THE D.C. police department finds itself in a terrible situation — and also in good company. Cybercriminals have attacked at least two other police departments in the United States in the past six weeks, and now the District joins their ranks: confronting a demand that it deliver a ransom to avoid the perpetrators leaking what they claim are 250 gigabytes of data.
The District has acknowledged the breach and announced it is working with the FBI. But authorities won’t say whether they’re in conversation with the Russian-speaking group Babuk, which threatened to release officer disciplinary files, background investigations, lists of informants and more should the D.C. police refuse to fork over an undisclosed sum. Babuk said in an interview with a Polish cybersecurity website that “negotiations are ongoing,” and the set of files Babuk posted to tease its holdings, accompanied by a threat to “contact gangs,” did disappear within hours.
The D.C. police department surely fears for the safety of its employees as well as the integrity of its operations. The hospitals and other health-care facilities felled by ransomware that locks up their systems until they accede surely fear, similarly, for the lives of their patients. In October, the University of Vermont Medical Center couldn’t treat some chemotherapy recipients because their records had been rendered inaccessible. A new report from the Institute for Security and Technology says the average downtime caused by this extortion is 21 days; the average time to fully recover is 287. Cities, schools and everyday businesses are also under siege.
All the same, D.C. police shouldn’t pay, and neither should the other organizations and government agencies suffering under the onslaught of similar incursions. The best way to discourage these crooks, after all, is to make their enterprise unprofitable — which is why the government should consider prohibiting victims, at least under certain circumstances, from payment. One effect of such a ban could be to push underground those victims who are desperate to get back online but fearful of prosecution, so it should be carefully crafted to encourage cooperation with law enforcement. And crucially, any rules against compliance with hackers must be accompanied by meaningful aid to help potential targets make themselves less vulnerable as well as to recover from any trespasses that do occur.
The Institute for Security and Technology report offers a few places to begin, including by designating ransomware as a national security threat and forming an interagency task force devoted to its disruption. New response authorities that victims can easily access might also be necessary, as might a fund to prop up those who refuse to pay. Another way is to enforce the same anti-money-laundering and “know your customer” rules that apply to the banking industry on cryptocurrency exchanges. And critical organizations should be required to adopt basic security measures; never should the password to an essential system be “password.”
There’s much Congress and the federal agencies can do to make situations such as the one D.C. finds itself in today more unthinkable than inevitable. They must start right away.