It is good to see US government leaders realize that
ransomware is a growing existential threat to our country, at the hands of our
adversaries. 

A top US national cybersecurity advisor stated
in a recent op-ed, “This is a troubling practice that must end.”  The government is looking at ways to disrupt
ransomware attacks.  One tactic is to get
cyber insurance companies to stop reimbursements for ransoms.

Undermining ransomware is possible, but the only path is to
outlaw digital extortion payments.  This
targets the root of the problem by undermining the motivation of the attacker. 

For decades, cybersecurity and insurance companies have taken
advantage of growing attacks and fears to sell their products, which have not provided
a meaningful solution to stop the widespread surge of ransomware.  It has become a self-serving profit center to
motivate customers to purchase more tools and policies for a problem they are
not solving.

Security controls are a costly tactic where the attacker
maintains a significant overall advantage because they can quickly adapt, thereby
requiring more tools to be purchased by the potential victims who are caught in
an endless spending cycle.  Insurance
does nothing to reduce attacks, as it is a mechanism to transfer risk.  In fact, paying the attacker simply motivates
them more, thereby precipitating even more attacks!

There are feasible and practical plans
that would work.  However, security and
insurance companies are the first to cast doubt on any plans that may disrupt
their revenue streams.  Their narratives
are foreboding, but when closely examined, the fears of outlawing payments are largely unfounded. 

As a nation, we are beginning to see how digital extortion is
effectively being used by international adversaries and cybercriminals.  The trend will continue, rapidly causing more
extensive harm.  Traditional measures,
like continually adding more security tools, continue to fail in fundamental
ways, and we must take a different approach.

It is time for the US government to take a serious step
forward to undermine ransomware, without creating an unnecessary financial
burden on the potential victims, by outlawing digital extortion payments.

*** This is a Security Bloggers Network syndicated blog from Information Security Strategy authored by Matthew Rosenquist. Read the original post at: https://infosecstrategy.blogspot.com/2024/10/are-leaders-ready-to-break-ransomware.html