EPISODE 82
Recommendations from the Ransomware Task Force


About this episode

June 22, 2021

Ransomware is a big problem that’s getting bigger. Learn about a new set of recommendations released by the Institute for Security + Technology’s Ransomware Task Force for dealing with the growing threat of ransomware with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates. AND: Will all attorneys please join us online for a free, one-hour CLE on June 23, 2021 at 12 pm Pacific where Kip and Jake will teach you how to answer client questions about ransomware? Sign up here: b.link/cle

Episode Transcript

Speaker 1: Welcome to The Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cyber security counsel is Jake Bernstein. Visit them at CyberRiskopportunities.com and FocalLaw.com.

Jake: So, Kip. What are we going to talk about today?

Kip: Hi, Jake. Today we are going to talk with our guest. His name's Michael Garcia. He's back again. He was here about three episodes ago and he's going to talk to us about a new set of recommendations. Previously, we talked with Michael about the fact that we're out-gunned, cyber criminals are running rings around us. And Michael came and talked to us about this report that had some recommendations for the federal government.

Michael's been very busy and now he's back to talk about something else that's totally relevant. These are recommendations that are released by The Institute for Security and Technology. He was on a Ransomware Task Force and I couldn't resist bringing him back right away because I believe that the report that they released has some really good information to help us understand the growing threat of ransomware and what actually needs to be done about it. But first, Jake, we need to mention one last time ... to tell our audience about our upcoming continuing legal education.

Jake: That's right. Please join us online for a one-hour cutting edge CLE on June 23rd, 2021 at noon, Pacific Time, where Kip and I will teach you how to begin to guide your clients whenever the topic of ransomware comes up.

Kip: That's right. This is a continuing legal education, so it's really designed primarily for attorneys, but we're going to use ordinary language so it's not going to be tech jargon, it's not going to be legal jargon so, really, anybody can join us. If you're at all interested, then I would invite you to sign up. But what we're going to do is we're going to walk you through two actual ransomware incidents that Jake and I have handled recently. We're going to tell you how the attack started, how the victim recovered and we're going to talk about the role of the attorney throughout the incident.

Jake: In addition to one CLE credit, you'll receive actionable advice that you can use right away.

Kip: All right, so how do you sign up for this amazing session that we're going to be giving? You go to B.link/CLE. That's the letter B.L-I-N-K/CLE. And again, designed for attorneys but all are welcome.
All right, let's go ahead and get back to the episode. We're talking to Michael Garcia and the recommendations from the Ransomware Task Force that he was a member of. Michael, welcome back.

Michael: Hey, glad to be back.

Kip: Even though you were here just three episodes ago, maybe some of our listeners haven't heard that episode so would you re-introduce yourself and give us a little bit of your background, please?

Michael: Absolutely. My name is Michael Garcia. I'm a senior policy advisor for a DC-based think tank called Third Way. I work in their national security program but I primarily focus on cyber crime issues. At Third Way, I spend a majority of my time doing research and writing papers on a whole host of cyber criminal activity and ransomware being one of them. I've been at Third Way now for about a year and prior to that I worked for a congressional commission called The US Cyberspace Solarium Commission, which was congressionally mandated to look at how the US can improve its overall cybersecurity posture and how the federal government can work with both international, state and local and private partners to achieve that end.

Prior to that, I spent a number of years working at an organization called The National Governor's Association, where I traveled the country advising governor's offices on how to create cybersecurity strategies and executive orders to improve their own state's cyber defenses. That's basically me in a nutshell. And like I said, I'm really happy to be back on the program.

Jake: Great. And Michael, it's great to have you back. Now, if I recall, Colonial Pipeline hadn't happened when we last had you on the show. I think the urgency of this issue is really ... It can't be overstated. This has become a national security concern, which I think Kip and I and you are well aware of before Colonial Pipeline happened but that clarifies or, I think, proves to anyone who didn't believe that ransomware is a growing threat to the US economy. I think we have to admit that the actual losses are a lot higher than what's been published in most news outlets simply because most ransomware attacks are not reported. What kind of impact are you seeing with your visibility?

Michael: Yeah. No, you are absolutely right. I think it was prescient we had that conversation back in April and then sure enough a month later we had the most consequential ransomware attack in the US at Colonial and then just this past weekend, over Memorial Day weekend, we saw one of the world's largest meat suppliers, JBS, get hit with ransomware. And sure enough, just as Colonial impacted the oil supply for all those who live on the east coast in the US, this will surely impact people who buy any kind of meat products from chicken, pork, beef. This is now directly impacting Americans where it hits the most in just basic daily commodities.

But I think the interesting thing is that COVID-19 really accelerated the use of ransomware because you had cyber criminals realizing that everybody's shifting their lives to online, whether that's doing telecommunication, having video conferences like this that we're having right now, remote school learning. What we saw was an increase of 148% in these attacks with over 2,400 government entities being hit, looking at hospitals, schools, local government entities in general. And as a result, criminals know that they can get more out of their victims.

Real quick, I want to break down the numbers because I think it's really interesting when you look at this in that in Q3 of 2018 the average ransomware price was about $6,000. Only two years later in 2020 Q3, that was over $230,000. And by just a simple estimate, we see about $350 million in ransomware in 2020 alone. And Jake, to your point, that's probably just the tip of the iceberg because it's not always reported and so we're seeing a growing attack on various enterprises and it's increasingly hitting Americans where it hits the most and it's oil, their groceries as well as telehealth and schools.

Jake: Well, it's barbecue season, too.

Kip: Yeah.

Michael: Yeah.

Kip: Yeah, the biggest barbecue season.

Jake: This is just not acceptable.

Kip: Well, gosh. It's just stunning how ransomware has risen as an issue ... as a cyber issue for our country. And I think it's just another data point that is making our case; that we are just wildly outgunned by the criminals right now. And one of the reasons why this is happening ... I think a lot of people are confused about why this is happening. I think it's a confluence of a couple things. One is that the criminals are just getting more and more efficient at conducting these kinds of attacks. They've honed their weapons, they've honed their procedures. They understand how to silently slip into a network and operate in there without making any noise for days to weeks. And they can do a lot of intelligence gathering on their victims to find out what they really can pay; what their liquid assets are and what they can afford to pay in terms of a ransom.

So, there's that side. And I think, also, the other thing that has really enabled this is the availability of anonymous crypto currency transactions ... has been a huge enabler because ransomware is not new. Ransomware has been going on for years and years and years but it's the availability of crypto currency and anonymous transactions at scale globally that has really opened the door to these attacks.

Michael: Yeah. I think just to add to that point, too, is that you're seeing what's been called ransomware as a service in which you have these large criminal syndicates that operate usually out of eastern Europe or in Russia, which was in the case of the Colonial Pipeline incident, who rent out their ransomware. If you just have any access to the dark web, which is really easy ... People can Google it ... Then you can pay a small fee to access ransomware and hit any victim that you like. And all you had to do is send a small percentage back. I think that, also ... Just basically taking a criminal enterprise model, which we've seen before in various other crimes ... Putting it in ransomware, it makes it that much more impactful.

Kip: Yeah. Yeah. Absolutely. What's happening is the criminal is specializing, they're scaling, they are trying to figure out how to bring in affiliates. Here's the thing that most people don't understand even if they've heard about what you just said, Michael ... Is that if you want to be an affiliate to a ransomware gang ... Some people think, "Wow, you must really have a lot of skills." No. If you can open up a Netflix account and figure out how to find a movie you like and play it, you have all the skills you need to become an affiliate. It's a really, really low bar. And guess what? If you know how to steal credit cards, you don't even have to pay anything. The barriers to entry are super, super low.

And in case anybody's wondering, the most recent statistic I saw is only three out of every 1,000 reported cyber crimes of all types actually result in any kind of an arrest. I'm not even talking about a conviction. I'm just talking about an arrest. And not every arrest results in a conviction. So, the consequences here of getting caught are ridiculously low. Anyway, so that's why Michael's been on the podcast before, that's why he's here again, because we need to figure out what to do about this.

Michael, you are on a Ransomware Task Force as part of The Institute for Security and Technology. I wanted to ask you to share with our audience first of all, who is the institute? Why did they form a task force and decide to write this report? And then, would you also talk about who the target audience is?

Michael: Yeah. Absolutely. I'm going to refer to the institute as IST because it's a very long mouthful and I think it'll be easier. But IST is basically a nonprofit that helps other companies or organizations with their cybersecurity needs. They have a whole host of offerings. They're a really good organization. Provide a lot of good products. In my previous jobs, I've known Bill Briner, who is the executive director for IST. And he reached out back in December 2020 seeing these trends of ransomware becoming a big issue yet realizing that back then we were reporting on it but it seemed like government still wasn't paying much attention to it. And he saw a need to convene those in academia, in think tanks like myself and other international organizations and law enforcement officials in general to talk about these issues.

From January through April this year, IST convened 60+ members where we had robust conversations about ransomware and we ended up developing 48 policy proposals to achieve four overarching goals that I think your audience will be very familiar with, which is, essentially, deterring, disrupting, preparing for and responding to ransomware. And within those four goals we then have the 48 recommendations that fell within them. And to give your audience a sense of who is on this, it was really high profile. I, honestly, was very honored to be in their presence, frankly. But we had Michael Daniel, who used to be, essentially, President Obama's cyber czar and oversaw all cyber activities within the federal government. We had the first, basically, cyber diplomat, which is Chris Painter, who worked in the state department for a number of years in the Obama administration. We had high profile organizations like Microsoft on there as well as FBI, Secret Service, DHS and other international federal entities who are on there, as well.

And our target audience was, actually, a multitude. Unlike the report that I talked about the first time I was on, which was tailored to US Congress and the federal government, this was really focused on, in addition to the US government, private partners as well as international partners. And so, if you look at the report they did a really good job of saying, "This action should be implemented by X timeframe and is directed at US government or is directed at private partner. Here's the outcome it would have."

Kip: How would you, at a high level, compare and contrast the Third Way report that we talked about a couple episodes ago and this report, here? It seems like there's a little bit of conceptual overlap. But for practical purposes, they are different.

Michael: Correct. There is some overlap because our Third Way report was much broader, looking at a high level of what can we do in cyber crime in general? And really, talking about the tackling and blocking. For example, we were talking about information sharing last time. Very general. This report is really focused on ransomware, so looking at information sharing, what kind of information do we have to share when it comes to ransomware? How do we incentivize people to report ransomware incidents? Because as Jake opened up, there is no mandate they have to report a ransomware incident or that you paid a ransomware or that insurance companies are facilitating those payments.

This report is different in that it touches on how, exactly, do we take that overarching framework that we talked about but then conceptualize it for ransomware in general? And also, what can private sector entities do in that regard?

Kip: Okay, got it. Just to be clear for our audience, we've got Michael back again but this report was created as part of a different organization and specifically focused on ransomware. But I think it's interesting that we've got two organizations and obviously, there's ... If we just go looking around on Google we'll probably find a lot more ... Trying to spur government into action and then also the private sector, as well, which I think the future of dealing with these cyber crimes is going to involve way more private sector cooperation and coordination. Would you say so, Michael?

Michael: Absolutely. And that's why I was really honored to be part of this task force. And like I said, I was only one of 60 members and a lot of the members were private sector partners who were talking about what they do. You mentioned earlier about crypto currency. We have crypto currency experts and we have a whole section about crypto currency, which in our report we did not talk about. It was really interesting conversations and the report really delves into those kind of issues that our Third Way report did not.

Kip: Okay. I just want to make one more comment and then I think Jake's going to want us to actually start looking at the recommendations of your report. But I wanted to share with the audience that it struck me ... And this is something that I thought of a few years ago ... That because the criminals are running amok, I thought, "Well, when has this happened before? Because this sounds vaguely familiar." And so, I thought about the United States in the 1920s and the 1930s. I thought about armed gangsters robbing banks. So, the Bonnie and Clyde movie that came out of Hollywood kind of epitomizes this. And so, I was really interested to know how long did it take law enforcement and government to get their arms around this robbing a bank branch? When did that not really become a thing anymore? When was that really under control?

As I did the research I found something that was absolutely stunning to me, which was it was not until the 1990s. Something that started in the 1920s/1930s, it wasn't until the 1990s that bank branch robbery really got so under control that it ... Yeah, it still happens but it's really not a thing anymore. We've really got everything really screwed down as much as possible to where if you do end up in a bank branch with a gun, you're not going to get much money and the money you do get is going to be marked, it's going to have a dye pack in it and so on and so on and so on. So, we've got it all figured out.

I was wondering why did it take 60 years to actually get this figured out? And one of the big reasons why it took that long is because the banks were very, very reluctant to follow the lead of law enforcement and do things like put barriers between customers and tellers and so on and so forth because banking had been a very relationship-driven industry. It still is. And the banks really did not want to put barriers between their staff and their customers. And it took a long, long, long time for private industry to figure out how to cooperate and how to come along with what the government was encouraging.

I can't help but wonder what's it going to be like in this situation where we need a lot of private industry compromise and support to try to make a dent on this? Michael, did you guys talk about this? About the fact that we're breaking new ground and that it's going to be difficult and what's going to be done about that?

Michael: Yeah. No, I think you raise a lot of interesting points. And I think we can't wait 60 years for this. This past weekend we saw JBS go down, Colonial went down. I think what's interesting is if Colonial Pipeline were shut down for another five days, if it was 10 days in total, the Atlanta airport would have shut down because airplanes have no more fuel. That is going from banks to shutting down one of the largest airports in the country, so we had to figure this out.

Kip: Yeah, that's ...

Michael: And I think what's interesting is that, to your point, that prioritizes each other's involvement, this is a nonprofit. It's not necessarily private but it's still not federal government that operated and ran with this task force. And that's the kind of involvement that we need when it comes to cybersecurity. And I think a lot of the recommendations we had were all about how can the government work in tandem with private sector and also improve that relationship? Because we know we need them because at the end of the day it's crypto currency, which is all private sector run, and it's ICT networks that are all private sector run. So at the end of the day, the government needs to rely on the private partners to really get at this issue.

Jake: It's true. And I think that one of the big challenges here is that we ... In a lot of ways, this is the preventative health dilemma for government, just with citizens. How do you force people to take care of themselves so they are less of a burden on society later on? There's obviously not a real good answer for that. I do think, though, that whereas it might be considered a little tyrannical to mandate that everyone exercise for 30 minutes every day or face jail time or something, it is not, I think, anything like that in terms of mandating that companies take certain steps to protect themselves from ransomware or, if it comes down to it, that it's illegal to pay ransoms.

And we've kind of seen that. The October first OFAC memo was sort of along those lines. Not precisely. And there's a lot of issues with enforcement and identifying the attribution, identifying the actor. But because of the sudden ... Not even the sudden but the pandemic-driven explosion in significant ransomware events ... I think what we need to see is ... Kip and I can talk and have talked until we're blue in the face about this is what you can do, this is how you can do it, from a cyber risk management perspective. What are the actions that the Ransomware Task Force is recommending? What types of things are you really looking at to help people to do? And I imagine it can't be a real long list, so what do you ... How many are there? What's the idea?

Michael: What's funny ... People can't see my face. I was laughing a bit because last time the report that I talked about was 100+ pages and that was a lot to get through. And even this one is 80 pages, which is really long to get through with 48 recommendations. But the task force did a good job of identifying five key recommendations. And I think I want to touch on three of them, which is coordinating international diplomatic and law enforcement efforts with private sector. An emphasis on with private sector. Second being establishing a cyber response recovery fund, which I'll get into the nuances of that. But essentially, how can we make sure that we can provide financial grants or funds to victims, including private sector victims. And then, lastly, and I think probably the more interesting conversation ... I think they're all interesting but this is the one that's been really hot in the news is regulating crypto currencies that enable ransomware.

To go back to Kip's earlier point in terms of how can we maybe ... Is this a new thing? Or maybe we could take existing law. This is an area in which we have anti-money laundering laws that we can use and implement on cryptocurrency. After that, maybe we need something else but that's a scenario in which we could talk more about in terms of what that kind of regulation would look like.

Jake: That's really interesting. We should definitely talk about that. And I think these are interesting actions. These aren't actions that we're recommending that individual companies or potential victims take. These are broader societal-scale actions. Is that intentional? What do you think about that?

Michael: Yeah. I think this is how can we make sure that we raise the sea level for all boats? And these are large government actions that can do that. To be sure, we have recommendations in there for private sector companies such as ... And these aren't necessarily groundbreaking but it's interesting when you see when ransomware attacks happen that they're not in place, such as do you have backup servers? Do you have paper plans? Because once a ransomware attack hits, you don't have access to your computers and so it's funny that you can have a really robust ransomware plan of what happens but if you don't print it out, then it's no good for you.

We have those kinds of recommendations as well, but the ones I think I'm raising here, and the ones that the task force raised, are ones that would be a giant leap forward in terms of diminishing the impact and the prevalence of ransomware incidents whereas the other ones are more ... You're going to get hit, so what can you do to improve and bolster your systems for the day that you might get hit?

Jake: Interesting. Yeah. And I do want to talk about these. I believe there are five core actions in the Ransomware Task Force recommendations. Please mention the fourth and fifth, even though I don't think we'll have time to discuss them in any detail.

Michael: Yeah. Top of my head, they're escaping me. But I can pull them up here in a bit. But I do know that they were really focusing on how we can do disruption operations. So, how can the FBI, Interpol, as well as, say, Microsoft, team up together to take down those types of international actors and in a legal way? And we can get into this a little bit later but it was interesting because I was looking through an earlier podcast ... I was talking about how, say, AT&T can go down and shut off access to servers to clients who are abusing their terms of service. That is totally within the right of AT&T and other providers to do that. However, there may be some concerns of ... Jake, you mentioned earlier about attribution. Am I really sure that this person I'm going after and tackling is actually an actor or maybe they're part of a botnet system? That's really difficult.

And I think the fifth one, really, was more about international engagement at large. How can we ensure that we help our allies and partners that their law enforcement capabilities are up to snuff when it comes to pursuing actors either within their own borders and also teaming up to ensure that inaudible actors that either abet or actually help cyber criminals like Russia and China ... How can we impose consequences on them that are meaningful and that would change their behavior?

Jake: Yeah. I think those are all very important, interesting concepts. Let's talk a little bit about the three that we mentioned. I think coordinating international diplomatic and law enforcement efforts speaks for itself. It's fairly clear. It's an ongoing battle. There've been plenty of success stories. Interpol, that's what it's for. I think that's probably the easiest one, in a sense, to make real progress on just because there's so many ... There's a lot of history there amongst at least the cooperative countries.
And maybe that's the issue ... If the criminals are housed or living in countries that aren't cooperative, you can't get coordination across international boundaries. I don't know if that's something that we should spend a ton of time on because I don't think we can solve it. But I am ...

Kip: That's one thing, though, that I want to point out and I want to ask Michael about. It's one thing to say, "Here's what we need to do. We need more international and diplomatic law enforcement cooperation." Fine. But how do you do that? How do you do that with people who have not historically been cooperative and have no current incentive to become cooperative? How does that ... The how part. I think what's stymying us from making progress and moving forward is there's no clear ... I haven't seen a clear how do you do it? A clear road map for how do you do this?

And I think just as much as when criminals were robbing banks in the US in the 1920s and 30s and exploiting gaps in our law enforcement and legal system, this is what we have on an international level. But we don't have a single government ... We had a federal government in the US that could intervene and assume some authority on these interstate matters but there's really nothing comparable for us on the world stage. I don't know, Michael. What do you think?

Michael: Yeah. No. It seems kind of all for naught, right? Biden issued economic sanctions against those responsible for the SolarWinds attack and then you had Colonial happen and, again, we put out statements saying this is unacceptable and then you had JBS happen. It seems like we're not having a big deterrence effect and deterrence is the real question here.

One thing that we've written about, and it comes up a bit in the Ransomware Task Force paper as well, is we need to identify what are the characteristics that will actually work? Sometimes economic sanctions that are jointly issued by not only the US but also the EU and other allies will be very, very impactful. However, we haven't really done that in the past and we're just starting to do that.
Coordination in that level will be really impactful. Sometimes it's withdrawing or upholding military and other humanitarian assistance. That could be very impactful, as well. Other times, it might be some kind of a carrot and we have to identify those carrots.

But I think, as well, that we're gradually seeing success in terms of bringing together folks in a coherent manner to take down infrastructure and criminals. And I think one story that did not gain as much attention as I think it should have is Emotet. Emotet was one of the largest malware distributors for the past decade and it took us a decade, which is far too long, to finally shut down the infrastructure. And it was multi-national with private sector involvement to take them down. And we actually arrested criminals.
So, this can happen. And I think ...

Kip: Yeah. Yeah.

Michael: ... inaudible in those case studies to show that it is worthwhile. It's useful.

Kip: But we're still in the ... What I would call the heroic exception phase. In other words, yep, we had a major victory there but look what it took. It took a decade and it took a lot of heroics. We don't have a systematic, scalable way of dealing with this. And I also strongly suspect that once Emotet was disassembled, the actors that did not get arrested regrouped and probably just spun up a new operation.

Michael: Absolutely. I think you're spot on. But I don't think it ... What I worry about is that that's seen, then, as an excuse to not keep trying to do something. And it's more what's the lesson learned?

Kip: Yes.

Michael: And how can we do it?

Kip: Yeah. I'm definitely not offering that ...

Michael: Right.

Kip: ... As an excuse to not do anything. I'm just simply offering it as an explanation to help people understand why this is so dang difficult.

Michael: Right. And I think this is the ...

Jake: It's so hard.

Michael: And I think ... Just this real quick point because this is actually a really fascinating point of this ... is that we have to make the decision. Is it worthwhile to try to identify where the bad actors are and let them continue to launch attacks so we can get the TTPs to identify them? Or is it hurting so badly that we just got to shut it down? You shut down the infrastructure and you just ... It's kind of whack-a-mole. And those are two equities we have to balance. And we do need a coherent manner and forum to make those decisions rather than on an ad hoc basis. I completely agree with you on that front.

Kip: And I think the incentives are not well-aligned, even on the side of people who are trying to extinguish this force. You talked a moment ago, Michael, about, "Well, AT&T can go down to their data center and disable servers that are being operated by people who violate their terms of service." Yes, they can. However, it is not in their best interest to do that because why? They're going to take a revenue hit. And we've seen it. You can study it. You can study the lengths that you have to go through in order to take down a server that is known to be causing trouble.

Let's say spam. A server that sends a ton of spam. Well, that server is consuming a lot of resources and paying a lot of ... typically, a lot of money to the hosting provider. This is based on actual behavior in the past, but they're typically going to let that thing run as long as they possibly can get away with it to generate revenue for themselves. Not every hosting provider. I don't want to overgeneralize. But I just want to point out that there are some definite conflicts of interest, even on the side of the people who are trying to do the right thing. And those incentives have to be changed, as well.

Jake: Indeed. We're going to get close on time here and I would love to talk about the Cyber Response and Recovery Fund for just a little bit because that, to me ... That's a truly outside the box proposal, at least compared to the other things that we're talking about. I'm curious what the thinking is behind that. Is there any concern that having that fund available will maybe dis-incentivize people from taking care of themselves and just relying on that fund to get back up and operational or to recover damages? What's the idea there?

Michael: Yeah. I think avoiding the tragedy of the commons is very important here. And I think with the fund ... And this is something that in President Biden's budget he actually put $21 million to do a pilot program of this ... That there needs to be some strings attached. If you're going to receive this fund, you need to report that you got hit with ransomware and give some information to the US government, to a non-regulatory agency, to ensure that we're not victimizing the victim, which is very important. But also, maybe it's you receive the fund the first time but the second time you're going to have to show us what improvements you made or you're going to have to implement the NIST Cybersecurity Framework in order to receive the first batch of funds.

There's definitely going to be strings rather than a slush fund approach. I think one thing that I'll point to is that we already do this in the public sector when it comes to hurricanes. A hurricane comes along and destroys some businesses and some schools. There is a FEMA program to give grants out and as part of that, you have to show that you're building back and improving what you've lost. This will be something very similar except you can open it up for both preventive and recovery efforts for private sector businesses.

But I agree. I think the devil's in the details in terms of what's going to be required and incumbent upon those who receive those funds because the last thing we want to do is for folks to say, "Well, I can just use this. I don't have to worry about getting cyber insurance or getting some kind of cybersecurity vendor to do my firewalls and network monitoring." Those are really good, excellent points.

Kip: And we don't really have good answers for those yet, so we ...

Michael: [inaudible]

Kip: ... Got to figure that out as well. Gosh, it's discouraging. I feel like this is a good report. I've read it and I think it reflects some very, very good thinking. But we're just still so far away from having this sorted out. And I hate to say it because I know a lot of people are going to be very unhappy to hear this, but it might end up being that the fastest way out of this mess is to just seriously increase our regulation of cryptocurrency.

Jake: Oo, that's going to be an ...

Kip: Because that ...

Jake: ... Unpopular thing to do.

Kip: I know.

Jake: Given ...

Kip: But that is the ...

Jake: Given the entire point ... Actually, just an interesting question as we talk about this ... Just to think about it ... Is it even possible to regulate cryptocurrency? Or isn't the point of cryptocurrency to be somewhat immune to government regulation?

Kip: Yeah, I know. This is not an easy answer, either. But I think it's more tractable. If I was a policy maker in government and I was asking myself, "Where could I get the most traction quickest?" I would seriously be thinking about cryptocurrency, regulating it. And I don't know what that regulation looks like but if you think about it, the availability of anonymous transactions at scale is a key enabler. And I think without it, I don't think ransomware would be as prevalent as it is today.

Jake: I agree that that's the case. My question is ... Yeah. It's a big issue. It's going to be interesting to see ...

Kip: It's a huge issue, right?

Jake: Yeah.

Kip: And I get it. Your point is well-made. But I just wanted to take a moment and speculate about maybe the real answer is someplace different than all this stuff we've been talking about on the episode.

Anyway, so we are running out of time and I want to respect our listeners' time, so Michael, the report from the task force. How should our listeners be thinking about this report? We've talked about it, but how should they really be thinking about it? And is there anything they should be doing with it?

Michael: Yeah. I think two things. I think in terms of thinking about it, you can track to see what the government is doing. And we've actually been seeing some good movement on that front. For example, the recovery fund we just mentioned, that was in President Biden's budget. There is a law that has been ... Or a bill, I should say, that's moving through Congress. In terms of the cryptocurrency thing you were just talking about, the IRS just came out saying that they're going to impose a regulation that if you receive $10,000 in cryptocurrency you have to report it. It's baby steps but I think we could follow that to see if the needle's moving forward at all.

And second, in terms of what they can do, again, it's going back to the blocking and tackling but ensuring you have a ransomware plan of what happens if you were to get hit. And make sure that's printed out. And also, reaching out to government partners like DHS or Secret Service or FBI, which, if you don't have previous relationships, I know that's kind of daunting. But they are actually very useful and can be there to help. And also, join your local either ISAO or ISAC or some kind of information sharing body because there's so much information that could be shared and you can identify trends and tactics that adversaries are using to defend yourselves and you just get involved in a huge community that could be very, very helpful.

Kip: All right.

Jake: Agree on that completely.

Kip: Okay. Thank you, Michael, so much for being our guest, for bringing this report to us and helping us unpack what's going on with ransomware, what could be done about it, what should be done about it. We really appreciate you being here today.
As we wrap up, do you want to tell everybody how they can find you on the internet? And anything else that you want to mention?

Michael: Yeah. No. You can find me ... If you just Google Michael Garcia Third Way I'm on there. If you want to read the report, again, IST Ransomware and it'll pop up. Give it a read. And there's a lot of good articles out there. Yeah. Just pay attention to this issue because it's not going to go away and I think increasingly it's going to be on top of the agenda from the administration and other international governments.

Kip: Yeah. I think that's right. All right. That wraps up this episode of The Cyber Risk Management podcast. Today we talked about the recommendations that were released by The Institute for Security and Technology's Ransomware Task Force because we've got to do something about the growing threat of ransomware. And I want to thank Michael Garcia for helping us to do that. And we will see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on The Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at Cyberriskopportunities.com and FocalLaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.