How to Stop Ransomware Attacks

A friend of mine, a Sergeant in the RCMP, once said, “Crime pays. And contrary to what most TV police dramas suggest, it pays quite well.” Why are school boards being attacked by cybercriminals who encrypt their data and demand money? It pays. And, based on the massive increase to cybersecurity insurance premiums for school boards this year, it seems to be paying quite well.

It seems unusual that in the millions of productive hours spent strategizing against ransomware attacks we’ve completely overlooked the two simplest and most effective means to dramatically reduce the probability of an attack.

First, stop paying the ransoms.

Stop funding criminal masterminds and eliminate any financial motivations for attacking a school board. How? By having each school board apply immense pressure on their respective provincial education authority to institute policy prohibiting any school board from paying out a ransomware attack. Being the lone ranger who refuses to pay out a ransom isn’t realistic – this needs to be a collective decision so no school board gets singled out publicly.

Will it hurt? As U.S. President Richard Nixon discovered in March of 1973, sometimes making the right choice for a society comes with significant individual sacrifice. When a Palestinian militant group took hostages in the Saudi embassy of Khartoum, three Americans were killed when Nixon responded at a press conference the previous day with, “There can be no negotiation with terrorists.” Initially, it may result in lost or leaked data as criminals test the newfound policy. But, holding fast will quickly make criminals realize that there are more lucrative paydays elsewhere.

What school boards are doing today is like making a public announcement that you’ll be delivering your million dollar payroll through the worst part of town in a decrepit pinto by your 83 year old Aunt Urma who loves the Beatles but hasn’t driven a day in her life. But, don’t worry, the payroll is insured, your Aunt Urma used to grow up in that same area of town, and the pinto has a mostly functional airbag. It’s not a matter of “if” she’s going to get robbed, but “when.”

Second, we need to reclassify ransomware attacks against critical infrastructure as a form of terrorism. The penalties against individuals (and nations) should be severe. This requires school board officials to advocate to their local Members of Parliament. Perhaps this is an area where Liberals, Conservatives, and the NDP could finally agree on something that benefits all Canadians and one of our most critical institutions: public education.

It seems an impossibility that school boards should ever have the capacity to create an impenetrable technological fortress immune to compromise when their adversaries are so well-organized, well-funded, and disciplined with such a singular, narrow focus. By comparison, school boards are in a totally different line of business: educating kids – not mounting a defense strategy against cyberwarfare!

Don’t get me wrong, school boards should take the security and protection of their data with very sober thought: employees should be using two-factor authentication, they should be trained to recognize common attack vectors, software should be kept up to date, email should use anti-phishing technology, and they should take a minimalist approach to access to information. But, it’s also not a realistic expectation to sustain an indefinite defense against these kinds of online attacks, especially as they grow in sophistication.

The best way to negate crime is to take away the incentive and motivation.