Could Lessons From Plane Hijackings Help Fight Ransomware?
Atlantic Council: Extortion Is an Old Crime; We Have Existing Strategies
Ransomware is the result of a criminal blending of technology's wonders: networking and encryption. It's a modern-day implementation of extortion, a crime as old as time. The Atlantic Council contends in a report that lessons from fighting past extortion schemes, such as plane hijackings, could help fight ransomware.
Between the late 1960s and early 1970s, aircraft hijackings surged. It took years of collective work by government policymakers, airlines and victims to foil and deter attacks. Lessons from that era could be applied to ransomware, says Emma Schroeder, assistant director with the Atlantic Council's Cyber Statecraft Initiative in the Scowcroft Center for Strategy and Security.
"It's part of a larger effort that we're trying to do - kind of the unconventional cyber approaches, taking lessons from different periods of history in different areas," she says.
Plane hijackings and ransomware attacks have broad-stroke similarities. For example, the opportunity cost for the attacker is low - a single weapon may be enough to commandeer a plane and a single email with malware may open a door to a network. Also, attackers need to be successful just one time, while defenders have to always be on guard.
Plane hijackings were reduced by a combination of active and passive measures. Passive measures to fight ransomware, the council notes in its report, can include helping organizations improve their overall security, including direct advisory support and financial resources. Also, technology vendors should be pushed to develop more defensible software that also has better security.
Although it seems unfathomable today, airports in the late 1960s didn't have metal detectors, the installation of which was a passive measure to catch weapons that may be taken on board.
Passive measures result in "making it costlier for a potential attacker to target you," Schroeder says. "You want to make it as difficult as possible for them."
Active measures are another set of options. In the early 1970s, the U.S. resorted to military action as well as force projection measures to dissuade hijackings and groups. Some discussion has been floated over whether signals intelligence agencies should undertake offensive actions to disrupt ransomware groups.
Cybercriminals sometimes have terrible operational security. OpSec mistakes could help with an active measure: identifying the details of those running ransomware gangs and their affiliates - spinoff groups that use the core gang's ransomware tools and support. The U.S. has pursued a "name and shame and indict" campaign against cyber intelligence agents in China and Russia. The indictments often provide insights into the deep forensics and investigative capabilities of the U.S. government.
That work can also enable new levers outside the cyber domain, says Trey Herr, director of the Cyber Statecraft Initiative. Sanctions and travel bans, for example, make the spoils of ransomware more difficult to enjoy.
"Realistically, these folks [ransomware operators] have to travel; they want to make use of their money," Herr says. "They want to live well. And there are a lot of ways to put pressure on ... that have nothing to do with coming back over the top in any electronic domain."
Pressuring countries harboring ransomware actors is another step, although that's a barbed path, particularly with Russia. "Vladimir Putin appears to view criminal groups based in Russia as an extension of his strength in cyberspace, and the Kremlin appears to tolerate their activities so long as they are directed externally," the Council's report says.
The U.S. has made fighting ransomware a priority, elevating ransomware incidents to the same level as terrorism and offering rewards of up to $10 million to identify perpetrators. After the Colonial Pipeline ransomware incident on May 7, President Joe Biden directly brought up ransomware concerns about a month later with Putin (see: Biden Promises Retaliation Unless Putin Stops Cyberattacks).
The U.S. is also working to help organizations improve their security. In July, it launched Stopransomware.gov, a website that consolidates resources and guidance from federal agencies with an aim to uplift security. Still, it's going to be a long haul.
"We're not even at deterrence," Schroeder says. "All these people are incentivized currently to engage in these activities. It's really profitable."