But it is clear that this is a landmark attack: It shows how vulnerable a nation’s energy infrastructure is and how profitable online extortion can be. Even though the Biden administration has just issued new rules on cybersecurity, it hasn’t yet offered ransomware victims any guidance about what to do or how to recover.
Ransomware is on the rise
We don’t have good data on how common ransomware attacks are or how much money is involved. Businesses in the United States are not required to report most ransomware attacks. But evidence suggests that online extortion has become more frequent and more lucrative for criminals in recent years. Now, ransomware has become well established enough that other criminal businesses provide ransomware-as-a-service, renting their tools to the criminals who actually carry out the attacks.
The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a joint statement attributing the Colonial Pipeline compromise to a group called DarkSide that provides ransomware-as-a-service products to other criminals. If you don’t have the technical skills to develop your own “malware” (harmful software), you can go to a provider like DarkSide, which will effectively rent you the code and infrastructure you need.
DarkSide wouldn’t be making that service available and people wouldn’t be paying for it if there wasn’t money to be made. Several factors make ransomware profitable and easy to get away with. Unlike criminals who steal payment card numbers or other personal information, the perpetrators of ransomware schemes don’t have to find buyers for stolen data on the black market. Instead, they sell access to that data right back to their victims, the one party guaranteed to want it. They don’t need to worry about whether the information is valuable to anyone else, or whether there’s so much similar information — as with stolen credit card numbers — available on black market forums that they can’t get a good price. And since their crime doesn’t involve payment card or identity fraud, it’s unlikely to be stopped by the banks or government agencies looking for financial fraud.
Now cybercriminals are hitting critical infrastructure
Ransomware has been a significant problem for nearly a decade, hitting targets including hospitals and local governments. But the Colonial Pipeline incident has had a far greater impact than most previous attacks. A possible exception is the NotPetya attacks of 2017, which have been attributed to the Russian government. But the Colonial Pipeline attack appears to have been carried out by a criminal organization.
People familiar with the investigation have linked the attack to Russian cybercriminals. They suggest that Russia’s willingness to turn a blind eye to cybercrime is emboldening those criminals to target “critical infrastructure,” meaning the essential systems that allow the economy and society to function, without worrying about consequences. If, as seems likely, the perpetrators of the Colonial Pipeline attack receive little more than a slap on the wrist for their actions and some harsh words from the United States government, they and others may conclude that the Russian government regards the U.S. energy sector as fair game.
The U.S. has no clear ransomware policy
Russia may encourage attacks by its refusal to bring the criminals responsible for the Colonial Pipeline shutdown to justice. However, the United States government also has some responsibility. It provides very little clear guidance to ransomware victims about how to respond to these attacks. The FBI website on ransomware states that “the FBI does not support paying a ransom in response to a ransomware attack.” But it doesn’t actively discourage victims from making those payments — the one thing that might actually make ransomware less profitable and a less viable business model for cybercriminals in the long term.
Last year, the Treasury Department’s Office of Foreign Assets Control warned that some ransomware payments might violate economic sanctions against cybercriminal groups or state-sponsored hackers. But it is hard to imagine how helpful that warning could be for ransomware victims who may lack the time or capabilities to figure out who is targeting them when deciding whether to pay the ransom. After the Colonial Pipeline compromise, Biden this week signed an executive order focused on strengthening the federal government’s cybersecurity, which includes requiring that certain types of incidents be reported to DHS. But that order does little to clarify how nongovernmental infrastructure should be protected or how ransomware victims should respond to cyberattacks.
It is not surprising that the United States does not want to take a stronger stance against ransom payments. There isn’t much data on these attacks. Making ransom payments illegal — or even just strongly discouraging them — could effectively discourage organizations from reporting incidents to law enforcement, leaving us even more in the dark about the scale of the problem. Sometimes the potential impact of a ransomware attack (damage, disruption, nonfunctioning hospitals) is so serious that it would plausibly make short-term sense to pay the ransom. But if high-stakes ransomware attacks like the one on the Colonial Pipeline lead to big payouts, other criminals may be encouraged to target similarly important organizations.
The United States faces difficult choices. Unless countries such as Russia start cooperating, driving down the frequency of ransomware attacks requires lowering the expected profits — in other words, preventing victims from paying the ransoms. But as ransomware attacks become more common, more daring and more consequential for critical infrastructure and people’s daily lives, the trade-offs will become even more painful.
Josephine Wolff (@josephinecwolff) is an assistant professor of cybersecurity policy at the Tufts Fletcher School of Law and Diplomacy and the author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches” (MIT Press, 2018).