Redefining CyberSecurity

A Path to Banning Ransomware Payments | A Conversation with Ari Schwartz | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity, host Sean Martin connects with Ari Schwartz to explore the complex issues surrounding the banning of ransomware payments and the potential paths toward achieving it. They delve into actionable strategies, nuances of insurance involvement, and potential legal aspects, providing listeners with a profound understanding of this pressing cybersecurity challenge.

Episode Notes

Guest: Ari Schwartz, Managing Director of Cybersecurity Services and Policy at Venable LLP [@VenableLLP]

On Linkedin | https://www.linkedin.com/in/ari-schwartz-484a297a/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Devo | https://itspm.ag/itspdvweb

___________________________

Episode Notes

In this episode of Redefining CyberSecurity, host Sean Martin speaks with Ari Schwartz about the momentum to ban ransomware payments and the path to achieve it. Schwartz, a cybersecurity expert with three decades of experience, discusses his recently published blog post titled "The Path to Banning Ransomware Payments", and unpacks the ways not just businesses, but also governments can respond to this growing threat.

Martin and Schwartz delve into significant issues, including the moral, national security, and economic imperatives for banning these payments. The two go on to discuss four potential strategies for making non-payment the rational choice: requiring victims who pay to report the payment, to submit to oversight by a government regulator, and to pay fines, with criminal charges reserved for those who refuse to comply.

Addressing the practicalities of such a ban, Schwartz believes it’s likely to happen within the next 3 to 5 years but notes the need for passing laws to successfully enforce it. He also examines the critical role of insurance in this scenario and emphasizes the importance of risk mitigation strategies and robust cybersecurity measures.

The episode also explores potential exceptions to the ban, such as life-or-death situations or major economic harm, and the need for government intervention during ransom situations. Lastly, they discuss how targeting ransomware can help internal corporate security teams highlight the threats to their leadership and drive investment in robust cybersecurity.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

___________________________

Resources

The Path to Banning Ransomware Payments (LinkedIn post): https://www.linkedin.com/posts/ari-schwartz-484a297a_the-path-to-banning-ransomware-payments-activity-7142600762722848770-8_-J/

The Path to Banning Ransomware Payments: https://www.centerforcybersecuritypolicy.org/insights-and-research/the-path-to-banning-ransomware-payments

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

A Path to Banning Ransomware Payments | A Conversation with Ari Schwartz | Redefining CyberSecurity Podcast with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here on the ITSPmagazine podcast network. This is Sean Martin, your host, where I get to talk to all kinds of cool people who are, much times, many times, much smarter than myself, thankfully. And, uh, do a lot of research and have a lot of insights into things that help us run our businesses, uh, more securely.
 

So we can not just protect the revenue that we generate, but actually help business grow and reach their growth objectives. And, uh, bottom line is one thing. And if you're spending money paying ransomware, you're not, uh, you're not helping the bottom line, even if you do help things grow. Uh, and that's what we're gonna be talking about today: the state of ransomware and kind of the culture around that.
 

And maybe some trends that we're seeing that might change how we, how we view and address and respond to ransomware [00:01:00] attacks. And I'm thrilled to have Ari Schwartz on. Ari, thanks for, thanks for joining me today.

Ari Schwartz: Thank you for having me, Sean.

Sean Martin: And this was, uh, as many of my conversations seem to be these days, uh, driven by a post that you made, uh, which was a result of an article or blog that you wrote, uh, titled "The Path to Banning Ransomware Payments". I thought it was an interesting topic. Let's see if Ari is willing to, uh, join me for a chat, and you agreed. So thanks for, uh, thanks for joining me for this. I'm, I'm excited to get into the nuts and bolts of it. Um, before we do, a few words from you, kind of a view of your background, some of the things you've been involved with, and we'll go from there.
 

Ari Schwartz: Sure. So I, uh, started working on tech policy, um, probably around, you know, uh, um, about almost, uh, 30 years ago and then, uh, came to [00:02:00] Washington a couple of years after working in Boston for a while with a bunch of nonprofits. And then, uh, my first, uh, work that I did, uh, led to some work on privacy and security. Worked at the Center for Democracy and Technology for 12 years and then, uh, moved into government and worked, uh, at NIST for, uh, several years.

And then, uh, from there was, uh, detailed to the, uh, secretary's office to be the tech advisor to the secretary. Uh, came to, uh, uh, from there was moved to the White House and National Security Council staff and was there for 2.5 years. Um, and when I left there, I moved, uh, I got, I was contacted by, uh, an old friend of mine who was at a firm called Venable, which is a law firm, uh, and, uh, asked me to build a consulting team there.
 

Uh, here, of non-lawyers. So we're a bunch of non-lawyers at a law firm, [00:03:00] uh, that we do policy and we do some operational work as well. And, uh, you know, really pulling together lots of other companies and trying to come up with solutions in this space is part of what we do, um, as well as working with the clients of the firm and individual companies on their policies or, uh, or processes.

Um, and so, uh, we, you know, one of the groups that we worked with, uh, is the Institute for, um, Security and Technology. They built this, um, ransomware task force, um, in 2020. Um, well, it started around then, and, uh, we were active in that from the beginning. Um, and one of the issues that came up there was ransomware payments.
 

We had obviously, working with a bunch of clients, um, in this space, uh, already, known a good deal about ransomware. Uh, at least how the payment side worked and how people negotiated it and what insurance companies, how to work with insurance companies on it. Um, almost [00:04:00] everyone at that point, I mean, that was like, you know, as things were changing with everyone at that point, uh, was paying ransoms, and, um, there was a viewpoint, uh, well, from I think most of the people in the task force, like, we're not at the point where if you ban payment today, like, that would be a disaster for everybody, uh, and I was certainly of that camp, but I did suggest that, you know, it should be the goal of governments to get to the point where we could ban ransomware, right, like payments of ransomware and ban ransom, you know, so that people wouldn't be paying, um, and that should really be the goal.

And, uh, really we have to build a path there, and the first steps of that are what the ransomware, the original version of the ransomware task force focused on, um, with some point saying basically at some point governments are going to have to ban it. So one of the things, and then, and I found this year that really we've gotten to a point where a lot less people are paying, you know, in fact, if you read some of the reports, it suggests it's under [00:05:00] 50%.
 

I would say it's probably right around 50 percent from what I've seen in the field. Um, you know, a lot of those payments now are more about extortion than about, uh, locking, just locking down computers. But instead, you know, uh, we have this information on you and we're gonna send it out is what more of those payments are about.
 

So, yeah. Um, so the, the kind of the, it has changed, uh, what the, the types of payments we're seeing. Um, I think we're at a point now where we can kind of have a conversation of what it might look like. And that's really, and, and a lot of, there's, there, there was a, uh, in November, December, I, I was contacted several times by people talking about, well, maybe we should ban ransomware now.
 

And I think, um, I wanted to kind of lay out in this paper a little bit more of how we get there, um, and what, and thinking about having thought about it for the last three years, you know, knowing that we're going to need this path eventually. [00:06:00]  
 

Sean Martin: Yeah, absolutely. And I had the pleasure of, uh, speaking with Shawn Tuma, uh, the other day. He's also at a law firm looking at this, uh, operationally speaking.

You know, he, he and I were talking more around broader risk management and security operations and incident response and the connection to cyber insurance. And he, he confirmed your point and also a stat that's in the article or the blog that you wrote, uh, that fewer entities are paying.
 

Um, we didn't talk about the amounts, but the amounts seem to be going up, even though people are paying. Yeah. Um, so it was interesting that those things jive. Um, what I want to do is maybe kind of talk through why, maybe, but what Shawn suggested is that organizations are better prepared, right? So, uh, they have the backups to recover.

They have some technologies and controls in place to mitigate the likelihood [00:07:00] of compromise. I'd like to get your perspective. Why are fewer paying? Are they more prepared? And then what about the other?
 

Ari Schwartz: I think they are more prepared. I think if people are more prepared, I think there has been a new focus from government and from, uh, private sector on combating ransomware. 
 

So there's a lot more information being shared about the threat actors and about their techniques. Um, a lot more tools being built to stop the specific techniques that we saw in the past. So that's why you see a shift in, in the way that the, uh, what the, what the actors are doing, um, that we've seen some lot less reputable people, or people who, um, in, in, in the bad, where the bad guys are, um, basically not honoring, not coming back, or so if you pay them, they can just come right back. Right? And so we've seen some of that. We've seen cases where the keys don't work when you get them, even though you paid for them. Um, which may or may not be the fault of the [00:08:00] bad guy.
 

I mean, they might think they're giving you a key that works, but because of the changes that they've made to the technology over time, it doesn't work. So, um, you know, I think we've seen some of that, and that kind of, it plays into the decision making as well. But I do think there is better preparation, there's better backups, there's better segmentation, which plays into it too, where we see sometimes, uh, um, cases where, uh, customers say, well, it's, I'm finally be losing all my old mail.
 

I don't really care that much. Right. I'm not going to pay that much money and run the risks of that for, um, for just that, just my, you know, archive mail. Um, so if you have segmentation, you get a little bit better results out of that. Um, so, but backups obviously are key there too. And that's what, uh, uh, Covert says in their report about this, uh, is that the backups play a key role. 
 

Um, and I think that's true too. So, um, yeah, so I think that those are the main reasons, but, you know, again, people are still paying, so it's not as though it's 100 [00:09:00] percent there, but it's gotten much better.
 

Sean Martin: So I think those two points, there's the economic, which kind of touched on, and there's the one thing we really said directly, but the moral, and I'm looking at your imperatives that you wrote about, really economic as a driver.
 

Um, people might just say I have the backups and I'm not going to pay, or even if I don't recover, I'm just going to figure a different way out. Then there's the middle one of the national security imperative, which I don't know how many people care about that. Clearly there's still  
 

Ari Schwartz: why government? Cause I think that from the private sector point of view. 
 

Um, but it's kind of like, well, we'll just work this out over time over time. It'll just drift down slowly. Um, you know, let us continue to pay. We've basically got it. We're moving in the right direction. It might take a while. We might never actually get to zero, but we can keep it at a low level. And I'm trying to say with those with this argument, like the governments [00:10:00] are always going to feel the need to want to ban the payments. 
 

And there's three reasons for that. So, um, the first one, I'll go. The first one that I have listed is the, um, is the moral imperative, right? And that idea is, you know, um, as you pay, you're actually funding other people. You're funding, you're funding the criminals, other people to be victims of the crime, right? 
 

You're paying the bad, you're paying the bad guys to increase the crime. Um, and so, uh, it is better for society to stop it. Um, in, in that way. And so if you think of what governments are there for, it's like just a basic tenant of what governments exist for is to stop situations where we have that kind of, uh, um, uh, moral imperative. 
 

This is like, goes back to Immanuel Kant, right? So I got to use some, uh, things, things you learn in undergrad, right? Like, uh, there you go. We're going to talk about the Kantian moral [00:11:00] imperative, right? Uh, this is just a classic case of that, right? Where, um, uh, do you want, you want, when we, when we, when government, when the rational act in a situation is to do the thing that's wrong for society and everyone has to do that, it's government's job to come in and step in and make sure that, uh, it is not the wrong thing to do that.
 

The rational thing to do is the right thing for society, right? So is the way to put that. Um, so, uh, that's, uh, where we see that, um, you know, some people might make that determination on their own that they shouldn't do it. But for the most case, that's not gonna be their driver. They're gonna make the rational decision, which in which in 2020 always was to pay. 
 

Now there's a little bit more of a choice in the situation. Um, but that's the moral imperative still exists in a lot of cases, then the national security imperatives from a government's point of view. And so, and this is why governments didn't care. Right. A lot of governments didn't care [00:12:00] until, uh, 2021 or so when they started to see that this was funding government actions, uh, in particular. 
 

And so, uh, particularly we saw that there was discussion about this with North Korea, that North Korea, um, North Korean actors were involved, um, and looking to make money off of ransomware. Um, but we, we've also seen it from some of the actors that work with Russia. Even if the Russian government isn't actively using it to fund the Russian government, they might be using it. 
 

The actors that spend most of their time in Ransomware can come over and help the Russian government with something else on the side or the Chinese or the Iranians. We've seen flair with it. So, uh, I think there, it is, uh, you know, something that has come up quite a bit and that got governments a lot more interested and it gets, uh, national security side of the house, uh, more active on the issue. 
 

And they're always looking, you know, if we can come in with a law to solve the situation, they're going to, they're going to be in favor of that. And then the economic one, [00:13:00] which I think is the more straightforward one for most people, which is just a total drain on the society. It's all black market, you know, no, no upside for most legitimate economy.
 

So all three of those things, I think, play into the way the government thinks about it. Now, from, again, the rational thing to do in 2020 was to pay, right? Even despite all those things, right? And that's really, I think, the driver that where the tension comes in is, you know, people are thinking about this from a rational perspective, uh, totally rational perspective. 
 

I mean that from a philosophical sense of the word. Um, not the crazy, not crazy sense of the way it's generally used in society, right? So, uh, but the rational act is, was to pay. And now we're getting to the point where that may or may not be the case. And then the question is, how do we tip it a little bit more so that it's not the rational thing to do anymore, so that more people start doing it.
 

And then we can get that number down, uh, with gov, with some government action involved faster than it would just on its own.  
 

Sean Martin: Let's talk through, there are four [00:14:00] points there, um, that you suggest lead us to a place where, where it becomes rational, right? We, we, can we reach a point where the right and expected and comfortable, we'll say, thing to do, yeah, is to not pay. And, uh, the, the government gets involved helping
 

Ari Schwartz: ransomware bans, right? They think, well, you're gonna go to jail if you pay the fine. Right? And I think, and, and some people have suggested that directly, like, yeah, if you pay a fine, if you pay, I mean, or you pay the ransomware, you, you, you should go straight to jail. 
 

Uh, um, for paying the ransomware, that would solve the problem, we've made it a criminal act. Um, I don't like the idea of criminalizing, uh, the way a victim has to respond, and even for the government to kind of make that determination, especially when it has been the rational thing to do until now, right?
 

Sean Martin: Like another choice, except the, except the one that now is unlawful and I can, [00:15:00] one can be penalized for it. That's right. Both, both, both situations are bad.
 

Ari Schwartz: Yeah. I think, uh, if we think of it more as a civil situation, right? Where we can come up with actions where it's a fine or it's a, uh, or, or other things that, uh, people have to do if, um, there, you know, so that there's other downsides to their action, um, then they might weigh it differently. Right. And, and especially, uh, let's, so we'll start with reporting, which, um, you know, the US government has already decided to move towards for critical infrastructure, at least, um, that people have to report ransomware payments. So, um, we're already moving in that direction.
 

Um, and then, uh, the second one that I have there, that I don't think people had heard before this, but has come up in other contexts, is to have government security oversight [00:16:00] for companies that pay. So if you pay a ransom, that's fine, but then you also enter into a, um, 20-year agreement with the Federal Trade Commission, as they do for, uh, finding, you know, binding decisions, binding, uh, agreements that they come into with companies that have had big security problems in the past, um, have a pattern or practice of, uh, lack of security, right? Um, so I give the Federal Trade Commission as an example. There could be some other government agency probably, and, and, um, but I like the idea of having it be an independent regulatory body that is the one that's kind of overseeing that, uh, effort and, um, you know, have them make that determination and run that program, especially one that has had product, um, has had success doing that in the past.
 

Um, then the other one is what I raised before, where you could give fines, right? We could just add in, you know, some flat amount, or it could be the same amount [00:17:00] that you pay the criminal. You have to pay to the federal government, and that's used in the program for helping, uh, companies turn around their security and put back into security, etc.
 

And then for criminal charges, uh, is the last one I have on there. And again, I don't like the idea of victimizing people. What I would say is if you purposely tried to subvert this system, you weren't reporting it, and you were purposely trying to shove this underground, then it becomes a criminal case. 
 

So, uh, we're trying to get this all above board as much as we can, turn it more into a civil act. And, uh, et cetera.  
 

Sean Martin: I'm going to raise this point. It's not in your list. Um, I believe all four. Let me double check it. All four of those are victim reports. Victim gets oversight. Victim pays fines. Victim, perhaps, has criminal charges. 
 

I'm going to bring up a [00:18:00] point that I've heard, I don't know, probably 15 years ago, maybe. Yeah, at least 15 years ago that, uh, I don't know if you know, Jeremiah Grossman, uh, pitched this idea or presented this idea or concept of, of security warranties. I think he calls it software warranties, but where the vendors claiming to provide the protections are liable to some extent for the failure of their systems to protect against. 
 

What they're supposed to protect against, in this case, ransomware. I'm wondering what your thoughts on that. I know it's not part of what you wrote about. Any thoughts on how that fits in, perhaps, as a way to incentivize? 
 

Ari Schwartz: There's actually an interesting effort right now in the federal government where they're having contractors that sell software to the U.S. government self-attest that their security, uh, does what they say it does, right? And, and, and, and meets certain security [00:19:00] standards based on the NIST, uh, SSDF, right? So, um, and so they're gonna self-attest to that, and then that puts them on the hook for being liable just by saying, under the fraud act, of selling it to the government.
 

You've said that this thing does what you say it does. If it doesn't meet those standards and you, uh, you get it to me, that's probably, uh, moving closer in the right direction. That's something we could do on ransomware payments. Um, because on the ransomware payment side, I think it's, it's going to be hard to figure out what failed and why it failed, whether it's, whose error it was. And if we have to do that for each case, um, we're going to end up with a lot of litigation around that front, right? As opposed to, um, uh, you know, so, so I don't think you get quite to the answer that you'd hope you would. Um, even though I understand the desire to move more [00:20:00] liability to the vendors themselves.
 

Um, so I think, uh, you know, I would like to see more of a move towards, um, that's coming up with this, what the, what the standards should be for software and having the companies commit to those standards and then, um, holding them accountable for that separately from what happens to victims on the side of that.

So the victims might be able to, you know, have liability standards against the companies as well, but you know, we're just trying to stop payments, right? That is the point. You know, why don't you take the, you have a choice, you have, you should have a choice to protect yourself better and have levels of resilience, and you have a choice of, uh, once you get hit, like, do you, do you fight or do you not fight?
 

We're just, we're just trying to tip the balance a little more towards the, you should fight, right? And then, so it's, it's, it's somewhat of a different, uh, set of discussions, even though it's a related [00:21:00] fee area, right?
 

Sean Martin: Right. Yeah, so I have two, two burning questions. One is in relation to the standards and perhaps audits and certifications and whatnot, which I think might fit into the last point of your article, in terms of exceptions. And there's probably more to it than, than what I'm thinking of there. And then the other is the role of cyber insurance in this equation.

Do you have any thoughts there?
 

Ari Schwartz: So on the standard side, well, yeah, um, on the standard side. Um, the, uh, I think, um, I look, you know, you look at the cyber security framework and what the profile would be for each sector and then have them work off of that. Like we've seen the FTC promote that idea in the past in these kind of situations. 
 

Um, I think that's probably the direction that I would put it toward, but I think we want to leave it open, you know, as [00:22:00] time goes on, if these change. So I would leave it open to the FTC to kind of make that determination. But I personally lean towards the idea of continuing down the path that they've already started on, working with the NIST Cybersecurity Framework, which has generally been embraced for these kind of situations.
 

And then, uh, you know, we also actually, they actually have a ransomware profile under the NIST cybersecurity framework. So you could just focus on the NIST on the ransomware profile, right, which it works for any industry. Um, and then, uh, on insurance, I mean, I, I did leave that question out. Um, I, uh, I think that it's still a very good one. 
 

I, I, I sort of, um, uh, the more talk in the insurance company, that some of the insurance companies after I published it, um, I've, I've, uh, sort of gone back and forth a little bit about what the role should be. So I think, um, there is a question as to whether you say, I think, well, one thing we want to be sure of is that insurance doesn't cover [00:23:00] everything involved here, that the government, insurance isn't paying the government in particular.
 

Right? So maybe like I was thinking, my first thought was we could have the insurance. You could still get insurance to cover the payment to the bad actor. Right? Right. Even though we consider it to be, um, illegal in a civil sense, um, you could, you could still get a coverage to do that if you need it. Um, I think we could also, but I think there's another approach to it too, where you say, um, that the exemption is given in a case by case basis and it's based on loss of life or major economic harm, right? 
 

And the government is making a determination about whether you have, you would have loss of life or major economic harm. And then you could say, well, in those cases, companies that would might be in those situations could get insurance and, but they would have to get the approval of the government in order to get the insurance. 
 

Um, which I think would be, you know, that makes that insurance rarely [00:24:00] used. Um, but it does give people, you know, in super terrible situations, the ability to get it paid for. Um, so I'm still between those two kind of viewpoints on like, how does insurance fit into this discussion? You don't want to be in the situation we were in 2020 where insurance was actually fueling, uh, ransomware growth. 
 

Um, I think later on that stopped, and now we're working, we don't see that as much, but um, you don't want to be, I think we do worry about ransom, all, everything being paid for by, being able to be paid for by the insurance company. The insurance company made it harder to pay, to get paid back recently.
 

And that's just another reason people have gone away from paying. So 
 

Sean Martin: Yeah, yeah. Now this, this wild idea. I don't know if you have thoughts on it or not, but perhaps the direct payment, where the, the decision to make the payment by the organization or by the victim might, [00:25:00] to our, to your points earlier, it's, right now it's the rational thing to do to make the payment to get out of the mess.

Perhaps if there's an intermediary that helps make that decision. I don't know if that's a commercial entity. I don't know that I want to suggest that, but perhaps there's a government entity that, that, that's the intermediary. At least then they can see what's going on and what the, who the actors are and what the impact might be, and help make the decision.
 

Uh, any thoughts on that?  
 

Ari Schwartz: Yeah. I mean, so there have been these, um, these intermediaries that have worked to negotiate the payments, and there's been some concern about those intermediaries. There's been some that have been thought to have been too close to the bad actors, and like grown too close to them and like worked out deals with them.

Um, I haven't seen that from my side. The, the ones that we work with, um, are very professional and actually, um, definitely help bring down the prices in the ransoms and, uh, tell [00:26:00] people, you know, give people a lot of comfort about the steps that they're taking, 'cause they see so many of these and they know who the bad actors are.
 

Um, so I actually think they help. But there has been some discussion about, sort of, um, certifying those kind of actors, making sure that they're, that they're actually working on behalf of the people, the folks involved, which I think is part of this, um, but
 

Sean Martin: I was thinking more from the, if the government, I'll just say the government, having a view into all of that. 
 

So more than just more than we made the payment and now we have to report, I'm thinking if they can be involved during the process, during negotiation, or even before payments made, they can learn a ton perhaps.  
 

Ari Schwartz: To help drive. Yeah, that's true. That's true. I think, um, uh, that's a possibility. Uh, I have to, it would have to be spelled out a little bit more what kind of cases to get involved. 
 

'cause there are a lot of them. And then the question is, if they're forced to respond to all of them, you're gonna, you're ending up with a very large [00:27:00] bureaucracy around, uh, something that we're hoping to make go away. So, uh, uh, which it's hard then, and then bureaucracies, like, look for things to do after they exist.
 

You know, you don't wanna zombie, uh, bureaucracy around there for trying to put them out. 
 

Sean Martin: Yeah. To keep our jobs and keeps our, keep our budget.  
 

Ari Schwartz: Yeah, exactly. So, uh, so I think that, uh, I'd prefer, I like the idea of the, the, of them responding to the reporting afterwards, using the reporting to do that. But if, if we really feel that the, that the best way for, to stop it, and that might be a good approach. So
 

Sean Martin: what? Um, what are some of the cases where an exception might be made? Assuming we get to a banned state? 
 

Ari Schwartz: I think something like we saw, um, you know, we've seen in some of these cases with hospitals, um, where you've had hospitals that, uh, where it seemed like there was, they're making a life or death decision Uh, involved. 
 

I think, you know, Colonial Pipeline [00:28:00] might be an edge case there where we felt like the economy was really at risk. Um, on that one in the past, you would, uh, I don't think the government wanted to be involved in making that decision and they left it all to the company to make that decision. Uh, if you're forced the government to give all might actually be a better decision made. 
 

Uh, so, um, whether, whether they should pay or not. So, um, um, I would prefer it to be the, One of the reasons I like the idea of an independent regulator doing it is because I'd like to have a, you know, a commission vote on it rather than the FBI making that determination. Because what I've seen of the FBI making determinations in these kind of cases is that they don't want to get involved at all. 
 

Like their view is, you know, we're here to investigate and solve these crimes and we're not here to make the determinate, like you have to make the decision. So they're almost never going to give an exemption for anything. They don't want to be [00:29:00] the one who's who's put on the line. It has to make the determination of exactly when they have it. 
 

So it has to be in a totally extreme case for the in that kind of case. So I think in some ways it's more important who the, um, one is making the determination is and they can come up with sets of criteria around it. But I do think it would be an extreme case like a hospital or, uh, you know, uh, there have been cases where we've seen it. 
 

Yeah. Um, entire town shut down or state government shut down for long periods of time. Uh, so I think that, you know, well, what's the economic harm to the, to that town and state and make that determination. It might be worth keeping them down and have them kind of work their way out of it themselves, not pay. 
 

Um, you know, I think we've seen, we've seen Governments successfully do that. So, but, you know, who's, we need to kind of, so I don't want to say in every one of those cases, but I think you want to have that kind of balance review.  
 

Sean Martin: And the [00:30:00] first thing comes to mind is if it's critical and they get the exception, they become even an even bigger target because the criminals know, well, those are the only ones that get to pay. 
 

So we may as well target them. 
 

Ari Schwartz: You don't want to, you don't want to move it more towards the life or death. I do think at that point, when you have had that happen to you though, you bet they better like buck them up and make sure that they can withstand. Uh, attacks in the future as well as so big for that reason. 
 

Um,  
 

Sean Martin: so I have a three part question to, to close here. Ari, how likely and when do you think a ban might happen? And what, if any, blockers exist that need to be removed in order for it to happen? I can start with those two if you want, and then I'll move to the third.  
 

Ari Schwartz: Yeah, I think, I think that eventually it will happen. 
 

I think countries will do it. I mean, we ban, [00:31:00] a similar situation as we ban payments to terrorists, kidnapping payments to terrorists, right? And pretty much most countries do that at this point. So I think once you see one country start to do it and come up with a successful approach to it, it's going to be dominoes. 
 

Uh, other countries will pick up on that. Um, so the question is more like, you know, how long will that take? And I'm not totally sure, but I think probably within the next 3 to 5 years, I'll start to see countries come up with approaches on that. Um, and then I think we need a law passed in this case. For it to happen because there's no one that really has the authority to do some of the things that I'm spelling out here. 
 

Um, even, even if it were, they, they did take the criminal ban. You would have to add it to the list of things that were already existed in that criminal statute. So I think we probably, you probably need legislation and go through Congress.  
 

Sean Martin: You see that at a federal level versus a state. I know some of the states have been [00:32:00] aggressive for other things. 
 

Ari Schwartz: Yeah, a state could do it. I think it would be sort of weird. Like, you can pay this in California, but you can't pay it in Oregon, right? Right. That would be weird. But, uh, it is. I think people probably push, you know, uh, interstate. Uh, you know, so there was unconstitutional because it's interstate commerce involved here. 
 

Um, if they're more involved based in more than one state. So, um, but I think, uh, Uh, they could do it. The state could do it. So, but I think generally speaking, the federal would be a lot more successful, especially for the types of things I'm talking about, about building a program, because these programs already exist in the federal level and most states don't have something like that. 
 

Sean Martin: Makes sense. So a two way question before I get to three. And you mentioned other countries and one flips, the other would likely follow. Have you seen the actions in other countries on this front? 
 

Ari Schwartz: I mean, I've heard folks from the [00:33:00] UK talk about it. I think Australia has talked about it. Um, yeah, those are the two I think that have been the most active. 
 

I've heard where I've heard politicians talk about it in those countries. Um, I'm sure there have been some others as well that have raised it, though. 
 

Sean Martin: Yeah, makes sense. All right. The third question, uh, For my, for my listeners and watchers, what, uh, what should they prepare for? I mean, obviously better protection, but three to five years, let's assume this happens. 
 

What should they start preparing?  
 

Ari Schwartz: Yeah, I think, I mean, one thing is that's obvious is don't assume that the insurance that your insurance is going to save you on this front. Um, we've seen a lot of people who, um, where where insurance isn't paying now as much as they used to paying out as much as they used to. 
 

So even if you've seen cases where insurance is paid in the past, like the rules have changed and the fact that less people [00:34:00] are paying now means insurance probably gonna start paying less, which is, you know, in the, uh, larger society sense is a good thing. But for your company, it means you gotta do more risk mitigation beyond insurance, right? 
 

So, and I think getting a message out to folks that, you know. You need to like look for, uh, uh, ransomware protection and then also exercise for it. Um, I think, you know, and exercise your backups, right? People forget back up front that uh, yeah. You know, you actually have to, uh, make sure that it works. You have to restore, right? 
 

That you have to be able to restore, uh, and not just make that it, it copied over somewhere, . Um, so that, uh, we've seen a lot of failures on that front too. So I think those are the main. Uh, sets, but, um, you know, segmentation, obviously, as I said before, to being a big one in this in this regard, too. So, um, uh, I think those are the kind of mitigating factors. 
 

And then the just. [00:35:00] general, uh, set cyber controls out there. Uh, that they're the same for ransomware is everywhere else. I mean, credential, uh, having good identity management procedures and credentials, credential protection. Um, and segmentation there too is really a key in this one too.  
 

Sean Martin: And I'll toss in, I mean, we all want this to diminish, if not completely go away, so whatever we can do to help do our part to help drive that, I think we should figure out what that is. 
 

I don't know what it is. Hopefully somebody else does. But don't fight it, right? Or don't just, don't just go with the flow because everybody else is, or it seems the easiest. It might cost a few extra bucks, it might take a little extra time, but I think the goal is to get this done. to go away somehow. So,  
 

Ari Schwartz: yeah, I mean, in some ways, I think it's been helpful for security companies that have not been for security entities [00:36:00] inside companies that have not been hit to raise it because someone like they know someone, someone, almost everyone has been hit by ransomware in some bios or at least some kind of extortion attempt that it's easy to kind of get it demonstrate the potential harm from it. 
 

To your organization. So in that way, I think we should still use it and, uh, try and use that to get the attention of leadership around it and get more money to, uh, get more resources towards towards this. So there's almost an, you know, uh, it's, it's a good way to get people capture people's attention. 
 

Sean Martin: Yep. 
 

Yep. Pay me now.  
 

Pay me later.  
 

Ari Schwartz: Yeah.  
 

Sean Martin: It's better, better to take care of it ahead of time. Well, Ari, uh, really appreciate, uh, the conversation and your time, uh, talking to me about this topic and, and for putting that, that article together to, uh, to help drive it. Of course, for folks listening and watching, I'll put links to your LinkedIn post down the, in the blog post as well. 
 

So they can all [00:37:00] follow up and read that and, uh, perhaps connect with you if they have further questions and, uh, any final thoughts, Ari?  
 

Ari Schwartz: I appreciate you having me, Sean. Thanks a lot. Good way to kick off the new year here. So  
 

Sean Martin: exactly, let's, let's move toward the ban. So thanks everybody for, uh, for listening and watching and, uh, please subscribe, share with your friends and, uh, enemies, and, uh, we'll see you on all the future episodes here of Redefining CyberSecurity on ITSPmagazine. 
 

Cheers.  
 

Ari Schwartz: Thanks.