In the final episode of CISO’s Gambit for this year, I joined my colleagues Brad Moldenhauer, Mark Lueck, and Ben Corll, members of the office of the CISO at Zscaler, for a look back on 2022. We discussed the outcome of this year’s cybersecurity happenings, the evolving role of security leadership, and what we’re seeing for next year.
Should paying ransoms be criminalized?
A hot debate in cybersecurity circles is whether governments should criminalize paying ransoms, on the argument that doing so aids and abets criminal groups and fuels cyber crime.
Proponents of this approach say that, if paying a ransom was made illegal, there would be no incentive for ransomware attacks, and, theoretically, the attacks would go away. “Maybe legislation will have the impact of ending ransomware as a threat,” proposed Lueck, conceding that it would be “painful” in the short term. For some more than others.
On the other side of the argument, critics say that laws criminalizing ransom payments would turn the victims of cybercrime into criminals themselves, and would unduly punish small and mid-sized businesses that lack the resources and expertise larger organizations have for responding to incidents. For smaller businesses, sometimes the best decision is to pay the ransom.
Moldenhauer shared a personal story, which he wrote about on Dark Reading, describing how he helped mitigate and guide the response to a ransomware attack on his uncle’s HVAC company. After speaking with the authorities and the company’s outsourced IT provider, they collectively concluded that paying the $4,000 ransom was the correct business decision for the company. “While I’m not a complete advocate of paying a ransom, the personal experience taught me there are conditions where it makes sense,” said Moldenhauer.
Shifting tides in the ransomware business model
Corll pointed out that many companies aren’t paying ransoms now because backups are better, and companies are better prepared. He noted, “Ransomware is less impactful now because segmentation is in place to protect critical data.” “We’ve upped our disaster recovery with primary, secondary, and tertiary cloud backup,” added Moldenhauer. For smaller organizations with fewer cybersecurity resources, reliable backups have become the most important safeguard against an encryption-only attack.
In response, cybercriminals have adapted their tactics. We saw this recently in Costa Rica. The government refused to pay the ransom following an attack, so the attackers escalated and took over even more of the digital infrastructure. They breached dozens of other government websites and systems, including the tax system and the import and export system, which ground the government’s revenue generation and commercial supply chains to a halt.
Another response has been to exfiltrate the data before encrypting it, so that a restored backup no longer ends the attacker’s leverage. This is a sea change in the cybercrime world. It’s no longer just about extorting a ransom in exchange for reestablishing operations and business continuity. Now it’s about extracting value from the data itself: using it against the organization in some other way, or selling it to other parties.
Data is the new currency of every organization
In a world where data is the product, where does data privacy enter in? “There’s a dichotomy between what an individual thinks about their privacy and what governments and corporations think about their privacy,” said Lueck. At the same time, he pointed out that there’s a paradox around privacy: “People want to protect their rights to privacy, but they’re quite happy to give those rights away at the drop of a hat when they have something of perceived value.” For example, on a social media platform.
While steps have been taken to ensure privacy rights, such as with the General Data Protection Regulation (GDPR), Corll pointed out that many organizations are doing only the minimum required for compliance.
“Organizations are looking at the legislation from a risk perspective, assessing the likelihood of having to pay a fine versus the ability to not change and to continue to operate as usual. Many decide to take the approach of doing the very minimum, so they can say they did the right things later on if they need to negotiate the fine,” he said.
We’ve seen this historically with compliance-driven security programs. It can be difficult for an organization to make the business case for why they should do something—whether it’s protecting the consumer, protecting employees, or even protecting the continuity of their operations—when the alternative (doing nothing/paying ransom) is more profitable.
That being said, if I were in the data analysis business, like many of these social media companies are, I would be focused squarely on ensuring that the insights gleaned from that analysis are fully protected since those are ultimately the differentiator between one platform and another.
Data privacy as a competitive advantage
Lueck brought up an interesting idea: in the future, differences in data protection levels will be used as a competitive advantage. Similar to how, 30 years ago, it was not a competitive advantage for a business to be “green,” now it’s a competitive disadvantage not to be conscientious about environmental impact. He sees it as a privacy war that started with GDPR as the opening shot.
“Is next year going to be any different from this year? I don’t think so. But the war is in progress, and I think it’s going to be another generation before we really have people who care about those rights. The right to privacy is a generational change that will require time. This is not going to happen in 2023, this might happen in 2053,” he remarked.
Moldenhauer recalled how, when he was an undergraduate in the mid-1990s, the school used to post exam grades in an auditorium alongside the students’ Social Security numbers. From that perspective, we’ve come a long way.
The sacrificial C-suite and CISO scapegoating
Individuals using social media services know the risks and tradeoffs and are implicitly willing to assume those risks. But we’re also seeing data being compromised at cloud-enabled services—such as food delivery and ride-sharing applications and services—that rely on personally identifiable information (PII). This is being followed by a lot of blame-shifting when it comes to accountability and who owns the risk.
There seems to be a shift regarding organizations’ perceived risk posture and how much control CISOs have to prevent cyber incidents. In the face of lawsuits from investors and criminal charges from governments, we’re seeing organizations turn against their own employees. Even when the organization has signed off on risk assessments and known vulnerabilities, approving and directing the risk decision, it is starting to hold security leaders personally to account for what they said or for questionable moves after the fact. Where does the buck stop in terms of cybersecurity decision-making?
Who owns the risk?
“We, as the CISOs, have been begging for a seat at the table,” Corll affirmed. “We finally get invited to the table, and then, all of a sudden, we’re being held accountable. So, are we business executives, security executives, or are we just technology executives? How much control does the CISO have to stop things? Can we really make those business decisions? Who owns the risk? That’s generally not going to be the CISO. Is there a risk officer? Does legal own it? This is a hotly debated topic.”
Is legislation the answer?
Moldenhauer shared that he’s been advocating for the equivalent of a Sarbanes-Oxley law for cybersecurity for a long time because it would force accountability. “If you look historically at every major data breach that’s been disclosed, by and large, there’s no long-term degradation of shareholder value,” he pointed out. “Sony, Target—they both recovered. All the companies with giant breaches have had a comeback. It’s like that’s all in the rearview mirror.” From that perspective, data security doesn’t seem to matter if your job is to grow shareholder value over the long term.
The problem with legislation is that many organizations decide to work around it as much as possible. On top of that, from a risk perspective, there’s an argument that the organization should simply budget for the fine and focus on execution, revenue, branding, or gaining market share.
What is the actual damage?
“What is the actual damage?” Lueck wondered. “The actual damage isn’t the incident. It is the fact that criminal activities have become, and continue to be, incredibly profitable, and this makes the world worse off for the rest of us—just like polluting the rivers, just like dumping plastic in the seas. We need to collectively improve our game to collectively make the world a better place.”
In arguing for legislation, he said, “We have to ensure that the liability resides with those who are actually responsible for making the mistakes rather than those who are just holding the reins when it goes wrong. What did it require to get the change that we see now in corporate responsibility around environmental impact? It took a societal change, but it also took some brave government decisions. There were decisions that did not really have a societal impact for 30 years. But maybe we should be thinking about making those small changes now.”
The debate surrounding cybercrime will no doubt continue in 2023. As security leaders, it behooves us all to consider these issues and where we stand on them going into the new year.