Cybersecurity Reporter Nicole Perlroth Says the U.S. Should Outlaw Ransomware Payments. But It’s Complicated.

“It’s easy to sit back as journalists and say, ‘Why should we pay cybercriminals?’ The problem is, the situation is always more complicated than we give it credit for.”


Nicole Perlroth, cybersecurity reporter for The New York Times, says the United States should make it illegal for companies to pay ransom to restore service after cyberattacks like the one that struck the Colonial Pipeline earlier this month.

Perlroth delivered her remarks during a keynote appearance Friday at a virtual TechfestNW, presented by WW.

Perlroth immersed herself for seven years in the shadow world of computer hackers, cybercriminals and international espionage to write a new book about it, This Is How They Tell Me the World Ends. The overwhelming experience of covering near-constant cyberattacks around the world for the Times not only gave her writer’s block, Perlroth said, it showed her the United States is both the most targeted nation on earth in cyberspace—and the most vulnerable.


The May 7 ransomware attack on the Colonial Pipeline only highlighted that vulnerability as it choked off much of the East Coast’s oil supply and drove up gasoline prices across the nation until Colonial agreed to pay the hackers almost $5 million. The U.S. must outlaw such payments if it ever hopes to put an end to ransomware attacks, Perlroth said, but that’s going to be a hard choice for lawmakers.

“It’s easy to sit back as journalists and say, ‘Why should we pay cybercriminals?’” Perlroth said. “The problem is, the situation is always more complicated than we give it credit for.”

The Colonial Pipeline delivered 45% of the East Coast’s fuel supply. If the cyberattack on the pipeline had further penetrated U.S. oil infrastructure, the cost of the damage could have been 10 times the nearly $5 million paid to the hackers. And Colonial’s insurance provider had only two words of advice for the company: Pay it. “There’s no easy decision to be made in this space,” Perlroth said.

Insurance companies could make a start by refusing to cover ransomware payments, Perlroth said, but ultimately Congress needs to step in with legislation that removes the financial incentive for cybercriminals to mount ransomware attacks: “That’s going to be a hard issue to legislate.”

Perlroth said the black market in computer hacks to break into everything from a nation’s power grid to its transportation systems is so pervasive—and profitable—it’s a never-ending threat U.S. companies and the federal government must combat. A freelance hacker who discovers a backdoor into the iPhone’s iOS operating system, for example—the holy grail of hacks—can easily command $2.5 million for it from companies like Zerodium.

Meanwhile, the U.S. National Security Agency sits on the largest arsenal of cyberweapons in the world, Perlroth said, and must choose between the nation’s international security interests (how much do we stand to gain by holding onto a hack to spy on or sabotage other nations?) and its own domestic cybersecurity (how much safer would the country be if we allowed the software’s developer to patch the flaw?).

“They are leaving America less safe,” Perlroth said. “The stakes for these decisions are only getting more dangerous.”

To its credit, Perlroth said, the United States has developed a set of questions to ask when determining how long to hold onto computer hacks before handing them over to companies like Microsoft to be patched: How widely is the software baked into the world’s critical infrastructure? How destructive could a hack be if it were turned back onto the United States? How damaging would it be to the nation’s image if the public learned we could have prevented a cyberattack?

The U.S. learned this hard lesson, Perlroth said, when an unidentified group of hackers called the Shadow Brokers broke into the NSA’s cyber arsenal and began leaking it on the internet, doing more damage to the nation’s security interests than the Snowden leaks. Russia used one hack held by the NSA for five years, EternalBlue, to wreak $10 billion in havoc on neighboring Ukraine as well as U.S. companies like Pfizer, Merck and FedEx.

“There’s no reason we should have held on to [EternalBlue] for that long,” Perlroth said. “It was like fishing with dynamite.”
