk versus reward. If the risks of identification, detection, apprehension, prosecution and conviction are low in comparison to the rewards of crime, people may choose to take the criminal path, as a rational choice. There are other theories that provide complimentary or alternative explanations that relate to social and situational circumstances and ones that concern personality, character, beliefs, norms and culture.
Similarly, there are an array of theories that explain why people are susceptible to crime. For example, behavioural theories suggest that low levels of self-control can lead to risk taking online, which creates exposure to cybercrime, while low self-efficacy (belief in one’s abilities to deal with a problem) or an external locus of control (reliance on others, rather than self) can aggravate the overall impacts and effects of cybercrime.
As far as the effectiveness of policing and law enforcement are concerned, there are myriad issues in play, covering availability and quality of resources issues (skills, capabilities and number of personnel), challenges with reporting and recording of cybercrime, and problems concerning legal jurisprudence and the operational effectiveness of the criminal justice system. Thus, if there aren’t enough trained police to deal with cybercrime, or if people will not report cybercrime, or the law does not support arrests and prosecutions, this will directly impact the risk-reward calculation performed by cybercriminals.
Human factors applied to the technical and technological issues within cybercrime
Some of the technical and technological issues within cybercrime are as follows:
The Internet has globalised cybercrime
Let’s start with the Internet and the Darknet than runs over the top. These technologies have enabled cybercrime to be conducted remotely, from anywhere in the world. This means that a cybercriminal can be in a jurisdiction where laws are weak, or where they are safe from arrest and mutual legal assistance in transnational criminal matters. The macro, geo-political problems within the criminal justice system – e.g., extradition challenges – are compounded by case-specific ones, such as difficulties encountered by law enforcement in gathering forensic evidence: leaving aside the question whether the legal powers are sufficient to enable evidence to be gathered, often critical evidence is destroyed by cybercriminals as they clear their tracks, or it is simply out of reach and unobtainable due to physical remoteness.
Increasing connectivity and time online
Increasing connectivity – e.g., due to the increasing penetration of The Internet of Things and ready availability of smart personnel devices – and time spent online – e.g., due to the transition to hybrid working after the Pandemic – puts more people and organisations at risk of cybercrime, due to the increase in the number of available targets and the size of the attack surface. Concentrations of people and organisations in online environments, such as multi-tenanted Clouds, amplifies the potential “blast zone” for attacks, which is why ransomware has focused recently on things such as Cloud-based file sharing systems.
Anonymity preserving and enhancing technologies
Anonymity preserving and enhancing technologies also aid cybercriminals, because without an identity a crime is hard to attribute to a particular person and without identification and attribution you cannot arrest a person to bring them before the courts. These anonymity preserving/ enhancing technologies span the misuse of legitimate technologies such as TOR, VPNs, Virtual Machines, End-to-End-Encrypted communications and Cryptocurrencies and the use of grey infrastructures and services, such as “bullet-proof” hosting.
Darknet markets and criminal fora
The Darknet and Darkweb can provide secure environments for cybercriminals to interact, do their business and to evolve their business models. Some of the new business models are outlined in the NCSC White Paper. Examples to note are Crime as a Service (CaaS) and the cybercrime Gig Economy. These enable new, would-be cybercriminals to enter the world of cybercrime, or more established cybercriminals to expand their activities.
For example, where criminality once needed technical hacking skills learned over many years, CaaS gives relatively unskilled persons the opportunity to rent and buy ransomware attack kits, access services and credentials, so that they can be up-and-running as soon as they have established their trustworthiness in the eyes of their cybercriminal peers who supply them. The Gig Economy means that cybercriminals can market their services and gain placements within organised crime groups, looser criminal networks and in affiliations. This means that a hacker might be engaged by an organised crime gang one day, followed by a Nation-State actor the next.
Crime as a Service and the Gig Economy also mean that identification and attribution is made even harder, because the use of a particular attack method is not necessarily a unique or distinguishing identifier and because previously unique and distinguishing attack methodologies are blended into new ones. Another consequence of these new business models is that cybercrime strategies can be developed, because the outsourcing of particular attack and support functions frees up time for the criminal mastermind to hone their thinking and approach.
Cryptocurrency to launder proceeds of crime
Related to the idea that cryptocurrency is an anonymity preserving/enhancing tool is the fact that it has enabled money to be laundered at industrial scale. Before the invention of cryptocurrencies, money had to be laundered through the official, State-regulated financial services system – which in many countries is subject to strict Know Your Client (“KYC”) legal requirements – or as cash in very small amounts often involving money mules, which amplified detection risk and increased overheads. Cryptocurrencies bypass the established mechanisms of financial services regulation and this is perhaps the single most important technological driver of Ransomware attacks. Add in mixers, privacy coins and the like and you end up with a launderer’s paradise.
You cannot have an article about technology without mentioning AI and, of course, cybercriminals have just as much interest in this topic as anyone else. Sure, the leading AI models have been designed to bypass criminal and deviant use, but it is possible to bypass them with clever questioning and patience, as my crude example in the accompanying screenshot seeks to illustrate (I’m the guy with his thumbs up). So AI will add rocket fuel to cybercrime growth, just as it will for any other form of growth.
Moreover, in ten years’ time, perhaps we might add Quantum Computing into the mix.
All of these technological developments tip the balance in favour of cybercriminals, in contrast to victims and law enforcement. Plus, we also need to keep in mind that cybercriminals only have to be successful once, whereas would-be targets have to be successful in their defences all of the time.
Against this backdrop, let’s talk about the elephant in the room.
The elephant in the room – ransomware payments are allowed!
Paying ransoms is not illegal in most countries. In the UK, if you are not paying a ransom to an entity that is on an economic sanctions list or a proscribed terrorist list, you are safe to pay, and the criminals know that, which is why they keep on coming.
Essentially, the way it works in the UK – which is a formula applied by victims of ransomware attacks, cyber security experts, law firms and insurance companies – is that you begin with attribution, in the sense that you seek to establish an identity for the attacker, utilising indicators of compromise, threat intelligence and other evidence. Then you run the name that you have alighted on through the various official sanctions/terrorist lists published by the government, then you take legal advice on the results of these searches. I won’t go deeper into the legal formulas that are applied, but it is very rare for an organisation to have reason to believe, suspect or conclude that they are dealing with a banned entity and part of the reason for this is the attribution problem.
The more you think about this, the weirder it all seems, because what we have in the UK is a situation where payment of a ransom can be indirectly illegal – due to infringing sanctions/terrorism law – but not directly illegal. So we seem to have our feet in both camps: ransom payments are legally not ok and ok, with an arbitrary distinction between them based on accurate attribution that is nigh on impossible to achieve. The law suffers from a split personality and it sends out mixed messages.
This is further evidenced by another publication that involves the NCSC and The Information Commissioner, namely a joint letter to the heads of the Law Society and Bar Council, the professional organisations for lawyers in England and Wales. The letter says that:
“Law Enforcement does not encourage, endorse nor condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia) – and their associated public guidance – may change that position.”
This letter recognises that ransom payments are “not usually unlawful” (or, removing the double negatives, “are usually lawful”), but while it states the position of “law enforcement”, it’s important to appreciate that it does not address the position of lawmakers, i.e., the legislature, which in the UK enacts government business. This distinction is critical, as I perceive the position of the lawmakers to be the crux of the matter, and I would argue that when seized with an issue of such massive public importance, there is at least a condoning of ransom payments by them, by dint of their willingness to leave the law as it is.
When we look at things in this way, the split personality in the legal system is clear: it is represented by critical, highly respected bodies like the NCSC and ICO taking one position (which adopts the position of a third party, law enforcement) about the condoning of payments, while the lawmakers take another. This is very unsatisfactory.
The challenge to this observation is that the lawmakers are not condoning ransom payments at all, which brings us to the heart of the matter.
Why are ransomware payments allowed?
It would be a simple process to draft legislation that bans ransomware payments. The Act of Parliament would not need to be long, perhaps just one section. There are many ways that this could be approached, such as:
“The payment of money or moneys’ worth in response to a demand with menaces within the meaning of section 21 of the Theft Act 1968 where such demand is preceded or accompanied by any offence within the Computer Misuse Act 1990 is prohibited. A person who makes a payment in contravention of the prohibit shall be guilty of an offence.”
I do not pretend that this is a perfect formulation, as I spend only a few minutes on it, but it should illustrate the point.
So why hasn’t a ban been introduced?
There a range of arguments against a ban, with the main ones being:
- Criminals won’t respect the ban. They will simply refocus their time and effort on different types of attack. In other words, crime will be displaced, not eradicated.
- The ability to pay a ransom provides a safety-valve, as it can help to de-escalate tensions in high-risk situation. Examples that are often cited relate to attacks on critical infrastructure and services, including healthcare where a life-or-death situation might be imagined.
These arguments can be analysed and challenged in many ways. The first argument seems to presuppose that there is a finite amount of crime, which will be channelled in particular directions and that the best, or least bad, option is keep a particular volume of it channelled into ransomware attacks on a better-the-devil-you-know basis. However, we know that there isn’t a finite amount of crime, or at least it’s not topped out yet, because it is on a continual growth trajectory. The argument also ignores the issues of motivation and incentives: despite the Gig Economy and the ability it gives for a cybercriminal to work for different criminal paymasters who themselves will have different motivations, it would be unrealistic to think that everyone who is motivated by financial gain will turn their attention to attacks with non-financial motivations, such as ideologically-driven wiper program attacks, if there was a ban. Moreover, we need to recognise the very real disincentives to escalating from ransomware attacks to more destructive attacks, such as wipers. NATO has recognised since at least 2014 that cyberattacks can constitute armed conflicts – i.e., war – and basic research about The Colonial Pipeline case will provide insights into how persuasive some of the disincentives can be.
On balance, I would expect there to be some displacement of crime volumes to another area if ransom payments were banned, but I would also expect that some cybercriminals would leave the market. There will also be natural displacement in any event, regardless of a ban, because financially motivated criminals are opportunistic and agile.
Also, with regard to the displacement argument, a causative factor for that outcome would not simply be a ransom payment ban. Security hardening must also operate as a displacement factor, because as we improve resilience to attacks, we reduce the options and targets available to the attacker. Thus our policy on resilience against ransomware attacks, as represented by the NCSC White Paper, causes displacement, from the hardened entity to the softer one. Therefore, if we are going to stand on displacement risk as a reason not to ban payments, it is only fair that we test the logic of this by reference to the displacement consequences of other security policies. The underlying effect of this might be that we regard some displacement factors as being ok and some not. If so, does that make sense?
In conclusion, measuring a displacement would be difficult and if the worry about displacement is connected to the-better-the-devil-you-know argument, we should be mindful about the quality of its evidential basis.
The safety valve argument suffers from similar problems. Sure, if an attacker that is angry at the loss of their ransomware revenue stream was to lash out with a destructive wiper program attack that could be catastrophic if the NHS was hit, for example. Likewise, for utilities, food and banks etc. However, the concern is a variant of the-better-the-devil-you-know argument.
Of course, these arguments – call them speculations, if you like – might not be representative of the ones operating behind the closed doors of the lawmakers. There might be other better ones, built on compelling evidence, which we are, or cannot, be privy to.
Whatever the basis of argument, what seems to be incontrovertible is that lawmakers condone ransomware payments. They may have very good reasons to do so, and we might all be supportive if we understand them, because condoning is not a nasty word.
Nevertheless, if ransom payments are to remain lawful, the incentives to demand them will not reduce and so the attacks will continue, creating an unbreakable, perpetual loop of cause and effect.