In less than a decade, ransomware has turned from something tech people discussed at cybersecurity conferences to a phenomenon that fills news websites with tales of damage and desperation on a daily basis.
But despite this, ransomware still sometimes feels like a background war where one side takes heavy casualties but reacts with little more than a fatalistic shrug.
How was ransomware allowed to get this bad?
The traditional answer to this is that organizations failed to defend themselves at a technical level and have paid the price. Indeed, many still don’t adequately defend themselves, the argument goes, which is why ransomware attacks reached record levels in 2021.
But there’s another more interesting possibility that emerges from the pages of a recent U.S. Senate report published by the Committee on Homeland Security and Governmental Affairs—no one has any idea how many attacks are happening in the U.S., or anywhere else.
This is cybersecurity’s version of the measurement problem, which states that people tend not to take an issue seriously until they can see its effect reflected in cold hard statistics.
Measuring the size of a problem might sound like a secondary concern, but it is, and remains, a fundamental obstacle to change. The report’s chair, Senator Gary Peters, writes:
“The government largely relies on voluntary reporting of ransomware attacks and cyber extortion demands, which only captures a fraction of the attacks that occur.”
In the U.S., gathering cyberattack data is the job of multiple agencies that lack a common methodology. But even if they had one, they wouldn’t have a clear picture, because outside the public sector in some states, victims are under no requirement to report successful attacks or ransom payments. Consequently:
“The lack of data on ransomware attacks and cryptocurrency ransom payments blunts the effectiveness of available tools for fighting ransomware attacks including U.S. sanctions, law enforcement efforts, and international partnerships, among other tools.”
The reporting gap is now so big, the report notes, that in July 2021 the Cybersecurity & Infrastructure Security Agency (CISA) estimated that only a quarter of incidents were being reported.
This lack of accurate data has had two effects. First, historically, it allowed the problem to grow without anyone realizing how bad things were until attacks started affecting organizations in critical sectors. Take, for example, the Colonial Pipeline attack in 2021.
Second, going forward, it makes it much harder for the authorities to track the way money is shuttled through cryptocurrency blockchains to real bank accounts. As one Committee testimony put it:
“If victim companies fail to report ransomware attacks early, or if they fail to report them at all, it hinders law enforcement’s ability to assist them with asset recovery or to prevent future incidents.”
Progress is being made through legislation such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, which passed into law in March. But this only affects specific sectors—beyond that, the report recommends that a single reporting standard should be implemented across federal agencies.
The fact that authorities are still playing catch-up is rightly seen by some as a symptom of a system mired in complacency, where change happens far too slowly. But as the report hints throughout its pages, the real scandal is the way the financial system has failed to acknowledge, let alone control, the movement of ransoms through cryptocurrencies. As the successes police have had in recovering some ransoms over the last year suggest, closing this door is long overdue.