Homeland Security Secretary Backs Call for Mandatory Disclosure of Ransomware Payments


DHS Secretary Alejandro Mayorkas said the department will work with a task force developed by the private sector on ways to tamp down the increase in ransomware attacks. 

The Department of Homeland Security will work with a private-sector think tank to implement a report of recommendations for slowing the scourge of ransomware, including one that would require victims to report when they give in and make a payment, according to DHS Secretary Alejandro Mayorkas.

The report reflects the work of a ransomware task force convened by the Silicon Valley-based Institute for Security and Technology that included 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, academic institutions, cybersecurity insurers and international organizations, according to the document.

“The task force's report provides a vision for what we can do to better address this urgent problem,” Mayorkas said during an IST event Thursday. “DHS looks forward to working closely with the task force to turn its recommendations into action.”

The pandemic drove greater rates of hospitalization and remote working and learning. That only made things worse in a system that was already being commoditized for maximum efficiency.

“Carrying out a ransomware attack does not require technical sophistication,” the report explained. “‘Ransomware as a service’ is a business model that provides ransomware capabilities to would-be criminals who do not have the skills or resources to develop their own malware.” 

Last year saw an exponential increase in the number and size of ransomware payments entities—often schools, hospitals and other critical service providers and local governments—made to hackers who encrypt or threaten to publicly release their data unless they’re paid not to.

“Victims of ransomware face an impossible choice: pay a ransom and fuel a criminal market or refuse to pay and hope their computer systems are restored,” Mayorkas said. “Unfortunately, many choose to pay, despite not always having their data or systems returned to them.”

According to the report, the average ransomware payment increased from $41,198 in the third quarter of 2019 to $233,817 in the third quarter of 2020, with the cyber insurance firm Coalition noting a 260% increase in the frequency of ransomware attacks among its policyholders in the first half of 2020.

The report made a total of 48 recommendations in four goal categories: deterring ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupting the business model and reducing criminal profits; helping organizations prepare for ransomware attacks; and responding to ransomware attacks more effectively. 

A number of its priority recommendations are already underway, such as working with international partners to condemn activities that are sometimes associated with nation-states and establishing government task forces that operate across agencies and with the private sector. 

“We need to treat this at the same level of threat as nation-states and I'm glad to see that we're already beginning to do that,” Christopher Painter, formerly the top cybersecurity diplomat at the State Department and a member of the IST task force, said. “The statements that have come out of the five country-ministerial that Ali [Mayorkas] talked about, out of the G7 ministerial, we're getting that traction. It's not obviously just a U.S. issue.”

Coalition said ransomware attacks are the most common reported cyber insurance claim and one cyber criminal quoted in the report said firms carrying cyber insurance are “the tastiest morsels.” The report acknowledged the complicated incentives insurance coverage can create for victims of ransomware, but ultimately views the industry as having the potential to encourage proactive defenses.

“The best insurance, in any line of business … promotes, best practices, incentivizes the right types of preventative measures and risk management solutions that can bend the curve of whatever the problem is, whether it's building a house on a floodplain, or here, dealing with the ransomware epidemic,” said Michael Phillips, chief claims officer at Resilience Insurance and a member of the IST task force. 

Jen Ellis, another task force member and vice president of cybersecurity firm Rapid 7, stressed the importance of the recommendation to mandate the disclosure of payments so that law enforcement can have a better understanding of the threat and to discourage ransom payment. She said the information would be anonymized to prevent organizations from being “re-victimized.”