While a bounty might incent defenders to chase the identity of attackers, that is hard to do, and this article indicates there are major loopholes in the proposal. First, the offer is “up to” $10 million, with little definition of how that level of payout is achieved. Second, there is an explicit caveat that the lead must identify a state-sanctioned actor, and how a business would come to know that is not explained.
The Biden Administration is trying hard to establish policies that will deter ransomware criminals, which is absolutely a good thing, but expecting a business to have the resources to identify ransomware operated by state actors strikes me as asking a bit much given existing assets. Then there is this:
“Roger Grimes, data driven defense evangelist at KnowBe4, had additional questions about how effective the offer of rewards will ultimately be in countering the threat: “Anything that gets us closer to putting down malware and malicious hackers is a good thing, and this is just another tool to do so. With that said, I’m not sure how large rewards have done against foreign adversaries in the past. We’ve offered pretty huge rewards in real, past, kinetic wars, that went unclaimed. But it can’t hurt. I applaud it. We might get lucky. The question is what to do with the information if we get it and will it matter? We have no legal jurisdiction to pursue any identified criminals in most of the foreign countries hosting many of the cybersecurity criminals. The criminals are often directly protected by the leaders of their countries or paying enough bribes to legal and political protectors that any amount of even really good information will not turn into people arrested and cybercriminal shops permanently closed.”
There is one catch: the information must be linked to ‘state-sanctioned’ actors. This makes it doubtful that the recent ransomware attacks on JBS and Colonial Pipeline would qualify.
The payment program for information on ransomware attacks is expected to roll out quickly, however, with the government taking the unprecedented step of setting up channels on the dark web for the reporting of this information and potentially even paying out the reward money in cryptocurrency (according to a statement by the State Department).”
Overview provided by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group