Advisory pushes companies to seek FBI guidance with cyberattacks
Businesses may be reluctant to approach federal agencies in the wake of an attack over fears of losing control over the investigation.
A recent advisory notice issued by the Office of Foreign Assets Control (OFAC) won’t necessarily put more direct pressure on organizations to ascertain the identities of bad actors behind ransomware attacks. But it could force risk teams and the companies they serve to overcome their reluctance toward voluntarily approaching the FBI or other law enforcement agencies in the wake of a cyberattack.
While the advisory did reaffirm the existence of sanctions facing both businesses that choose to pay a ransom to a blocked person or embargoed jurisdiction and providers that help facilitate such a transaction, OFAC’s latest bulletin isn’t necessarily bringing anything new to the table. “I do not believe that anything really has changed. … When I think about my team and the way that we are responding to ransomware matters, nothing really has changed,” said Ted Kobus, chair of the digital assets and data management group at Baker & Hostetler.
So why bother with the advisory? A subheading of the bulletin that OFAC released recently focuses specifically on urging organizations in the midst of a ransomware attack to contact “relevant government agencies.” While this section of the advisory is relatively brief, it may denote a much larger problem, namely that some businesses would rather not consult law enforcement at all, which could be seriously impacting their ability to identify who is extorting them in the first place.
“We’re finding that companies are being poorly advised by people around the potential risks of going to the FBI when you are dealing with ransomware,” Kobus said.
Advances in blockchain analytics have made cryptocurrency or bitcoin transactions easier to trace than they once were — and according to Laura Jehl, a partner at McDermott Will & Emery, the FBI has those tools in its arsenal. However, some of her clients are still reluctant to knock on the agency’s door.
Fears run the gamut from potentially opening up the company to additional penalties or legal jeopardy to losing control of the investigation entirely. Jehl stressed that the FBI is not a company’s employee, which could lead to conflicts over how and when information about a breach is shared with the public, for example.
“I used to be a skeptic on going to law enforcement myself,” Jehl said.
However, ransomware may be forcing changes in the dynamic between impacted companies and the FBI. Both Kobus at Baker & Hostetler and Jehl noted a significant uptick in the volume of ransomware attacks occurring, with the latter also pointing out that the targets hackers are selecting are less random than they used to be. For example, health care or shipping companies, both vital during a pandemic, may find themselves under more pressure to cave to ransom demands.
While that stress may not necessarily make impacted companies any more eager to work with the FBI, it could make the FBI and its law enforcement counterparts more eager to work with impacted companies. Jehl noted that her recent experiences with the FBI have been positive, with the agency sharing information on the identity and potential location of a bad actor where possible.
“I think the FBI has seen ransomware as this massive explosion in organized crime,” she said.
But can the OFAC advisory successfully push more ransomware-afflicted companies to seek out the help of law enforcement? If not, maybe the data can. Baker & Hostetler, for example, has used metrics accrued from previous matters to help illustrate to clients some of the more positive outcomes that can result from involving the FBI.
“When they see those data points that they can rely on because they are tangible evidence, we find that it’s easy to convince them of taking the steps that are appropriate, particularly those that are outlined by OFAC’s advisory,” Kobus said.