Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a wide-ranging interview with the Silverado Policy Institute that, among the many regulatory options for addressing ransomware, banning ransom payments would be a "difficult policy position."
Banning ransom payments "is one of the toughest among all [policy considerations] and has to really be approached with a lot of careful thought, thinking second and third-order effects," she said.
Banning ransomware payments is one of the most common and most controversial mechanisms proposed to curtail the recent growth of criminal incidents and the national security problems they cause. Neuberger, a key Biden advisor, offered some insight into the conversation happening behind closed doors.
"It's pretty obvious that criminals are often doing it for the financial gain. So it's driving the increase in the number of ransomware attacks; it’s driving an increase in the size of ransom demands and the increasing targeting of larger and larger organizations who have greater resources to pay larger and larger ransoms," noted Neuberger.
"There is a process that brings a company to that difficult place" of considering ransom payment, she acknowledged. "What are the incentives along the way that we can do to really reshape that process?"
While ransom payments may encourage a growing market for ransomware, banning them is not without significant potential risks and some philosophical hazards. Event moderator Dmitri Alperovitch, founder of the Silverado Institute and, before that, founder of CrowdStrike, noted that banning the payment of ransom for a company just seeking to get back online would "victimize them further." Others have noted that, due to the pressures involved, victims are still likely to pay rather than watch their companies go bankrupt, opening them to further extortion from criminals and limiting their potential for cooperation with the government.
Neuberger emphasized that the Biden administration was considering a comprehensive package of many policy ideas that would not necessarily require a ransom payment ban. That might include, she said, incentivizing resiliency, forcing companies to be more transparent about paying ransoms, utilizing law enforcement to take down the infrastructure supporting ransomware, and working with international partners for global regulation of cryptocurrencies akin to the anti-money laundering rules other financial institutions must follow.
She noted that it is important to work within the current United States framework for critical infrastructure, the vast majority of which is controlled by the private sector; the often cited challenge there is government’s inability to directly protect or monitor private-sector networks.
The former director of the United Kingdom's National Cyber Security Center, Ciaran Martin, an advocate of banning ransomware payments, chimed in during the question and answer period: "I take the point that the U.S. system means you can't compel private companies to do things, but the Biden administration is now referring to ransomware as a national security threat, clearly in an area like health care. So is leaving key response decisions such as whether to pay or not to pay in the hands of private sector executives compatible with that?"
"Ciaran always asks the toughest questions," said Neuberger.
Elsewhere in the interview, Neuberger restated that the Biden administration's goal is to issue cybersecurity executive orders for each of the 16 critical infrastructure sectors. So far, the administration has issued an order concerning electric grids. Neuberger said that lessons learned from that order, combined with industry-specific tailoring, would go into the other orders.
Neuberger also discussed the importance of the Biden administration's federal contractor-facing executive order in setting a tone for all organizations.
"We said we in the federal government are going to show how important this is by actually doing it," she said.