Jen Easterly Clarifies Stance on Possible Ban of Ransomware Payments. Says it may do more harm than good.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), recently commented on the possibility of banning ransomware payments in the United States. She was interviewed at the recent Oxford Cyber Forum where she clarified that such a ban is “off the table” for now.
Easterly’s response came during an interview with Ciaran Martin, the former head of the United Kingdom’s National Cyber Security Centre. In an article for The Times newspaper earlier this year, Martin had called for an outright ban on all ransomware payments. In discussing this proposal, however, Easterly said “I don’t see it happening” within the current US system, citing practical considerations.
Her remarks were not an offhand comment: how to address the growing ransomware threat is a top priority for cybersecurity leaders and organizations like CISA. For the time being, it appears that making ransomware payments a criminal offense has been ruled out as a viable strategy by the top US cyber defense agency.
The Potential Downsides of Banning Ransomware Payments
Easterly and other cyber experts have pointed to several concerns about banning ransomware payments in the US. The Ransomware Task Force identified some of these downsides in its analysis of policy options.
One issue is that prohibiting payments could end up harming ransomware victims more than helping. Small businesses in particular may not be able to withstand an extended disruption to operations if encrypted by ransomware and unable to pay to restore access. This could force some to permanently close due to the financial losses.
Law enforcement efforts could also be hampered if companies feel obligated to keep ransomware payments secret for fear of penalties. With less transparency and data about the criminal groups and their behavior, it becomes much harder for authorities to investigate and disrupt the ransomware problem at its source.
There are also worries about fake “data recovery” firms trying to exploit any ban on payments for their own profit. These scammers claim to decrypt or recover files without paying but really just negotiate secretly with the cybercriminals and charge large fees to victims.
CISA Favors Focus On Prevention, Reporting and Proactive Measures
Instead of prohibiting ransomware payments directly, Easterly and CISA favor continuing initiatives focused on proactive security strategies. Secure software development practices aim to drastically reduce vulnerabilities that attackers exploit.
The new Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) also mandates stricter incident reporting standards. By getting more comprehensive data about breaches and ransomware incidents, defenders can gain valuable threat intelligence to share.
CISA’s pre-ransomware notification program generated over 1,200 warnings in 2023 alone by detecting early signs of infiltration before ransomware is deployed. And law enforcement operations against ransomware groups like the takedown of the “LockBit” affiliate network show the effectiveness of collaborative investigations.
In the assessment of the US government agencies responsible for cyber defense, a blanket ban on ransomware payments is not the most prudent approach at this point. Instead, the priority remains prevention through improved security practices, and response through reporting, intelligence sharing and criminal deterrence. Only time will tell if this strategy succeeds in weakening the rising threat of ransomware.