The threat of ransomware is that it makes life unpredictable
The biggest threat of cyberattacks: breaking public trust.
I’m a researcher at the UC Berkeley Center for Long-Term Cybersecurity where I direct the Daylight Lab. This is a newsletter about cybersecurity and politics. If you’d like to sign up to receive issues over email, you can do so here.
Last week, I was interviewed a few times about the Colonial pipeline ransomware attack. Why was this the attack that captured widespread attention? Compared to SolarWinds? Compared to Microsoft Exchange, in which Chinese intelligence could well have exfiltrated emails from every government agency and private-sector company in the US? I'm not sure—something about the US and its oil, perhaps.
Or, perhaps it’s because Americans felt this attack when they went to the gas pumps. It frightened them.
Disrupting life’s predictability
Ransomware attacks don’t just disrupt pipelines, hospitals, or water plants; they disrupt trust in the predictability of everyday life. Remember: this pipeline ransomware did not directly cause the gas shortage: the ransomware freaked people out, making them panic-buy oil. The panic caused the shortage, not the hack.
Now imagine that panic revolves around water rather than oil. Imagine the electricity’s out. Imagine credit cards aren’t working. Imagine going to nytimes.com and not seeing the New York Times.
The real threat of ransomware—of cyberattacks generally—is that they induce panic, breaking trust in public life. High-profile ransomware attacks shake our already-uneasy society’s confidence in the reliability of our everyday world. Will we be able to buy gas? Is our water safe to drink? These questions are conceptually similar to the now-everyday question: is this news real?
These questions invoke paranoia and distrust; they fuel preppers’ basement shelters. This paranoia—an already-lurking force in a post-Trump, mid-COVID United States—is a threat to the country’s basic fabric. Cybersecurity is a matter of maintaining—perhaps even repairing—public trust (with)in a society. That’s the imperative.1
The panic we saw at gas pumps was not wholly irrational. If a profit-motivated business can take down an oil pipeline, I shudder to think what havoc a coordinated state attack could wreak. Our systems—technical, social, political—are unprepared. This attack was oil, but the next one could very well be water, and the United States is not prepared for that level of chaos.
As I told KCBS last week, the number of successful ransomware attacks in the United States could be zero. How does the US get there?
Provide public resources to prepare organizations. With regular, air-gapped backups and other practices, ransomware is easy to recover from. We need good public infrastructure to help businesses, government agencies, and civil society organizations prepare. Something like a NIST training course could go a long way. It could even help repair trust among a public that primarily associates the US government’s cyber capacity with domestic spying.
Mandate disclosure through supply chains. If a vulnerability has hit you, you should be required to disclose that vulnerability to your customers and users. Withholding threat information should be a crime.
Push on diplomatic channels. Ransomware crews feel safe in jurisdictions like Russia. They operate with impunity. The US could use its available diplomatic leverage to make ransomware crews feel less untouchable.2
A wish for security research
Cybersecurity isn’t just a business or government concern. Cybersecurity is about protecting civic life—“security” in the sense of confidence, order, certainty.
Security in that sense has always broken down along racial, class, and gender lines. That’s the case for cybersecurity, too. The US’s vulnerability to cyberattacks is colossal, and the impacts of those attacks are likely to break down differentially along the usual historical lines of race, class, and gender. Who gets hit the hardest by rising gas prices? Who is already water- or food-insecure? Which business owners can afford ransomware protection—and which can’t? As COVID-19 hit communities of color the hardest, so too shall cyberattacks.
Who protects whom from what? The core truth of cybersecurity is that this question is and always has been political. Our job is to meet the question headfirst and to remain reflexive as we answer it. The government’s job should be to maximize benefit with an eye toward the margins. On cybersecurity, there’s an opportunity for research and government to have a fruitful collaboration. That collaboration will require us—as researchers—to place the differential impacts of security at the center of our work. And it will require policymakers to listen.
Mutual trust is critical to a high-functioning civil society, as illustrated by Robert Putnam’s comparative study of modern Italy, Making Democracy Work (1993).
Ransomware is typically paid in Bitcoin. By default, cryptocurrency transactions do not provide meaningful anonymity. To make their transactions more anonymous, criminals often use “tumblers” or “mixers”—services that (if built correctly) provide guarantees around transaction privacy. Or, as governments would call it, “launder money.” Lately, the EU and US have become more aggressive in leveraging their jurisdiction to shut down these mixers. The fewer mixers there are, the harder it becomes to send bitcoin that isn’t “marked” via its involvement in a ransomware attack. (The details of how mixers provide privacy guarantees deserve their own footnote).