Roland Turner


Coming to terms with ARRL sponsoring cybercrime

A lot of people are up in arms about ARRL coughing up a $1M ransom to regain access to its data. There are several common objections, but they overlook any/all of:

Yes, ARRL has made some very serious information security mistakes but they were made in the decades leading up to the incident, rather than during the incident itself (on the information that is public anyway). As with most organisations that have just suffered their first serious incident, we can reasonably assume that ARRL is about to enjoy a step improvement in its information security stance.

The business model of extortion

It is axiomatic for any extortioner that — before they threaten their victim — they must create a situation in which the victim will be much worse off if they don’t cooperate than if they do.

One of the objections that I’m seeing is that ARRL should instead have taken the damage on the chin, cleaned up, and got on with life. Noting that the FBI, counsel, the insurer, and other experts were all consulted during a months-long process, we can reasonably infer that this was not a realistic option; that failure to give up almost 1/3 of its current assets (2022 Annual Report page 28) (nett of any insurance cover) would have done much more serious damage than that.

Even looking at the figure as being a relatively small amount because it’s only about 3 weeks’ revenues (same report, page 30) and therefore well within “taking it on the chin” range overlooks that an organisation deprived of its records may incur enormous costs and disruption depending upon which records are in question. For example, if the extortioners had deprived ARRL of access to its membership records, recovery would take many years; it might reasonably lose about half of the next 12 months’ revenues alone (~$9M). The nett loss over the next decade could readily be three or four times that.

How much is virtue worth? Would it really have been appropriate for ARRL to incur a $27M loss in order to avoid paying out $1M to skilled extortioners? I’ve not seen any of the people threatening to rage-quit ARRL over the future increases in membership dues because they’re not willing to fund this expense (~$6 for each of 160k members) expressing their great enthusiasm for instead paying a much larger amount had ARRL fought the good fight and refused to pay ($170/member on the numbers above).

How sure are you that you want to blame the victim?

ARRL’s avoided information security costs to date

Another objection that I’m seeing frequently is that this payment will materially increase membership dues (because of the direct expense and/or the increase in insurance premiums).

In a narrow sense this is true, but it overlooks that ARRL’s expenses have been artificially low for years or decades because it hasn’t been incurring the costs of running an adequate information security program. I’d hazard a guess that establishing an adequate program will cost something in the vicinity of half a million dollars a year for each of the next two years, and then perhaps a quarter of a million dollars a year thereafter to operate, maintain, and continually improve. Had ARRL been doing this to date, the associated expenses would have been more than the ransom.

This is not to say that the failure to establish an adequate program was a good choice because it saved all of this money — there was no way to know in advance what ransom would be agreed, the disruption to revenue service (and to the broader public good objectives of LoTW) is not an acceptable impact, and the organisation allowing itself to be placed in an extortioner’s clutches in the first place is pretty offensive — just that the increase in dues resulting from the ransom isn’t a realistic objection.

(The numbers above are open to dispute of course. By way of example, EU personal data protection regulators can levy a fine of 4% of turnover for certain kinds of GDPR breaches. The fines are intended to be larger than the reasonable costs of compliance in order to motivate compliance. US compliance costs tend to be a little bit lower. Assume 2% of revenues for the sake of argument, or ~$344k/year in ARRL’s case. The $250k/year estimate above is only 1.4% of revenues. That may in fact be a bit on the low side.)

How ARRL views itself

In the Report to Members about the incident, ARRL describes itself as:

a small 501(c)(3) organization with limited resources

This is demonstrably not true. ARRL has ~$39M in total assets (2022 Annual Report page 28, as above), putting it somewhere in the top 14% of 501(c)(3)s (Table 1. Form 990 Returns of 501(c)(3) Organizations: Balance Sheet and Income Statement Items, by Size of Total Assets, Tax Year 2020 row 6), and presumably closer to the top 5% as that 14% is all 501(c)(3)s with total assets exceeding $10M (N.B.: total, not nett of any restrictions on use).

The other big issue is that ARRL has failed to recognise that it is now — with LoTW — very much in the SaaS business. Like it or not, it’s now in the arena with the worst criminals and the most determined military adversaries in the world. Failure to secure against incursion by adversaries of this type is a serious error. Failure to even recognise the need to do so is even more so.

The “we are small” viewpoint motivates some poor choices, in particular that recruiting and retaining a competent Chief Information Security Officer (CISO) is something that only “big” organisations need to do. Hopefully it is now obvious to ARRL and its membership that this is not a tenable position. I note that ARRL did hire an IT director in 2022 (same annual report) who clearly had a relevant background, but apparently that hire didn’t work out. Hopefully, ARRL will now be motivated to take the need for relevant expertise more seriously and therefore to try again.

How information security matures in the real world

Another common objection is that ARRL should never have allowed itself to get into this situation.

Depending upon how you define “should” this position has some strength. As a practical matter however, one of the major drivers for organisations to take information security seriously is to suffer a serious-but-non-fatal incident, as ARRL has just done. Yes, in an ideal world, every organisation would diligently identify and evaluate its risks and risk acceptance criteria, and then implement appropriate protections. In practice however, most organisations still don’t take Internet-related risks anywhere near as seriously as they should until something goes seriously wrong.

In one sense, ARRL’s case is particularly bad. Offline and off-site backups have been minimal protective measures for decades. That ARRL wasn’t doing something as rudimentary as regularly making offline backups is rather dismaying but, again, the entire business of ransomware relies upon the fact that an enormous number of organisations make this same mistake, routinely. If ARRL doesn’t sort its information security program out in the wake of this incident then, sure, there’s a very real problem, but the fact that it fell into this situation in the first place arises from a pretty commonplace underestimation of risk, not some sort of extraordinary negligence.

So, what’s next?

Most obviously for ARRL: make offline backups of everything regularly, and test them periodically, from now until the end of time!

This is however just one aspect of hundreds that are required for an adequate information security program. The broader picture is for ARRL to recognise that it is both amongst the largest 501(c)(3)s in existence and that it’s now very much in the SaaS business. It will never stop being a target. All of those SKs who made substantial bequests would hardly thank ARRL for — for example — leaving their cash lying around unattended in an unsecured building. No lesser diligence should be applied to protecting digital assets that are developed and employed in promoting amateur radio, often with the aid of those very same bequests.

For everybody else, especially those who are now taking the opportunity to score cheap shots at the ARRL’s expense: I’d encourage leaning in! The ARRL is not only amongst the oldest and largest amateur clubs in the world (I can’t quickly determine whether it’s bigger or smaller than JARL), not only did it secure much of the spectrum that we now take for granted, not only is it trustee for millions of dollars in bequests that fund activities to promote amateur radio, it’s the best available option for US amateurs to act to defend amateur spectrum — all of which is under pressure — both domestically (at the FCC and Congress) and internationally (at the ITU). Perhaps an alternative US national body could garner sufficient support to warrant replacing ARRL as the IARU member body for the US within a decade, however the fight isn’t a decade away, we’re already in the middle of it. For better or worse, strengthening ARRL is the best available option, and that can only be achieved if a significant number of US members involve themselves in strengthening the organisation, not merely by paying dues but by standing and backing (or becoming!) candidates in ARRL elections and by pushing for rational governance, adequate risk management, values appropriate to a contemporary membership, etc.

About me

For those curious about where I’m coming from: on amateur radio, I:

On information security, I:


Extortion by IYIKON is licensed under CC BY 3.0

Updates:

2024-09-02