‘I don’t see it happening’: CISA chief dismisses ban on ransomware payments
OXFORD, United Kingdom — Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, on Thursday poured cold water on suggestions the United States might bring in a ban on ransomware payments.
“I think within our system in the U.S. — just from a practical perspective — I don’t see it happening,” said Easterly at the Oxford Cyber Forum, an event run by the University of Oxford’s Blavatnik School of Government and the European Cyber Conflict Research Initiative (ECCRI).
She was interviewed by Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre, who had earlier this year called for a ban on all ransomware payments in a comment article in The Times newspaper. He acknowledged on stage that the article had “divided opinions, to put it mildly.”
Asked how bad the problem was, Easterly said: “We have done enormous work with our partners to try and reduce ransomware attacks. It is not clear that we’ve been terribly effective at it, but I will say it’s very hard to know, frankly, because there is no baseline.
“It’s one of the reasons I’m excited about this law we have put in place called CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, so it will be mandatory for critical infrastructure owners and operators to report if they have a ransomware attack or a cybersecurity incident,” said Easterly.
The CISA director said the new rule would “for the first time” give the agency “a sense of the cyberattack ecosystem that we just don’t have,” compared to what were currently “very anecdotal” numbers about the threat ransomware posed.
There are already similar reporting rules for designated critical infrastructure organizations in the United Kingdom under the NIS Regulations, although the government has failed to introduce an update to these laws despite announcing two years ago that it would do so. The regulations, which implement the EU's NIS Directive and pre-date Brexit, are also in force across Europe.
A planned consultation in Britain proposing a major overhaul of how the country responds to ransomware attacks — including by banning all payments from the critical infrastructure sector, and requiring all victims to report incidents and to seek a license before making any extortion payments — was scuppered by the snap election.
Easterly also praised her staff's pre-ransomware notification initiative, in which the agency passes detections from threat researchers, for instance of precursor malware, on to the affected businesses. The program aims to help businesses stop ransomware attacks before they happen, something she said it had managed "probably hundreds of times."
A similar program in Britain draws on the intelligence agencies' access to information feeds unavailable to anyone else to detect the early stages of ransomware attacks and tip off the target. As Recorded Future News reported previously, in one three-month period this year they detected an attack every 72 hours on average.
“I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign,” said Easterly. “We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.