What the OFAC Advisory Means for Companies that Pay Ransom

Earlier this month, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory reminding businesses that if they pay ransom to cyber hackers, they could be violating OFAC regulations. At first glance, it puts businesses that are already in an incredibly difficult situation in an even harder one.

The Cipher Brief is bringing you expert perspective on what this could mean for businesses all week. Today, we hear from Cipher Brief expert and former Assistant Secretary of the Treasury for Intelligence and Analysis Leslie Ireland for her take on what this means for business.


The Cipher Brief: What is your biggest concern if the U.S. government imposes sanctions on companies that fall under the recently released OFAC advisory?

Ireland: I see the advisory as a statement of fact. The US Government has these sanctions and companies need to be aware that they can extend to ransom payments because the payments could be going to a group that the US has designated because of the kind of activity they’re undertaking. In that regard, I wouldn’t say I wasn’t alarmed, but to me it seemed like a statement of what our policy is and what we can do.

My biggest concern is that this will be difficult for the small to medium-sized companies that get hit by a ransomware attack. They probably don’t have the resources that a large company has to thwart such an attack or prepare for such an attack. They also may not have the kinds of relationships that a large company has with a regulator.

For a financial services firm, determining the recipient of a transaction is business as usual. You’re always checking your activity against a sanctions list, because you’re going to come into direct contact with OFAC if you make a transaction that you shouldn’t be making. Smaller companies without connections to this part of government could be caught by surprise with this. I don’t know what kind of monetary penalties they are implementing, but it could be prohibitive for a small or medium-sized company.

When you get into a ransomware situation, you’re really between a rock and a hard place. Which do you choose? You might end up making a choice that you don’t understand, and that could lead to a penalty from the U.S. government. I think I would go a step farther and say, “An ounce of prevention is worth a pound of cure.” Take the necessary steps to limit the possibility of a ransomware attack from the very start.

The Cipher Brief: Does the specter of this force companies and boards to adjust their strategies for dealing with cyber-attacks like these, especially for smaller and medium-sized companies?

Ireland: Ransomware attacks have gone up during the pandemic. There is an increased threat surface because so many people are either working from home or working in a slimmed-down environment in the office. There is an increased susceptibility to a ransomware attack. I think what the boards and companies need to do is understand what their most important information or capabilities are and what they’re doing to protect them and make sure they have backups when possible.

Companies need to remain vigilant about understanding current threats and how they are evolving. With so many employees still at home, CISOs and their teams need to regularly update employees about these evolving threats. They also need to ensure employees continue proper cyber hygiene, which may degrade as employees face greater distractions working from home.

If they haven’t done so already, Companies and Boards need to have tough conversations about what their policy is going to be on ransomware and whether they will pay it or not. I don’t believe that will be an informed conversation unless cyber strengths and vulnerabilities are known. Companies and Boards should understand the state of their relationships with law enforcement, OFAC, and DHS.

I thought the advisory was very helpful at the end when it provided contact information for OFAC, FinCEN, FBI, and CISA at DHS. Those relationships need to be built now. You don’t want to try to forge them in the midst of a crisis.

The advisory also made a good point that maybe a company has contracted services that will handle ransoms for you. You have to figure out what kind of due diligence those groups use when they are looking at paying the ransom. What kind of resources do they have or use to determine the identity of the recipient?

Part of the problem with any cyberattack is attribution. At the time of the ransomware attack, you may not know exactly who the entity is that you’re paying off. I think that may be why the advisory says, ‘If you’ve called in law enforcement and alerted us, and it turns out that you do end up making a payment to one of these sanctioned entities, we’ll use that to mitigate whatever response we have.’

The Cipher Brief: Do you think there are additional things that the federal government could be doing to help support companies that find themselves as victims of ransomware? 

Ireland: I will go back to the Solarium Commission and the urge for more information sharing. There needs to be more information sharing that goes beyond identifying and sharing a bad IP address.

Ransomware actors are much more sophisticated and professional now. Companies have to understand what they’re up against and what they’re trying to protect against. I believe part of the employee training for cyber hygiene has to include what is out there and how to protect against it. Employees have to understand that even when it is a pain in the neck to try to get through a company’s VPN, they can’t just jump over to a personal computer. We need greater information sharing and education.

I thought the Solarium Commission made an excellent point that the companies that are coming under attack are critical to our national security, but they’re outside the purview of the U.S. government. Our national security is dependent on the ability of these companies to protect and defend their networks.

The government needs to help more, and companies need to find a way to accept that help.

The Cipher Brief: Do you have anything to say to those small and medium-sized companies who may be at risk of both ransomware and U.S. action based on paying a ransom to a sanctioned entity?

Ireland: Cyber security is a team sport. Somebody else is depending on you and if you go down, you will impact somebody else. The financial sector has found that its third-party providers were getting hit with ransomware attacks. In the moment, the third-party providers were focused on what that meant for them, but there are all these other counter-party relationships involved. We are so interconnected. The pandemic has demonstrated the vulnerability of the way we are linked. If you lose capability, companies who depend on you may be left scrambling.

I think this advisory came out because of the increase of ransomware and an increase in payments. I encourage companies to focus on what they’ve said in the advisory about notifying law enforcement — they don’t want companies trying to handle this themselves. OFAC aren’t trying to bring down the hammer. They want to work with you, but you’ve got to demonstrate that you’ve tried to do what you could to be on the right side of this.
