The US Department of Justice will treat ransomware as terrorism, we’re told. It’s impressive that they take the threat so seriously, but somehow ransomware doesn’t feel like “real” terrorism –with people killed and maimed, sirens wailing, and families cowering in fear.
So is ransomware terrorism? And what do we gain and lose by applying that label?
Terrorism means using violence to spread fear and intimidate society for political, religious or ideological goals. That’s generally not what ransomware is about, although sometimes it comes close.
The Colonial Pipeline ransomware attack spread fear, inducing panic when gasoline stations dried up. It’s a stretch to say the incident was violent, though. On its face, it doesn’t seem to have political, religious or ideological goals either. However, to the extent the Kremlin or other state actors are directly involved –or look the other way to advance their own goals– things get a little murkier.
Meanwhile, most ransomware is ‘just’ a financial crime. If Bob’s Bakery or a bank is held for ransom, it’s tough for them but it isn’t terrorism.
Ransomware dominates the headlines now, but other kinds of cyber and cyber/physical attacks are actually better suited for terrorism. Attacks that take control of systems to cause floods, oil spills, explosions, etc. come to mind. Cyber tools can also be used for government and corporate espionage, although we generally don’t label these activities as terrorism either. But definitions of terrorism –and warfare are being reconsidered by NATO and others as the world’s assets become more digital and interconnected.
Notably, the US DOJ directive itself does not say that ransomware is terrorism, but rather that the government plans to fight ransomware gangs with some of the same proven strategies used against terrorist organizations. That makes a lot more sense.
Some of the most promising approaches are:
- Centralized information gathering to gain a clear picture of the threat landscape
- Data analysis to connect the dots and assess future challenges
- A coordinated response across local, state and federal agencies
- Providing support for businesses and organizations of all sizes –so they aren’t left to fight on their own
If you see something say something
That phrase is overdone when it comes to terrorism. After all, the 9/11 attackers hijacked commercial airliners and flew them into buildings. What exactly is the average individual supposed to be looking for to stop that?
When it comes to cyber attacks, however, there is more that the typical person can do. It’s a fact of life that adversaries are always probing our systems, seeking out vulnerabilities, valuable data and access points in corporate and government ecosystems. Computers and networks are attacked constantly –and you can assume yours is included.
There are three key roles that everyday individuals can play:
- Follow best practices to avoid increasing your organization’s “attack surface.” Our 10 Working From Home security tips are a good place to start
- Remove sensitive data from your computer, especially corporate secrets and personally identifiable information (PII) that could be useful to hackers and violate privacy rules, such as the European GDPR
- When you find a suspicious email or accidentally click on a link that turns out to be fraudulent, report it to your local security contact
Fundamental Cyber’s Funda tool enables non-technical end users to quickly scan their computers for PII and to report concerns within their organization. Often there is sensitive information in old or neglected files, not just the most current documents. Visit fundamentalcyber.com to learn more.
What have we got to lose?
Comparing ransomware to terrorism helps elevate awareness and rally resources. But there are downsides, too. It could make people even more reluctant to report breaches than they already are, for fear of being labeled a terrorism victim or for allowing an attack to succeed. It’s also kind of confusing to organize a program against a tactic. The War on Terror term was confusing because we weren’t fighting terrorist acts themselves but rather an ideology that gained recruits when US counter-strikes led to civilian casualties. Cyber attacks are in some ways more straightforward to counter because they are generally not ideological. Striking back at a ransomware gang doesn’t make their cause more attractive.
It may seem that ransomware is an incurable scourge. Yet, there are ways to beat it. The US Department of Justice has taken an important step. Now individuals and organizations of all sizes need to play their part.
Did you find this post useful? Is there more you’d like to know? Drop us a line at firstname.lastname@example.org