About the talk
We know, based on conversations with our community, that ransomware attacks are increasing for a variety of reasons and that payments have been increasing accordingly. The FBI discourages organizations from paying ransoms, and now the Department of the Treasury has declared that paying ransoms is illegal and violates OFAC regulations. Seemingly this puts Boards, and the conversation in and around evaluating risk, in a very precarious situation. The consideration around this and the balance of fiduciary responsibility is different depending on the organization (a manufacturing company vs. a hospital, for example) and what data is being held, but it still could squarely disrupt the natural flow of risk considerations for Boards.
Catherine Lotrionte is a Senior Researcher at Georgetown University, a Senior Associate in the Technology Policy Program at CSIS, and a Senior Fellow at the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. She has served as the Brent Scowcroft Scholar at the Atlantic Council. Founder and former Director of the CyberProject at Georgetown University, she has taught and written on international and national security law, international affairs, and technology. At Georgetown she founded the CyberProject in 2008 and the Annual International Conference on Cyber Engagement, which draws on the experience of government practitioners, industry representatives, and academic scholars, providing technical, corporate, legal, and policy perspectives from the international community.
Adam S. Hickey is a Deputy Assistant Attorney General of the National Security Division (NSD) at the Department of Justice (DOJ), overseeing the Counterintelligence and Export Control Section and the Foreign Investment Review Section. Among other things, he supervises investigations and prosecutions of foreign, state-sponsored computer intrusions and attacks, enforcement of the Foreign Agents Registration Act (FARA), and NSD's foreign investment security reviews (e.g., CFIUS work). Currently, Hickey focuses much of his time on DOJ's China Initiative (dedicated to better combatting national security threats from China). Previously, Hickey was a Federal Prosecutor in the Southern District of New York. He is a graduate of Harvard College and Yale Law School.
Stewart Baker is a Partner in the Washington office of Steptoe & Johnson LLP. He served as General Counsel of the NSA and Assistant Secretary for Policy at the Department of Homeland Security. At DHS he was responsible for policy analysis across the department, as well as for the department's international affairs, strategic planning and relationships with law enforcement and public advisory committees. His legal practice focuses on cybersecurity, CFIUS, export controls, government procurement, and immigration and regulation of international travel. Baker has a JD from the University of California, Los Angeles School of Law and a BA from Brown University. He hosts the Cyberlaw Podcast.
So today we're here to discuss the issue of ransomware, and specifically the topic of paying ransoms and what kind of risks may be involved in paying ransomware, in the context and background of the Department of the Treasury's most recent guidelines with respect to the payment of ransoms. First, before introducing our two speakers to you, I want to just let you know that there is a chat that you can submit questions to while the recording is being played, and there'll be a live session
in which the speakers will be able to answer those questions. So I suggest, and offer that up to you, as you listen, please submit your questions. So good day, good afternoon. My name is Catherine Lotrionte. I'm a professor at Georgetown University and also work at CSIS in Washington DC, a think tank in DC. Today I'm happy to introduce to you two gentlemen who will be discussing this very important and also timely topic about ransomware. First, we have with us today Adam Hickey.
Adam is a Deputy Assistant Attorney General at the National Security Division, Department of Justice. He oversees the Counterintelligence and Export Control Section and the Foreign Investment Review Section at DOJ. Among other things, he supervises investigations and prosecutions of foreign state-sponsored computer intrusions and attacks, enforcement of the Foreign Agents Registration Act, or FARA, and the National Security Division's foreign investment security reviews, for example CFIUS. We also have Stewart Baker.
Stewart is a partner in the Washington DC office of Steptoe & Johnson. He served as General Counsel at the National Security Agency and Assistant Secretary for Policy at the Department of Homeland Security. At DHS he was responsible for policy analysis across the department, as well as for the department's international affairs, strategic planning and relationships with law enforcement and public advisory committees. With that introduction, I'd like to offer an opportunity for both Stewart and Adam. Let's begin with Adam. Adam, I'm hoping that you can
kind of lay the groundwork, giving us some background on the Department of the Treasury's guidance on the payment of ransoms, recognizing that you're not at the Treasury Department, but as a current government official in this discussion I think you can lend some insight as to what the guidelines say and what it means for people, both companies that may be victims of ransomware and others in the community that might have some involvement in ransomware.

Sure, happy to. Good morning to
you, at least as we're recording this. Thanks for having me on the panel, and Stewart, great to see you again. I'm looking forward to this; I think it's going to be a lively, challenging conversation, at least for me. Thanks for tuning in. So, as a foundation for the conversation: in October 2020 Treasury issued an advisory on potential sanctions risk for facilitating ransomware payments, and I'm going to summarize it briefly. It reminds its audience that if you
engage in transactions with a sanctioned entity or person you can still be liable, and Treasury has the authority to bring an enforcement action even if you didn't know that's what you were doing. So it's a strict liability standard, and that includes ransomware actors or groups of actors that have been designated in recent years. Since 2016, Treasury has designated CryptoLocker, SamSam, WannaCry 2.0 and Dridex under their authority, some of which are related to Iran and North Korea sanctions authorities, and some of which relate
to EO 13694 and its revisions, referred to collectively as the cyber EO. The advisory reminds readers of that authority to bring civil enforcement action, and also the factors that will affect Treasury's judgment about whether an enforcement action or penalties are appropriate, including whether the American company or entity had a risk-based compliance program designed to identify and mitigate sanctions risk, and whether, before payments were made,
the victim reached out to law enforcement and worked with them, which is described as a significant mitigating factor. They will tell you that this guidance isn't new at all; all it does is summarize law that has long been understood. And actually I think it was relatively recent; some of the other things that relate to ransomware date back some years, I think back to 2016. But I think the advisory did land with a bit of an attention-
getting signal, because some thought it was a way of targeting ransomware victims, saying that you shouldn't pay a ransom if you're hit by ransomware, and if you do, we're going to come get you. If you read the advisory, though, the audience that it's geared towards is not the victim of ransomware so much as the intermediaries a victim might rely on to make a ransomware payment, or that are in the business of incident response. And I think the point of the advisory is to
go to those intermediaries, get their attention, and make sure they have risk-based compliance programs, so that when they deal with a ransomware incident and there are indications that a payment might benefit a sanctioned entity or person, those intermediaries reject the payment. You might ask, why do this? If you get hit by ransomware, it's a very stressful day for the victim, right? It may be that they don't have adequate backups; it might be that the backups themselves were compromised by the ransomware. There may not be much
of a choice. So doesn't this make a hard day worse for that particular victim? That's probably right, if you look at it only from that victim's perspective. But ransomware is the classic tragedy of the commons, where as an individual entity you may or may not be better off paying the ransom, but all of us are worse off if you do, because every dollar that goes to the ransomware operator or designer expands the market for it, makes it more profitable, ensures that there'll be more ransomware in the future. And it's even worse if it's North Korea or
Iran that's in the background sponsoring the ransomware, right? Because they can be tied to nuclear proliferation or terrorism. So that, I think, is the policy case for reminding those intermediaries, like insurance companies, of the sanctions authority and the impact. And the hope, I think, is that by shrinking the rewards from ransomware payments you potentially shape the behavior of ransomware actors and constrain the market for it in a way that benefits all of us.

Stewart, can you give us your take, having,
you know, carefully looked at the guidance? I know it's not been out that long, and as Adam rightly pointed out, maybe it's not new news; in other words, this was based on already existing authorities. But what's your take, looking at the broader picture? Is this useful? Do you anticipate a change in the behavior of those conducting the cyberattacks, but more specifically those that are victims of the ransomware?

I think this is not new for people who
practice law in front of OFAC and who do sanctions law. None of the principles that were laid out are at all surprising to people who do that, but it's completely new in the context of ransomware payments, where people had only begun to think about this, and mainly to think about it in terms of the liability of the company that was the victim of the attack. The one place where I might just agree with Adam: it's true that this is aimed in substantial part at the facilitators of
payment. But before it was aimed at the facilitators, it was aimed at the victims of ransomware: if you pay it, you are clearly subject to liability under OFAC if you pay it to somebody who's subject to sanctions. What is mildly novel, as a factual matter, is that Treasury is calling out the people who negotiate these things, the people who do the forensics and say we think this is an okay payment or not an okay payment based on the evidence from the attack, the insurance companies that say,
yes, we'll cover you for this, and maybe the financial services people who actually move the money. Those folks probably had not, because they didn't have a reason to, understood the details of OFAC law, didn't understand that facilitating a payment that violates OFAC sanctions is itself a violation of the sanctions. And that's clear enough as a matter of law. It probably was a surprise to the people who do this, to some degree, depending on how much legal advice they got before they did this. This is probably, and I think it's
worth saying, that there was in August, three months before this came out, a very notorious ransomware attack on Garmin, and Garmin, everyone surmises (I'm not sure they confirmed this), paid the ransom, got their data back, and not long thereafter a firm which does forensics announced that it had decided that the particular kind of ransomware that was used to attack Garmin, without mentioning Garmin at all, was not necessarily Evil Corp, which was subject to sanctions. So there was
a controversial but public analysis that was widely viewed as a justification for Garmin to pay, and for others to pay if they were subjected to WastedLocker attacks, and it's not unreasonable to view what Treasury did as an effort to make sure that people who stepped into this gray zone understood that they were taking the risk that, if they were wrong, they had violated the law. The fact that they didn't know for sure they were wrong doesn't matter: if Treasury later finds that you made a payment to somebody who's subject to sanctions, all the goodwill and all the
reasonable precautions in the world don't prevent you from being held to have violated the law. All they will do is reduce the level of sanctions. And the advisory gives us a couple of practical tips for ways to reduce your likelihood of liability, which are also designed to say, don't get too cute with your attribution, because we're going to be watching, and if we don't think you did it in good faith, if you didn't do it pursuant to a careful compliance plan, we're going to come after you.

So, if I could follow up with both of you on that. First to
Stewart: the list of intermediaries that you discussed as potentially being very much affected by this, could you throw law firms in that too? I mean, those that are...

So yeah, they did not include law firms, and I suspect that was a careful decision. But I have advised plenty of American general counsels, or people working in foreign firms, that they can be subject to facilitation liability if they are not careful about the advice they give. There's a little more leeway, because you can give
compliance advice and not be guilty of facilitation. That may be why they left the law firms out. But, yeah, I think law firms that are too cute here and develop a reputation for being the firm to go to if you want someone to advise you are probably at risk.

The takeaway from this, and I'd like to get both of your views, but maybe Adam first on this: what if I'm reading this, and say I'm a victim but not a lawyer, haven't consulted lawyers, but I'm reading this guideline, the new guidelines, trying to understand the
state of things, having been a victim. Is one takeaway, is it recommended, that the first call is to the FBI? I mean, does that help a potential entity that's been a victim and wants to pay? Is there a benefit? How does that help them?

The answer to that question will always be yes from my perspective: you should call the FBI, ransomware or not. But it will help in this specific context. I think if you're the victim and you've been hit with ransomware, you're probably not reading Treasury guidance at that moment. You probably called your lawyers, if you
have them on retainer, or your network people, and if your IT department can't do what you need to restore from backup, or you need to figure out what's going on... Maybe you don't call them if you try to make the payment yourself, but I think at some point you're going to get your insurance company, a forensic firm or some other intermediary or facilitator involved; hopefully you will. And then, in the course of their response, they will say, well, this might be Dridex, and so we can't help you make this
payment. At what point did you call? Maybe you called the minute your system locked. Maybe you called them after you called your lawyer, your insurance company and your friends. The FBI might be able to help you understand better; they might tell you with greater clarity that it's not a sanctioned variant, that actually it looks different, looks like a false flag. Or they might confirm what your others have said, which is, now we're not sure, there are indications this is such-and-such ransomware and that's been designated,
so it does make it harder for you to pay. But let's take another example, where no one's seen this before. It's a new variant; there's not a lot of information out on the internet about who's responsible for it. You've called the FBI; no one tells you this is a sanctioned entity; you make the payment; and six months later it turns out that this was Dridex, but you didn't know that, and it's public because you're a large company, so the fact you paid the ransom becomes known. The benefit of having called the FBI is that if Treasury reads in the newspaper that you
paid the ransom, and they know that was to a sanctioned entity, the fact you called the FBI and involved them in a certain way in your decision-making will be a significant mitigating factor. And I'm not aware of any circumstance where someone has done that and we, the Justice Department, have come after them criminally, or Treasury has. I think this is a hard one, but I don't have it. But I really do think the point of the advisory is to get people to design programs to detect risk
and not make the payment. It really doesn't work as a policy matter just to go after people after making the payment; that's not the goal. The goal is likely to make it unpalatable to you to make the payment. And if I were a firm that says, we're going to turn a blind eye to this and develop policies that could help victims, we really feel bad for ransomware victims, so you can come to us and we will tell you, no matter what, this is not sanctioned ransomware, we
will probably catch on to that, and that will take you from being strictly liable to knowing, or at least conscious avoidance of the facts, if not criminal intent, and that will expose that intermediary to prosecution. So I think that's the way to think of the chain of behavior we're trying to encourage: if you create policies that will prevent the payment, or lessen it, and one or two slip by because the compliance program maybe just doesn't catch everything... But if you haven't designed that program and talked to law enforcement, then you're
exposed to a much more significant sanction or fine.

I think that most of the intermediaries have been pretty thoroughly scared off from offering close-to-the-line advice on this, because from their point of view what they make for one engagement is simply not enough to justify a large risk of an investigation and substantial penalties under the OFAC regime. So your insurance company is certainly not going to want to assure you that it will cover your payments if it thinks there's a risk that it's a sanctioned entity, and
probably that's true for the forensics firms and the negotiators that you might hire to try to arrive at a suitable payment. So it probably is having the effect that was intended, which is to make it harder to make payments to people who are reasonably believed to be subject to sanctions. I do think there is a question whether that makes sense. OFAC rules were originally designed to impose penalties on trading with Nazi Germany, when we were at war with them, and the same in World War I. It is a nuclear weapon; the penalties are enormous, and the
structure is designed to make sure people stay well away from anybody who is a sanctioned entity. But we have begun using it in a very fine-tuned way. The US government has begun using it person by person to cut people off from the banking system, and it has worked to some degree in that context. But in this context, where people are really up against it, it really does simply add to the pain the victim suffers, and I'm not sure it's really going to affect the people who are serving ransomware. There's no indication that
I've seen that they are hiding their old protocols and tools and techniques in an effort to make it easier for people to decide, this is really not Evil Corp, so I can pay them. If they're not even doing that, then they're not really very deterred by the imposition of sanctions, and the only people who are suffering are the companies that are subjected to a second risk of liability if they pay.

If I could follow up on that: if it ends up being that the
effect is that these intermediaries are deterred, and they're not going to be giving any advice that they might otherwise have given to these victims, are we leaving the victims, then, you know, those that feel that they need to pay this ransom, they don't have backups for whatever reason, they've made the determination that for their own interest, for their company, they're going to have to pay this ransom. Is that going to deter them? And I would like to see, do we have any idea of how this looks globally? Are we
then putting American entities in a situation where, as you said, the bad guys are going to continue to conduct these attacks and maybe look elsewhere outside the United States if they're not getting their money here? How are we placing our American companies vis-à-vis others that might not be under the same restrictions or Department of Treasury guidelines?

If it was working, then we would see ransomware gangs avoiding American companies, or companies with substantial US assets, because
they thought it was going to be harder to get paid, and then they would pick on others and leave them alone. It's a variant of what we have seen, I think, in the area of terrorist hostage-taking, where the US's very hard line, until fairly recently, has made it unproductive to kidnap Americans for ransom. If you happen to kidnap them, it's probably more likely you'll kill them than that you will hold them for ransom, because the US has been so tough on ransom payments, and that has exposed other Western countries to more
kidnappings than Americans. So it could work, but I don't see a sign that it is having that effect, which makes me think that maybe these sanctions aren't really biting for the ransomware attacks.

So I think the difficulty with measuring the effect of the policies is that it's inherently going to involve unknowns. Remember that not all ransomware is subject to sanctions, right? It's only payments to sanctioned entities, of which there are four clusters or groups. So one interesting question is, what's the impact on
ransomware creators or operators who are not yet designated: do they shape their behavior in any way, knowing that if they become the worst of the worst, which is the standard for sanctions under our national security interest, it makes it that much harder for them to move money or access it? Do they then try to stay below that threshold? Does that mean that it's better to be, when the bear is chasing you, you don't have to outrun the bear... So by that logic, you just have to be a little quieter, a little less ambitious, and therefore victimizing fewer
Americans, or focusing more on Western Europe. I can't answer that, but there's a certain logic to that driving that decision calculus. And to the pure question, Catherine, about the victim that has to pay: you know, that feels like a compelling case, but frame it in terms of paying money to Tehran, right? I mean, your relative or your business is held hostage by a terrorist group, but we are all much worse off if you give them more money to encourage this behavior. To the point about
victims: they can protect themselves. You have to take a harder position: just because you didn't take the right steps to prevent or mitigate an intrusion on your network doesn't mean the rest of us should have to contend with a richer North Korea or Iran.

Thank you for your thoughts on that, both. I wanted to, I'm not sure it's completely unrelated, but it's tangential to the guidelines, I wanted to see if we could get your opinions on some general efforts, or maybe even specific efforts, from the government and others with respect
to the release of private emails. I mean, it's not necessarily ransomware, but I think this is an important thing, and maybe some of the same victims of ransomware would be very concerned about emails being released out there, and what the government, the FBI or others could do maybe to assist these individuals. Adam, you can start with the perspective of what the government might be able to do, and then, Stewart, maybe some views on how effective this could be.

Sure, happy to. And it's a logical segue from this,
because, as you probably know, ransomware operators are now turning to extortion: if the victim's not going to pay, you have backups, whatever, the next move might be to say, well, we have the emails, and we can release them. And what do you think about that? You're seeing a blending from ransomware into extortion. This isn't new, right? The first time I saw this was in the attack on Sony Pictures Entertainment, where, in addition to breaking the company's network, the actors
in this case did dump a lot of the material online. One of the benefits of working with the FBI and the Justice Department is our network of contacts with law enforcement around the world. And so, where a lot of that data, most of it in that case, was hosted on systems around the world, we were able to reach out through law enforcement liaison relationships and ask the authorities in those countries to use whatever authorities they have to try to mitigate that. Here, if it's hosted here, although you don't see that quite as much,
we would go to the providers and alert them to what they're doing. In the case of a sanctioned entity, if you're providing server space to North Korea, and we tell you that that's what you're doing and you don't stop the transaction of providing that, you then become potentially exposed to a penalty under the same authority. You could imagine the ransomware operator that's designated: you're doing business with them. So that is one way the government can also help
mitigate the harm. But, you know, there's a difference between how widely accessible it is and its impact. So that's another reason to call the FBI: I think we can be helpful, and I respect that Treasury has made it absolutely clear: you bring in law enforcement. It doesn't have to be the FBI; it could be the Secret Service, it could be ICE, it could probably be local law enforcement, and you make a full disclosure, a timely disclosure, to them.
Interestingly, they did not ask that you ask law enforcement whether it's okay to pay. So you might be able to tell them, I'm going to pay, I wanted to bring you in and tell you all this stuff because it's part of my compliance plan, but I'm paying. So that's a possibility.

Getting back to the doxxing, hacking and releasing of data: I think there are options to consider. Ever since, frankly, an operation like that cost Hillary Clinton the presidency, Silicon Valley has been much less enthusiastic
about WikiLeaks and Julian Assange and the like, and they probably would be open to refusing to allow the distribution of hacked material. Some of the companies say it's a violation of their terms of service. And one thing I've often wanted to try: nobody carries, if they can avoid it, copyrighted materials. It turns out that all of our emails are copyrighted as we write them. And so, if you were to find a way to register copyright for at least some of
the emails that might end up being released, you'd have very powerful sanctions on secondary distribution of those documents. It's probably worth considering if you think you're at all likely to be a target, although I will confess this is an idea that has occurred to me as we were speaking, so there may be a legal problem with it, but it's worth considering.

The problematic emails are probably not the ones you're going to rush to copyright, but I think, reaching back twenty years, the copyright, right, that's that you fix it in a
tangible form, so I don't know that you have to actually register it to have some of the protection.

That's right. It is already copyrighted, but to get the benefit of the hammer of $250,000 for every publication you need to have registered. And you'd have to register, like, the scary ones. No one is going to go through and only release the scary ones; they're just going to dump the whole thing. And as long as you have canaries in there, you've got a canary in the coal mine. It may be enough.

This is
why you get paid the big bucks. So that's something new, actually; that's a good takeaway. And I think that we've given potentially many people in the audience some food for thought, that they may be calling or asking their in-house counsel about copyrighting emails. I think I myself would consider that, especially if I was a CEO of a company. I think we're coming up close to the end of our time, but I wanted to ask both of you for any concluding comments or advice that you wanted to share, anything you want to
highlight or emphasize, or a takeaway for folks to remember from the session.

I'd just say that I think a common theme is that you're better off calling law enforcement and working with us. I mean, there's a temptation to avoid being pregnant with knowledge, but the system isn't built to reward that. And even if you think paying the ransom is your only option, it could be a worse picture in the future, because there's no guarantee that actor is going to pull every tool they have off your network if you pay once. Why wouldn't you pay again a second time?
So I'd use the analogy of trying to get rid of the cockroaches in your home, and that's the worry here with that.

I think there's a lesson here for business: it's that we shouldn't be applauding when Treasury announces that they are imposing sanctions on another ransomware entity unless we know it works, because if they impose the sanction and it doesn't work, they're really just imposing sanctions on the businesses that are victims, and we need to be much more careful about that.
Now, do we know what it will look like if it's working? I think so; you kind of outlined that, and Adam, you did too. How long will this take, do you suggest? It's a big hypothetical, I guess. We know ransomware is probably not going to end in the near future; it doesn't look like it's going down. But will it take a year before we can come back and say, oh, these guidelines look like they're working? Or is this longer-term; do we have to wait longer to get a good assessment of effectiveness, do you think?

I think, in terms of discouraging payment, I think we
agree it's working, so by that measure it is a success, right? We think it's already slowing or stopping payments. If your measure is, is it working in bankrupting the ransomware operators, no, and I don't know that we will ever know that. We'll never know how much more they would have made; we won't ever know what the other unsanctioned operators are doing differently. So I think it sets up a burden you can't carry if you frame it that way. But if you think about kidnapping by terrorist groups or the like, we all agree it's better that they don't
have resources.

I totally agree that discouraging the payment of resources to them... so if they're not getting an extra 250 bitcoin or a thousand bitcoin, then it's working. I don't think this is going to work by itself, ever. We are going to have to find other ways to sanction and impose difficulties on the ransomware gangs. It's clearly cryptocurrency that has made this an easy reward for ransomware gangs, and finding ways to track and discourage illicit use of cryptocurrency is really critical, and then
finding other ways to discourage the havens for ransomware. Maybe we could persuade Vladimir Putin that he's been the victim of Dridex, and that gang will find no refuge in Russia. But we're going to have to continue to work on this. This is a feel-good solution for the US rather than a real solution to the problem.

So maybe step number one, but it does sound like what, Stewart, at least, you're calling for, and I don't think Adam would be
opposed to, is more creative thinking, that we probably do have to... It's not only the Treasury Department's or even law enforcement's role, but maybe even broader thinking about what else can be done. So with that, maybe we wrap it up, and we might have to be back on this topic to discuss what progress we're seeing or more creative ways to tackle the issue. But I want to thank you very much, Adam and Stewart, for taking the time.
With ConferenceCast.tv, you get access to our library of the world's best conference talks.