Skip to main content
close search
site logo
Dive Brief

US government rejects ransom payment ban to spur disclosure

Federal authorities strongly discourage organizations from paying ransoms, but Anne Neuberger of the National Security Council explains why it decided against a ban.

Published Sept. 19, 2022
Matt Kapko's headshot
Senior Reporter
Anne Neuberger, deputy national security advisor for cyber and emerging technology, speaks at the White House.
Drew Angerer via Getty Images

To pay or not to pay — it’s the ransomware question that dogged the U.S. government as it considered whether it should ban payments to attackers, raising moral dilemmas along the way.

Ultimately, U.S. officials decided against an outright ban, Anne Neuberger, deputy national security advisor for cyber and emerging technology on the National Security Council, said earlier this month at the Code Conference.

“It is so hard and so much more work needs to be done to improve the security of tech, to improve the cybersecurity of systems, that we’d essentially be pressing victims to make their payments go undercover,” Neuberger said.

The U.S. government would rather have organizations reach out, ask for support and recover quickly as the Los Angeles Unified School District did earlier this month after it was hit with what Neuberger described as a “crippling ransomware attack.” 

A moral quandary remains over ransomware payments, especially when the human context is taken into account, she said. It pushes against a desire to not incentivize the next act by making payment.

Even though there is not an outright ban, authorities actively discourage ransomware payments.

The advice, instead, is to follow what Neuberger described as basic cybersecurity practices: consistent backups stored offline, multifactor authentication and data encryption. 

“Our first, really strongest request is to do those practices because then you really are protected against only the most sophisticated attackers,” Neuberger said. “Beyond that, if somebody does get hit, reach out to the FBI, as the Los Angeles Unified School District did [earlier this month], and we will surge support to help you recover.”

Federal authorities also discourage insurance providers from paying ransoms, but insurers can play a significant role in reducing the rate of ransomware occurrences broadly, according to Neuberger.

Insurance companies should incentivize good cybersecurity practices by imposing higher thresholds of compliance for underwriting approvals and offering lower premiums to organizations that meet those objectives, she said.

“That makes it a lot harder for attackers because many attackers are using vulnerabilities that are known where there are patches available,” Neuberger said. “If we can raise the bar to where an attacker has to come up with something new each time, we would see the number of attacks dramatically fall. It's way too easy today.”

Recommended Reading

Filed Under: Strategy

Editors' picks

Company Announcements

View all | Post a press release
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell