Ransomware: you should NOT pay ransoms… so insure them? What cybersecurity experts say


Alexander Boero

October 19, 2022 at 6:18 p.m.


Cybersecurity professionals are opposed to the Senate’s position on the cyber ransom issue. For them, making it easier to reimburse a ransom demanded from, and then paid by, an insured company is frankly not a good idea.

It is one of the most divisive measures (controversial for some, incomprehensible for others) of the Ministry of the Interior’s orientation and programming bill (LOPMI). Article 4 of the bill was indeed adopted by the senators. It opens up the possibility for companies that are insured against cyber risk, and that have filed a pre-complaint within 24 hours of the attack without having paid the ransom, to be reimbursed for a potential payment. In the wake of our last dossier on hospitals, several cyber experts, whom we were able to meet at the Assises de la sécurité in Monaco, reacted to this text. And they are unanimous: the measure, if it is adopted at the end of the parliamentary back-and-forth, will end up financing cybercrime.

Do not pay the ransom: a golden rule that seems to escape the legislator

“I think it’s a big mistake, and it amounts to painting a target on the backs of French companies”, says a surprised Christophe Auberger, cyber-evangelist at Fortinet. Nicolas Groh, Technical Director (CTO) Europe for Rubrik, fears that this “gives hackers a leg up, while hospitals, administrations and others are already massively affected”. It is true that cyberattacks (ransomware, data theft or intrusion into IT services) have multiplied in recent years, as ANSSI boss Guillaume Poupard pointed out a few days ago on France Inter.

Unsurprisingly, we find the same reflection from David Grout, CTO Europe of Mandiant: “Unfortunately, paying a ransom fuels a system”.

And from one professional to another, opinions are often identical. For Ivan Kwiatkowski, researcher at Kaspersky’s GReAT, “the ransom, you should never pay it, because it will finance a ransomware group which will then be able to increase its capacity, buy vulnerabilities, and therefore improve”. Joël Mollo, vice-president of Cybereason, also fears that “companies will be more lax in their cyber equipment and solutions, telling themselves that if they are attacked tomorrow, they can be reimbursed”.

Initially, the bill provided for compensation to be available in the event of a complaint filed within 48 hours of the payment of the ransom. An amendment, approved by the senators, watered things down slightly. The complaint deadline was reduced to 24 hours, and this time counted not from the payment of the ransom but from the identification of the attack. In addition, the ransom must not have been paid to the hacker. Financial negotiations would then presumably open between the different parties: hackers, targeted companies, insurers and authorities. However, the problem remains the same.

The mistake would be to make the ransomware model even more durable: and we could be heading straight there

The legislator therefore wants to push companies that are victims of ransomware to file a complaint. Basically, the intention seems laudable to us. “But we must not forget that more than one in two companies that have been attacked do not declare that they have suffered a cyberattack, for fear that their public image will take a hit”, recalls Joël Mollo, supplemented by another statistic that Christophe Auberger shares with us: “25% of companies pay the ransom”. This therefore means that one out of two companies having declared an attack proceeds to pay all or part of the ransom.

If nothing changes, insurers should soon not be short of work:

“Generalizing the concept by saying that we will reimburse the ransoms: yes, I understand the insurer’s point of view, because it costs less, it’s really mercantile. But from a business perspective, that’s not good. By paying the ransom, we do not necessarily have the assurance of recovering everything, even if the cyberattackers are obliged to return the data, because otherwise their business model would not hold.”


Cyber professionals, on the other hand, are more divided on where the line should be drawn. “The reality is that we are also talking about business and about companies that can go out of business. Each case must be studied individually, to make the right decision”, says David Grout. “We must not fall into an American-style system where one must not deal with cyber-terrorists. We must proceed in close cooperation, by partnering with the right authorities, such as ANSSI or Cybermalveillance.gouv.fr”, continues Christophe Auberger. It is perhaps on this sacred union around the victim company that the senators are betting. But is it reasonable and workable?

On this question, Ivan Kwiatkowski is categorical. “We must not go down that road. When I speak to people from various departments, I am told that if a company is prohibited from paying the ransom, it sinks and can destroy jobs. I also hear the other positions, which say that there is an industrial fabric to safeguard and protect. But my opinion is that you shouldn’t reimburse, because that will inevitably create incentives”. The researcher compares this to the economic concept of the tragedy of the commons, “i.e. the maximization of an individual behavior, which is to pay and recover one’s data, which then leads to a decrease in the overall utility for the system”.

Thinking about safety before suffering an attack

We know that paying the ransom would amount to financing cybercrime and would not help solve the problems. “When you are faced with a production tool that is down and you need to restore service, you may have to think about it”, then explains Xavier Duros. For Check Point Software’s cybersecurity expert: “What is needed is to raise awareness by encouraging the implementation of procedures so as to be able to react as well as possible in the event of an outage. It is better to invest as early as possible to avoid being penalized on your production tool.”

Kaspersky researcher Ivan Kwiatkowski concurs, adding that “many incidents could have been avoided if there had been this attention to cyber upstream”. Paying a ransom “does not guarantee that there will be no more problems in the future, or that the hackers didn’t leave a backdoor before coming back later, saying they found a new loophole”.

“Many companies, which had nevertheless paid the ransom, were hacked again a few months or a few years later”, adds Nicolas Groh. The case of the hotel giant Marriott, victim of several data thefts in recent years, is a good example. “I don’t think systematically insuring ransomware victims is a good idea”, concludes the cyber specialist.

This thematic dossier on cybersecurity is the second in a series that you will be able to discover over the next few days on Clubic, following our visit to the Assises de la sécurité which was held from 12 to 14 October in Monaco. Thank you to all the specialists who agreed to answer our questions, and see you for the last two episodes, where we will talk about geopolitics, data restoration/recovery and cyber insurance.
