Anything goes in a war. According to technology and security experts, the ongoing battles with cybercriminals are escalating exponentially and are rapidly turning into “no holds barred” situations. According to Cybersecurity Ventures, the cost of ransomware incidents worldwide is expected to top $265 billion by 2031. To business owners −whether tech-savvy or naïve – those rapidly growing threats should be frightening.
Ransomware attacks showing no signs of slowing down, and cybercriminals are now targeting utilities and other vulnerable industries, jeopardizing critical supply chains and emergency services in many communities. IT channel companies are also getting hammered. Earlier this month, the REvil gang launched an attack on Kaseya perfectly timed to hit the company, its MSP partners, and their collective clients just as everyone was checking out for the long holiday weekend.
This news comes on the heels of the 2020 SolarWinds incident. While it may not have been the first cybercrime perpetrated on a key channel vendor, that attack elevated the awareness level across the supply chain. MSPs got a big wake-up call during the global pandemic.
Of course, those vulnerabilities are not exclusive to the channel. Scores of companies, municipalities, and non-profits with no affiliation to the channel are vulnerable to ransomware attacks, and those incidents have become regular features in the news. The reality of the situation is that the threats seem to be coming from everywhere and show no signs of diminishing anytime soon.
Will Regulation Help?
People in Washington and a number of state capitals around the U.S. are certainly paying attention, as are influential groups and individuals in other developed countries. The most recent actions, including the Colonial Pipeline and IT industry supply chain attacks, have a slew of governmental agencies and politicians investigating and proposing legislation to slow cybercriminals.
One option gaining a lot of attention involves criminalizing ransom payments. While the White House-supported Ransomware Task Force (RTF) did not advocate a regulation, the group reportedly floated the idea with several influential business communities. Insiders indicate that support for that proposal was split, and the suggested legislation was not included in the final report submitted to the Biden administration.
The New York Senate is forging ahead full steam by advancing a bill that restricts the use of taxpayer money for ransoms and bars private sector businesses from that practice. North Carolina, Pennsylvania, and Texas are all looking at legislation that would forbid state and local governments from making these types of payments.
Some companies may already be breaking at least one law when they bow to cybercriminals’ demands. In early 2020, the U.S. Treasury Department underscored that any business sending cryptocurrency to previously sanctioned groups or organizations would “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Reporting those activities can lessen the sting, but the agency has the ability to impose significant fines on businesses that violate the rules.
The Channel Impact
If government entities (Federal, state or local) outlaw ransom payments, how will that affect MSPs, vendors and other industry professionals? Like the war on drugs, these rules penalize and tie victims' hands, not the offenders, which means the strategy for avoiding attacks has to change. There is no fallback option if an employee clicks the wrong link and ends up encrypting most if not every system inside their business.
Could these laws help or hurt MSPs?
On the positive side, providers can easily overcome the “we’ll just pay if ever affected” objection. Removing that option should increase the discussions around cybersecurity with clients and prospects and move the needle forward on new solutions and services. Without paying the ransom as a contingency plan, most business owners should be more receptive to implementing proactive measures, developing long-term and robust cybersecurity plans, and researching alternate remediation options.
On the negative side, people are still a major part of the equation. Eliminating human error in businesses is impossible. When a client inevitably suffers an attack without a solution like CryptoStopper in place to limit the damage, who will they blame? In many cases, MSPs will end up being the scapegoat for the failure, not the employee.
Setting proper expectations and objectives can alleviate those concerns. With a solid plan and effective cybersecurity measures in place, MSPs could benefit from any proposed regulations.
For now, ransomware payment laws are just a philosophical discussion. There are no right answers. However, MSPs should be prepared for those conversations if any of the proposed regulations go into effect.