
Cybersecurity may increasingly rely on informants
The U.S. State Department is offering a $10 million bounty for information related to the identification or location of members of the Clop ransomware gang, which is thought to be behind cyberattacks that exploited the MOVEit Transfer vulnerabilities and were aimed at federal government agencies and commercial entities.
At the end of May, Progress Software released a security advisory warning of a SQL injection flaw in the file transfer software it provides. The flaw could be exploited for remote code execution and might have existed for years prior to discovery.
The Clop ransomware gang subsequently claimed responsibility for attacks that resulted in data being stolen from hundreds of victims. In all, three MOVEit vulnerabilities have now been disclosed, with each one requiring cybersecurity teams to apply patches or change the ports the software uses to transfer files.
It’s not clear what impact a $10 million bounty will have, but rewarding informants for information has been a tried-and-true technique ever since countries began offering rewards to help capture pirates. In the Old West and right on through to the Great Depression era, various banking associations provided rewards for the capture of bank robbers.
It’s also not apparent to what degree providers of cyber insurance or various industry associations might provide similar rewards for capturing cybercriminals, but the U.S. federal government has offered $10 million bounties previously. The hope is that one or more of the cohorts that make up a cybercriminal gang will be happy to share information in much the same way that many mobsters eventually turned on their colleagues.
Moving beyond bounties
Offering a reward for information is one thing, but providing incentives that encourage individuals or entities to take their assistance to another level by launching counterattacks against cybercriminals is another matter. The Computer Fraud and Abuse Act technically makes it illegal for private entities to launch a counterattack against cybercriminals. In addition, if the systems being employed by cybercriminals reside in another country, there is the potential that such attacks might be seen as an act of war.
However, the U.S. government can, according to the Constitution, hire privateers to protect its interests, so it’s conceivable counterattacks are being launched in the name of protecting the interests of the U.S. government.
Of course, organizations that decide to go down that path might be risking a significant amount of escalation, depending on the level of capability a cybercriminal might have at their disposal. Many cybercriminals are using a kit that was created by some other entity that they are paying a fee to use. It does not always follow that they are going to be able to rain down hellfire if their systems are knocked offline. Nevertheless, organizations might want to investigate a little bit to determine who it is they are dealing with before they decide to poke the proverbial bear.
Regardless of approach, it’s also becoming apparent that artificial intelligence (AI) might one day soon make it a lot easier to reliably identify the source of a cyberattack. The question that will inevitably arise is what to do with that information once it has been provided. After all, knowing who did the crime is not quite the same thing as being able to exact some measure of justice.
