The latest cyberattack, apparently emanating from Russia again, has hit at least 20 software firms affecting at least 1,000 businesses. It follows a cyberattack that left parts of the U.S. without adequate gasoline supplies for several days, and one on the Irish public health system. There are undoubtedly many more attacks that go unreported, if only because the victims do not wish to advertise their willingness to pay ransom.
And so the obvious question arises: How is all this supposed to stop? For an answer, it's useful to apply some game theory.
The scalability of the internet can be a major virtue. But it also makes it easier for vices to proliferate. There are now the equivalent of venture capital markets to help fund ransomware attacks.
Consider street crime, for example. There is a natural limit to it if only because most people have better options than to pursue such a life, and many who do so are simply not good at it and get caught. What's more, street crime is constrained by the need for physical presence; you can only commit so many carjackings in a month.
In the cyber realm, these constraints do not apply. In low-wage, low-trust countries, such as Russia, you can just hire more hackers to pull off more attacks. Even if the perpetrators can be identified, Russia doesn't seem so eager to help U.S. law enforcement. Other havens for cybercriminals could emerge.
More aggressive regulation of cryptocurrency markets could make ransom payment more difficult, but the hackers could always resort to anonymized cryptocurrencies.
Some have proposed that paying ransoms should be made illegal. That might be hard to enforce, and is it really wise to penalize businesses that seek to restore services to their customers? Criminalization might also incentivize hackers to create ever more destructive attacks in an effort to get the ransom spigot turned back on. At least under the status quo, hackers have some incentive to seek out relatively quiet attacks that will yield a ransom but not wreak too much havoc or attract too much attention.
What about military drone attacks on ransomware terrorists? It might be an option if they are in a relatively weak country, but that is hardly likely with Russia.
Ultimately, the primary long-run solution is for businesses to pay for more secure systems. This could mean much less reliance on passwords (iris scans, anyone?), additional reliance on hardware, and greater use of multi-factor authorization. Health care providers and insurers may have to become a bit more like the CIA.
None of this will stop ransomware attacks. But it will likely cause them to decline.
How exactly all this will unfold is clear, though unpleasant to contemplate. Many businesses and institutions still don't view a ransomware attack as a major threat, and they won't invest much more in security until they do. As more security-conscious institutions fortify their protections, hackers will switch to the less aware and less secure targets. Most countries have millions of soft targets, and this crime will continue until most of them have improved their defenses. That could take decades.
It gets worse: In economic terms, the private value of internet security is often less than the public value. A ransomware attack that results in only a slight decrease in profits for a business could translate into a major social inconvenience.
One consolation is that hackers will almost certainly "overfish" the pool of victims. At some point there will be so many attacks that most institutions will have no choice but to respond with significant defensive measures. The hackers themselves will accelerate this process, because each will try to maximize their profits before the game is over. Curiously, this means that a successful attempt to "slow down" the hackers could just delay the necessary adjustments that businesses need to make, leaving everyone worse off.
Game theory doesn't help very much in predicting how long this cat-and-mouse game will go on. But it's safe to say that it will be here for a long time to come.
Bloomberg