Independence Day attack on Kaseya Software – is this now just a cost of doing business?

Ciaran Martin, formerly of GCHQ, has recently called for legislation to make ransomware payments illegal where human life could be put at risk. This follows a series of massive cyber-attacks, the latest of which began yesterday on the software developed and sold by Kaseya of the United States. Last month saw the shutdown by hackers of a major U.S. pipeline, the costs of which have yet to be calculated, an attack on Japanese industry giant Toshiba, and a catastrophic hack on the Irish Health Service Executive. Martin pointed out that there is legislation against paying ransom to terrorist organisations in the UK, but where criminal gangs are protected by a hostile state, payment is allowed, and this makes no sense. Are we developing a new Stockholm Syndrome, ‘if you can’t beat ’em, live with ’em’?

Whilst Mike Robinson, CEO of specialist cyber security company CyberCrowd and (un-caped) anti-phishing and ransomware crusader, wholeheartedly agrees with Mr Martin, he would argue that we need to go further in the UK.

“We should be calling for legislation that requires corporations, especially those making secondary sales of software infrastructure, to have independent security auditing, be certified and regularly monitored, with all board-level executives held accountable for this testing to be in place.

“The digital devastation caused by these sorts of attacks should not have to be absorbed as a ‘cost of doing business’ for innocent third-party companies.”

Currently, insurance companies are offering to indemnify against these attacks; this only fuels the sense that this is a ‘victimless crime’ and perpetuates it. In turn, this will price SMEs out of the market as insurance renewals spiral and ransom attacks begin to fall under the ‘price of doing business’ catch-all for hopeless cases.

“At the very least, where payments are made, especially by public or floated companies, there should be forced disclosure, so the situation can be more closely monitored at stakeholder level,” concludes Robinson.