“Garry on Lockdown” Episode 8 | Avast

It’s often bad news when an obscure tech term becomes mainstream. Think about “spam,” the plague of unsolicited mass email that threatened to “destroy the internet” twenty years ago. Or even the whole field of cybersecurity, a good example of a massive industry that barely existed when most of today’s workforce was born. Avast was founded in Prague in 1988 after analyzing a virus on a floppy disk, in case you don’t feel old already!

The latest term threatening to become the ominous word of the year is “ransomware,” which, like spam and viruses before it, is only new in the mainstream headlines. Experts in fields like cryptography, security, and even corporate insurance have been monitoring and dealing with it for many years. Like more widely known malicious hacking endeavors like stealing credit card information, ransomware attacks flew under the radar because they were quickly incorporated into the targets’ business models. You get attacked, you pay, and you try to move on quietly so the scandal doesn’t hurt your brand image. After all, resetting passwords and refunding stolen money to customers (money sometimes coming back to you from insurance), is cheaper than customers realizing that your company is incompetent and unsafe.

Paying the costs of being attacked was also seen as cheaper than hiring cybersecurity experts and implementing the reforms and maintenance that good security requires. Managing public relations after even the most massive hacks became nearly routine, and it becoming so common also helped the companies. “It happens to everybody” would not be an acceptable response to an armed bank robbery, or, for a more accurate comparison, to a crime spree hitting millions of shops and banks at once.

Negotiating with cybercriminals triggers more attacks

Decades of this shoulder-shrugging may be slowly coming to an end today, as the real-world impacts are becoming more severe and the ransoms are getting higher. The criminals risk putting themselves out of business by demanding so much that the headlines can’t be ignored. Under national scrutiny, the corporate tendency to pay off the crooks looks bad, especially since this money funds more and bigger attacks. There’s a reason you aren’t supposed to negotiate with terrorists and kidnappers — it encourages more terrorists and kidnappers.

The other element coming to the surface is geopolitical, forcing politicians to respond all the way up to the US president. It’s been hard to generate consumer outrage against unseen hackers. But when they cause gas shortages and threaten hospitals and the food supply — during a pandemic, no less — that changes quickly. And when there’s a face, or in this case, a flag, attached to the attacks, the framing shifts.

Far too late, if better late than never, the US admitted that Russian hacking isn’t just going after political or intellectual property targets. Ransomware isn’t just about the money when it can disrupt vital infrastructure. We have to be careful about using the phrase “act of war,” and the consequences it can trigger, but it’s clearly well past time to start taking cyberwarfare much more seriously — at the national, corporate, and individual levels.

My own views are clear, if admittedly a little simplistic without deeper explanation. As with other types of hybrid warfare, when it comes to cybercrimes that are easily denied and often “extra-governmental,” deterrence is the only real solution. Trying to arrest every hacker and bring them to trial is a nearly impossible task, especially when they are protected by their governments, or directly supported by them. 

While law enforcement shouldn’t be abandoned, regimes that host and protect hackers should be treated like they are hosting any other kind of terrorist. Shutting down a fuel pipeline by hacking can be just as dangerous for national security as blowing one up. Waiting for a truly catastrophic event before responding strongly is foolish. Make the consequences clear, early and often. The “REvil” group, based in Russia according to experts, has gone dark in recent days, possibly to rebrand and wait for our guard to drop like it did every other time.

---

Further reading:
The US government’s move is changing the ransomware landscape

---

Cyberweapons arms race

For all of these reasons, I was delighted when New York Times cybersecurity reporter Nicole Perlroth agreed to come on the latest episode of Garry on Lockdown. Along with dozens of recent stories from the front lines of hacking attacks around the world, Perlroth released a book this year on the subject, “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.”

So my expectations were high for our conversation, and I had many questions about the nature of the threats we’re facing and what we can do about them, especially when it comes to the public/private divide that is so effectively exploited by hostile nation-state actors. When is it appropriate for the government to step in and what levers, what regulations, can they apply to improve security without inflicting high costs on the private sector? Is “hacking back” unethical?

I must say that all my expectations were blown away by Ms. Perlroth’s direct and informed responses and lively explanations. Not every expert can communicate well and not every good communicator has the depth of knowledge and willingness to state things bluntly instead of choosing more delicate phrasing. Indeed, such candor is an accusation I’ve always been happy to confess to myself!

We covered a wide range of topics from tech and geopolitics in our half-hour of Lockdown, and if it hadn’t been well past midnight where I was in Zagreb, we might have gone on for another hour. The origins of the Western, especially American, difficulties in the cyberwarfare sphere despite its many technological and expertise advantages is a tragic tale, and one that must be understood if we’re to do anything about it.

I have no doubt that you’ll want to pick up Perlroth’s excellent book after you watch this episode, and, unfortunately, I’m sure this theme is one we’ll be continuing to look at in these pages as well.