The hotel and entertainment company MGM was the target of a massive ransomware attack last September that disrupted operations for days and reportedly cost it $100 million in revenues. In February, the payments processing operations of UnitedHealth’s Change Healthcare were affected by a ransomware group, costing an estimated $1 billion per day. The increasing frequency of cyberattacks should be a five-alarm warning for businesses and governments, which have squandered the last 25 years hopelessly tethered to a remarkably insecure internet. Hackers seem to have figured out what America’s executives and policymakers have been slow to conclude: data-transmission pipelines are not only ransomware gold, they are also easy pickings.
In 2021, there were reportedly 623.3 million ransomware attacks and another 236.1 million in the first half of 2022, accounting for approximately 20 percent of all global cybercrime. Even before the wide-scale use of ransomware, we seem to have been defenseless against Russian and North Korean interests that launched digital viruses and malware such as WannaCry ($4 billion in damages), NotPetya ($10 billion in damages) and Sodinokibi ($200 million in damages) that could immobilize commerce, extort money and bring some aspects of modern life to a halt. And the increasing availability of relatively cheap cyber technologies that can be used as online weapons is rapidly changing the balance of power, allowing nations like North Korea to punch above their weight in cyberspace.
Ransomware is not new. It is the modern-day mutation of a very old extortion racket. Executives of Italy’s major corporations were routinely kidnapped for over three decades until 1991, when a law was enacted permitting the government to freeze the assets of the families of victims so that they could not pay the ransom. That may have seemed harsh, but it worked. Data kidnapping began around that time, when a Harvard-taught evolutionary biologist named Joseph Popp allegedly sent floppy disks to addresses all over the world that locked up computers unless the user sent him money.
Old-world solutions have been tried in response to these new-world problems. Ransomware insurance, for example, reimburses companies for payments made to unlock their data. But this is precisely the wrong way to eliminate a business built upon the extortion of money, telling cybercriminals that there will be a pot of gold at the end of the rainbow. Making the payment of ransoms illegal would, as in Italy, undercut the reason to engage in the business. But that would make it imperative that organizations isolate their data in secure, reliable and immediately available backup systems, an aspirational goal at best. Not much will change until policymakers decide to reconfigure the internet and control the financial lubrication that allows crimes like ransomware to work: cryptocurrencies.
Digital pipelines and networks must be reconfigured into ecosystems with real authentication, governance and a police force that everyone knows how to reach. Both machine intelligence and human common sense must also work together to limit the impact of the mistakes people make that lead to network penetrations.
Dealing with cryptocurrencies should be easier. After all, to date, their highest and best use has been to facilitate reprehensible online crimes, including the distribution of child sexual abuse material and the financing of human trafficking and terrorism. But until cryptocurrencies are registered and regulated and issuers are forced to submit to the jurisdiction of any country where they are available, ransomware will proliferate and lead to even bigger and more damaging online crimes.
Congress should ask itself how — despite the collapse of crypto values in 2021, the dramatic fall of FTX’s Sam Bankman-Fried and the criminal admissions by Binance — random computer codes with no intrinsic value created by people we can’t even find and moderated by mysterious coders around the world can continue to grow. And the one thing any money or investment covets — backing by a government or central bank — cryptocurrencies despise.
Could it be that cryptocurrencies are still around because they are so vitally important to the commission of online crimes?
Bringing order to the wild west of cyberspace while regulating cryptocurrencies may seem like a heavy lift given that it will be offensive to crypto-culturists, inconvenient for users, costly for businesses and challenging for governments. The increasing blizzard of hostile cyber events seems only to further numb us to the fact that our security is in jeopardy, since many of these events may be the initial reconnaissance missions of adversaries seeking to identify the most effective way to petrify networks, steal databases, generate billions of dollars and even prosecute cyberwar. If that is so, a little digital inconvenience and greater online costs will be a small price to pay.
Thomas P. Vartanian served in the Carter and Reagan administrations as a bank regulator and is currently the executive director of the Financial Technology & Cybersecurity Center. He is the author of “The Unhackable Internet.”