Infonomics is defined by my colleague Doug Laney as “the discipline of managing and accounting for information with the same or similar rigor and formality as other traditional assets”. In his book “Infonomics”, Doug discusses the various ways in which data can add value to an organisation. Indeed, last year Doug wrote about how data can be worth more than the organisation that is processing it. Of course, that valuation isn’t always financial. In public sector or government service contexts the valuation is often best measured through the ability to efficiently and effectively deliver services. This aspect of the value of data has been highlighted by recent ransomware incidents which have disrupted fuel supplies in the United States, impacted an airline, and crippled the healthcare system of the Republic of Ireland.
The Infonomics of Ransomware
Ransomware actually exemplifies the economic value of information to organisations, particularly where there is also exfiltration of data. First you are asked to pay to be let back into your systems. Then you are asked to pay to prevent the information being disclosed or sold on to the highest bidder. The criminal’s business model is that organisations will pay a price to minimise disruption and downtime, and they will pay a price to prevent their data asset being exposed.
The former plays on the fact that organisations have often under-invested in the care and feeding of their information assets. The latter plays on the fact that the value of data to an organisation is driven either by its exclusivity of control over that asset or by the potential brand damage or regulatory penalties that can arise following a dump of data on the dark underbelly of the internet. Both rely on an organisation suddenly realising that “that data thing” is actually what runs their operations these days and, without it, they are toast.
Ransomware attacks have grown in frequency and impact in the past few years, with attacks growing by over 300% in the past year. This has, inevitably, led to calls for governments to do something to help combat ransomware. The attack on the Irish Health Service Executive and the Department of Health prompted the Irish Government to reiterate a strict policy of not paying ransom. We are also seeing the payment of ransom being made illegal in certain jurisdictions, either through explicit legislation or through the application of existing laws relating to the financing of criminal or terrorist activity. We have also seen insurance companies begin to stop offering cover for ransom payouts.
However, this won’t prevent ransomware attacks. It will:
- Discourage organisations from reporting ransomware incidents if they risk being doubly penalised for paying a ransom.
- Encourage ransomware gangs to find alternative markets for their “product” and sell the access to nation-state actors (lower risk, better return on investment).
- Result in businesses, schools, and governments shutting down (much like the Irish health care system is at the moment).
Ransomware and the Special Properties of Data
In his book Data Driven, Dr Tom Redman identified a number of “special properties” of data. Among these is the fact that data are not consumed with use. This is largely a function of the intangible nature of data. This intangibility of data is a key differentiator between a data ransomware attack and a ransom paid for the return of a physical asset. To put it bluntly: if you pay a ransom to get a kidnapped puppy back, when the puppy is returned to you the puppy is no longer under the control of the kidnappers. But when you pay a ransom for data, you do not have that same guarantee. Your ransom may restore access to your systems, but you are ultimately relying on the honour among thieves that there are no copies floating around the ether of the dark-web after your payment has cleared.
So, the payment of a ransom has zero guarantee of fully recovering your data. And it funds criminal activity. And you might get your data back. But the bad guys may have sold copies of it and you will never know. You are relying on the honour of the Pirate Court.
An appropriate policy response?
So, what is a government to do when formulating a policy framework that discourages the paying of ransoms and disrupts the ransomware market? This is a classic example of a “wicked problem”, as it is a problem whose social complexity means that it has no determinable stopping point. So, a multi-pronged approach is required. The key thing is to define what those prongs need to be and what the appropriate policy, regulatory, and enforcement strategies might be to help us achieve them.
The goals are simple. Government policies must focus on disrupting the ransomware market in a way that removes the value for the criminals in the market. This needs to be done in a way that supports organisations of all sizes, as well as helping individuals protect themselves from harm. A key lesson from the failed “war on drugs” or the United States’ Prohibition in the early part of the 20th Century is that this needs to be a broad-based and systemic effort to remove the social and commercial drivers for ransomware attacks and ransom payouts. Rather than victim-blaming by punishing the payment of ransoms, policy interventions must be directed towards improving the People, Processes, and Technology defences to make it harder for the criminals to succeed and reducing the likelihood of ransoms having to be paid out.
The goal is simple: increase the competence and capability of organisations and individuals to protect their data so that the impact of a ransomware attack is minimised and the economic necessity to pay a ransom to prevent the failure of the business is removed, or at least significantly reduced.
This policy intervention needs to go beyond merely legislating for organisations to ensure appropriate organisational and technical controls to protect data. That ship has sailed. The requirement existed in Ireland in the 1988 Data Protection Act, the 1995 Data Protection Directive, and was reinforced FIVE YEARS AGO with GDPR. And that is before we get to discussion of the gamut of other security rules and regulations that exist in legislation or industry standards.
The policy framework that is needed must address prevention and appropriate response:
Build Data Literacy for both businesses and individuals
- This is NOT “digital literacy”. The latter is obsessed with the implementation of shiny tools and technology. Data Literacy is more fundamental. It is about developing the “Three R’s” for data with an appropriate level of skill and understanding for people in the context of their daily lives and their job roles. This will support better identification and assessment of data-related risks. It will also allow organisations to better unlock the value in their data by understanding data quality and data governance issues that may be holding them back!
- Raising awareness of the role and importance of data in day-to-day processes, and of the simple steps people can take to protect and preserve their data from malicious attackers, is essential, in the same way as we have information available about the best way to secure a home against burglars.
Financial Supports for Organisations to invest in data management and security
- The Irish Government provides a €5000 grant for small businesses to start trading online. A similar initiative to support investment in securing businesses from online threats should be considered. This initiative should include both technology spend and skills development for staff to enable them to operate data-driven businesses safely and securely. This should be a targeted initiative to help small businesses protect themselves. It is essential because when the larger organisations pull up their drawbridges and harden their security it will be the smaller firms who will be targeted by criminals trying to make their next sale.
- Organisations should be encouraged to invest in security, to implement appropriate backup strategies, and to introduce controls and safeguards against malware getting into their networks. Current legislation creates a stick; we need to introduce a degree of carrot to the mix.
- Additional incentives could be provided through discounts on cyber security risk insurance for meeting defined benchmark standards (as an aside, most cyber risk insurance is not worth the paper it is written on today in my view). Insurers do similar things for drivers who install dashcams or learner drivers who let their driving be monitored. Similar incentives should be considered for investment in appropriate defences.
- Include basic training in data protection and information security in ALL business start-up courses offered by Enterprise Ireland (in over a decade I have only seen a handful of LEOs or business incubator courses explicitly tender for or offer data protection or information security training).
- Consider how tax incentives for investment in information security and data protection tools, training, and support might be used to increase the depth of defences that even the smallest organisations would be able to afford to implement.
Invest in prevention, detection, and investigation resources for law enforcement
The third prong is law enforcement. As this is something that is happening already, what is needed here is a significant investment in defensive capabilities at a State level and also in investigation and detection resources. This is something that is ongoing in the Gardaí and in the DPC, but unless we address the other strands of a coherent policy framework, any investment here in relation to ransomware will leave us always playing catch-up against an evolving enemy.
Create clear political (and civil service) policy leadership and ownership
- The Irish Government is rapidly trying to fill in the gaps in its policy and policy ownership for information security and data protection having been hit hard.
- Any policy framework needs clear ownership and needs a defined political and administrative leadership. The Ministry for Data Protection needs to be rebooted, its scope expanded to include information security policy, including the co-ordination of the national security and defence aspects of that policy. It is not a Communications issue. It’s a cross-departmental issue and needs a clear focal point to push reform and change through at all levels.
A role model to consider
Taiwan has had its (un)fair share of ransomware attacks in recent years. It has placed information security at the heart of its commercial and government policy initiatives. It has even proposed the formation of a “Ministry for Data” that will include an explicit mandate for information security at a government policy level. This is a multi-strand approach involving commercial sector and civic society organisations aimed at reducing the chances of a successful attack crippling the technology industries that call Taiwan home.
Ireland, on the other hand, has left key policy positions unfilled and, while we had a Minister for Data Protection in a previous government, that role has been quietly pushed to one side in recent years.
We are faced with a “Wicked Problem”. A coherent multi-strand policy approach is required because no one approach will solve the problem. Even if every strand is successful, we will still experience ransomware attacks and the bad guys will still succeed from time to time. However, with appropriate investment and initiatives that improve the understanding of the meaning, purpose, and value of data in society and which encourage investment by organisations of all sizes in multi-layered approaches to protecting their data assets, hopefully we will be able to disrupt the economic model of the criminal gangs.
The tech sector jargon talks of “disrupting the market”. That is what we need to do now in response to this attack on our weakest and most vulnerable.