Many of the tactics commonly used in terrorist or hostage negotiations are not applicable to cyber-negotiation. Empathy-creating moves aimed at drawing in hostage-takers rarely work in a setting in which identity obfuscation is a given, and even the motivation of the attacker is hard to ascertain. In the cyber context there are very limited opportunities for direct communication between the attacker and victim, enhancing the importance of preparation and advanced planning. Because of these differences, we interviewed Chief Information Security Officers (CISOs) for various types of critical urban infrastructure to understand their views on how to handle ransomware threats. We learned that most CISOs tend to think in terms of three stages of ransomware negotiation (pre-, during, and post).

The pre-negotiation stage focuses on getting an organization to think ahead about the possibility of a cyber attack. Pre-negotiation also includes deploying technical defenses of various kinds that might exclude ransomware before it can infect or encrypt a critical urban infrastructure system. Pre-negotiation also includes establishing a robust backup system in the case an attack succeeds and takes an operating system hostage. The deployment of social defenses such as  raising employee awareness of possible phishing schemes also begins during the pre-negotiation phase.

During the actual negotiation phase (i.e. the time immediately after an attack has occurred and before ransom is paid or a request for ransom is decidedly ignored), the first move by the CISOs with whom we spoke was to consult their organization’s incident response plan. In some organizations, protocols for dealing with a ransomware attack are spelled out in detail. Most incident response plans advise the CISO to deploy backups for the systems that were attacked. When the scale of an attack is beyond anything the incident plan imagined, the CISO is typically advised to convene a designed management committee to decide on the best course of action. Most of the organizations we have met with so far are not equipped with a negotiation strategy or playbook, so the first response tend to be to call in a federal body such as the FBI or Homeland Security to manage the situation.  None of the organizations with whom we have spoken have tried to initiate direct negotiations with their attackers on their own.  

In the post-negotiation stage, organizations often invest in enhancing their technical security. This usually involves spending more money on anti-malware and defensive software, developing schedules for regular security sweeps, engaging outside consultants and increasing team testing exercises. Post-mortem reports and new policies regarding the way future attacks should be handled are sometimes drafted and reviewed by top management.

We believe there is merit to thinking about these three phases of cyber negotiation. As we continue to meet with the managers and CISOs of critical urban infrastructure operations we will add to our review of methods for handling each phase of a malware attack. Our goal is to generate the most robust playbook possible.