“It was the equivalent of a Category 5 hurricane coming through,” lamented John Miller, Chief Judge of the First Circuit Court of Florida, in an interview with the Harvard Political Review. “They got our computer systems, our hard drive, all of our stored information, [and] our telephone system.” An entire judicial circuit was knocked off the map, incapable of functioning normally. But this was no hurricane; rather, it was an orchestrated attack by ALPHV BlackCat, a prolific ransomware criminal organization. Much like a kidnapper holding a prisoner for ransom, ransomware organizations seize control of a computer system along with their victim’s information and data, then sell access back for a fee.
“They’ve hit hospitals, they’ve hit law firms, they’ve hit accounting firms,” explained Miller, “their goal is to collect ransom.” On March 1, 2024, in a separate attack, the UnitedHealth Group paid BlackCat $22 million to retrieve compromised insurance information. It is a lucrative enterprise, and it is on the rise: The United States saw a 96% surge in ransomware incidents in 2023 compared to 2022, and this trend is expected to continue.
In an increasingly technology-reliant age, with every organization — from private firms to government agencies — dependent on online systems for data storage, communication, and other everyday tasks, the danger is imminent. At any point, important entities can be completely crippled, and confidential information can be stolen through cybercrime. As it stands, cyberattacks pose an existential threat to the very fabric of our functioning world.
This raises the question: What can we do?
In April of 2021, the Institute for Security and Technology (IST), a think tank founded in 2020 to advise policymakers on cybersecurity and technology issues, published “Combating Ransomware: A Comprehensive Framework for Action,” a report detailing 48 recommendations to create systems resistant to cyberattacks. It outlines four key pillars for cybersecurity: deter, disrupt, prepare, and respond. The federal government must prioritize a well-equipped, well-funded, and well-supported cybersecurity network to establish these pillars across the nation’s digital infrastructure in private and public organizations.
Deter
The deter pillar focuses on preventing ransomware attacks from occurring in the first place through international signals that cybersecurity is a priority. Taylor Grossman, Deputy Director of Digital Security at the IST, said in an interview with the HPR that deterrence involves “nation-to-nation diplomatic efforts to raise the stakes of ransomware activity, outlining it as a threat that countries are going to take seriously.” Essentially, countries must mobilize a global and public shift to prioritize cybersecurity, signaling to bad actors that cybercrime can and will be punished to deter the behavior.
To this end, Grossman believes there has been “a growing global sense that this is a real problem.” Indeed, the United Nations adopted a global treaty in December 2024 to increase cooperation to combat cybercrime. Grossman highlighted that there has been “more of an acknowledgment that there are countries that either can’t or won’t clamp down on this sort of behavior,” emphasizing that the United States needs to continue its work to “call that behavior out or offer assistance if it’s a capacity issue.”
Through the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency dedicated to cybersecurity, the United States has both the capacity and the willingness to take cybersecurity seriously. However, other nations — such as Russia, which lacks the willingness, and Nigeria and Romania, which lack the full capacity — do not, and the U.S. needs to step in and work to fill that gap. As Bridgett Bean, Executive Director of CISA, commented in an interview with the HPR, “cybersecurity doesn’t have borders.” A group based in one small town can hit any nation or organization globally; if even one haven for ransomware groups exists anywhere in the world, it poses a massive threat to companies everywhere.
In making cybersecurity an international priority, CISA has seen much success. Bean stated that “every nation wants to make sure that their citizens have the resources and services that they rely on every day.” As such, CISA has “built very solid relationships with international partners” like the European Union Agency for Cybersecurity (ENISA), and while “different laws [and] regulations” can get in the way, Bean has noticed “a very universal commitment to sharing as much information” on cybercrime as possible. In this regard, CISA has launched the International Strategic Plan for the 2025–2026 year to expand and use these relationships for global cybersecurity.
However, since cybercriminals target both the public and private sectors, deterrence also requires cooperation between governments and businesses. Unfortunately, as Grossman points out, for any organization with “a list of ten priorities, cybersecurity is number eight, and they can really only fund five.” However, for a problem as big as cybercrime, which consumes on the low end nearly one percent of the world’s Gross Domestic Product per year, there needs to be a shift on all fronts.
To deter cybercrime, the United States must continue its push for international support, working with the United Nations and foreign states to present a united front against cybercriminal organizations through pledges and treaties. Turning inward, it must make cybersecurity a priority domestically as well, providing sufficient resources to both private and public bodies to maintain cybersecurity measures. For Miller’s First Circuit Court of Florida, this meant hiring “a full-time cybersecurity expert.” While the Florida Legislature did have enough to spend on the position, the federal government should be ready to provide help for similar situations if needed.
Disrupt
Disruption goes hand-in-hand with deterrence, but while deterrence seeks to prevent cybercrime through cooperative signals, disruption is the operational work to take down bad actors. To Grossman, it involves “targeting and attacking groups, getting into their operations and actually dismantling them.”
While information is necessary for every pillar, disruption is the most information-reliant. Ransomware organizations thrive and survive off of darkness; their very business model requires them to stay hidden. If stakeholders want to find and stop them, they need to be willing to share as much as they know about them.
However, there remains a serious privacy concern regarding sharing information, particularly in the private sector. It is certainly understandable that firms hesitate to share potentially sensitive data with government agencies. However, from private firms, CISA generally only needs information about the defensive measures built into their systems and indicators when said systems encounter a cyberthreat, neither of which constitutes particularly critical data. As such, this information sharing between CISA and private organizations ultimately protects, rather than reduces, privacy. Grossman notes that, when a ransomware attack occurs, “a lot of this information that’s been stolen, it’s going to end up on the dark web.” Entities are faced with a trade-off: give up some information to government agencies, who will safeguard and use it to enhance broader cybersecurity measures, or lose all of it to nefarious actors who will publish it. It is an unfortunate reality, but an obvious choice.
The ransomware business model heavily relies upon cryptocurrency as a purely digital, anonymous means of exchange. Grossman emphasized its importance “to obfuscate what they’re doing and then to funnel funds into fiat currencies…but also to reinvest in their infrastructure so that they can perpetrate more attacks.” She further elaborated that, in the cryptocurrency world, “there are a lot of entities that are underregulated or are simply operating illicitly.” Bitcoin, particularly, is a popular choice used by ransomware organizations, though they can use any cryptocurrency. For example, the previously mentioned $22 million paid to BlackCat by the UnitedHealth Group was in the form of 350 Bitcoins. Information from and regulations on centralized exchanges, wallet providers, stablecoin issuers, and blockchain analytics firms would have a tremendous effect in stopping ransomware actors, and sharing this information with the government is the logical progression.
In collecting and then using key information, the Joint Ransomware Task Force (JRTF) and Joint Cyber Defense Collaborative (JCDC) work in tandem. The JRTF, co-chaired by CISA and the FBI, works to investigate and dismantle cybercriminal organizations, and it does so mainly, as Bean states, through “international cooperation.” This cooperation typically pools resources and targets foreign cybercriminal organizations with the support of the country the group is based in.
According to Bean, the JRTF also works to minimize damages by “giving good guidance, good advice, and advanced warnings” to potential targets of cyberattacks, which are typically private firms. Still, the JRTF relies upon information, and the JCDC is the main provider of this information. As Bean describes it, the JCDC is “a trusted partner, collaborator, coordinator, orchestrator, and convener” of information sharing between the federal government, local and state authorities, and private firms in “all sixteen sectors.” It has helped produce “multiple cyberdefense plans” and is “very effective.” In one case, after CISA received an imminent ransomware warning from “a very large public transportation system,” the federal agency successfully evicted the bad actor and saved “a multi-million dollar ransomware note.” Bean emphasized that this was “just one example of millions of dollars that” CISA has saved. The best thing CISA can do is to continue forward on its charted course, building connections both within and outside of the country to disrupt the ransomware business model.
Prepare
To Grossman, “the prepare pillar is really the foundation” of cybersecurity, as to “ultimately get rid of ransomware as an issue, you need organizations that are prepared.” To prepare is not only to create systems that are hard to target but also to ensure those systems can minimize damages and bounce back quickly when targeted.
How does this look? Grossman believes that creating backups of operational systems and important information is a strong first step, as it is possible for even small organizations without many resources to “get up and running fairly quickly” with “good backups.” It is also important for organizations to have good data hygiene practices, that is, “being really careful about PII [personally identifying information] and really sensitive information, how you’re storing it, [and] who has access.” This deep understanding of an organization’s systems allows it, as Grossman says, to be “aware of what the ransomware actor has actually gotten hold of,” so it can respond more effectively.
The end goal of preparedness is to have systems that are secure by design, that is, built without exploitable flaws. As Bean says, “you wouldn’t buy a car without a seatbelt, so why would you buy a software that has known vulnerabilities?” To this end, CISA has been working with almost three hundred leading technology companies that signed a pledge to make “secure by design” a core policy. However, results from this pledge are not guaranteed, and CISA ought to work to ensure “secure by design” remains a lasting principle through stricter regulation if needed.
Respond
While the other three pillars focus on preventing cyberattacks, the response pillar focuses on what to do when an attack actually occurs: how to report it, how to bounce back, and how to rebuild. As the main focus of cybersecurity is on preventing incidents from occurring, the response pillar is the least emphasized, but it still plays an important role in designing policy.
For the federal government, Grossman describes the response pillar as “pointing folks to the right resources, streamlining how organizations can seek help and how organizations can engage with law enforcement to report incidents.” To Grossman, CISA ought to be a “collector of information,” a governmental organization that can learn from harmful cyberattacks and apply these lessons for others’ protection, even if it means “mandatory reporting” that requires organizations to report incidents. Essentially, CISA ought to study security breaches, learn from weaknesses, and prepare every organization for the next one. Furthermore, when there are damages after a cyberattack, CISA should help organizations “recover and rebuild.”
Bean reports that while “people report to [CISA] extensively” because of its “strong partnerships,” there are few requirements to report cyberattacks. However, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) promised a “Final Rule” to come in the future that will mandate the reporting of all cyber incidents. This requirement is a clear next step given the existing high voluntary reporting.
In terms of recovering after cyberattacks, the federal government plays a small role. For example, rebuilding after the cyberattack on Miller’s circuit was handled mostly by Mandiant, a cybersecurity firm and subsidiary of Google, which had been contracted by the State of Florida. The FBI did play a role, but, according to Miller, it was only “to diagnose, investigate, and develop systems to prevent future attacks.” In terms of rebuilding, “the state of Florida is in charge of that.” This should not have to be the case. Cybercrime threatens the whole nation equally, and unified action is necessary to effectively combat it. There need to be federal resources capable of helping every layer of the country, from federal agencies to local governments to key private firms.
Progress
Unfortunately, public funding remains a roadblock. While organizations and individuals would like to live in a secure world, actually prioritizing cybersecurity and funding it over other projects is an entirely different issue. In many cases, such as the First Circuit Court of Florida, it takes a large-scale attack to begin taking cybersecurity seriously.
However, this model of waiting for public support is ineffective. Cybersecurity is an incredibly pressing issue that becomes more and more pertinent as we progress further in the digital age. We live in a world where a cyberattack can be as devastating as a hurricane, and we ought to start treating cyber threats accordingly. We build levees and dams and fund relief organizations like the Federal Emergency Management Agency (FEMA), but we tolerate vulnerable digital systems and neglect the damage caused to them. Quoting the old adage, Bean states that “we could always do more with more,” and for something as important as cybersecurity, we need to do a whole lot more.