Why Government Isn’t the Primary Target for Ransomware

Though the Federal government has certainly experienced ransomware attacks, experts speaking at the Armed Forces Communications and Electronics Association (AFCEA) Cybersecurity Summit on Tuesday explained that it is not the primary target for ransomware hackers.

“Is the U.S. government a target of those attacks? Absolutely. However, there may be reasons why they are not as susceptible as some of the private sector folks,” said Jeffrey Coburn, unit chief of Major Cyber Crimes at the FBI.

One of those reasons is a lack of financial motivation, as the government is more likely to have policies against paying the ransom at all.

“These particular bad actors, they are going after money. They’re financially motivated, they’re going after who they think are going to be able to pay them money,” Coburn said. He said that the FBI policy was to not pay ransomware hackers, as there can be equal or greater negative consequences to paying.

“There are some ramifications if you pay: you could be paying to a criminal enterprise, you could be paying funds to a terrorist enterprise,” said Coburn. “Another consequence, and we have seen this happen, is an individual or a company will pay the ransom, they will get the token that should unencrypt, and then they find that the token does not actually unencrypt. In another instance, we’ve actually seen when a ransom was paid, they tried to obtain the token, the bad guys are bad guys for a reason, and said ‘Oh that’s not enough money, we’re going to need a bit more money.’ Or they get reinfected.”

Frank Konieczny, chief technology officer of the U.S. Air Force, “doubt[s] the Air Force would ever pay” in the case of a ransomware attack, in part because they keep separate backups of most of their data. He also said that the government overall should have a policy about when to pay and not to pay ransoms.

“Normally we don’t pay ransoms, and so that would have to be a policy, basically,” Konieczny said. “But to enforce that policy you have to make sure that you have the necessary prevention method in place. I mean, that’s always the issue that you’re going to have.”

According to Coburn, those prevention methods are for the most part simple and straightforward to implement.

“Some of the simplest things are also the ones that are going to keep you most protected: having a backup of your system, and not only having a backup but testing your backup to make sure that it can actually be restored, having software in place such as firewalls and anti-virus scanners that are going to stop the malware from ever intruding and getting into your system,” Coburn said. “These are some simple steps. Also, you can implement some user-level privileges.”

“You have to look at the problem assuming that it is going to happen,” agreed Bob Gregg, CEO of ID Experts.

Though the panelists provided many ways that the government is working to prevent ransomware attacks, Coburn explained that prosecuting the hackers responsible is more complicated.

“They’re not coming from your backyard; they’re not coming from the United States, more than likely,” Coburn said. Even when these hackers can be identified, if they live in a country that doesn’t have prosecutorial agreements with the United States, there is little the government can do to combat the hackers through legal means.
