How much will it cost before the public and private sector work together to stop ransomware attacks? Is $50 million the breaking point, as in the recent REvil ransom demand from Apple? Or will ransomware cost human lives, like it did at a German hospital, before law enforcement and cybersecurity practitioners will join forces?

Last week news broke that the U.S. Department of Justice formed a ransomware task force. In December, several private-sector security companies announced their own Ransomware Task Force, and tomorrow the group will unveil its recommendations to combat this threat.

It sounds like these groups are moving on parallel tracks. I hope I’m wrong.

“DOJ has the tools and reach to tackle this [ransomware] challenge in an effective manner,” Thomas Gann, chief public policy officer at McAfee’s Enterprise Division, wrote in an email last week. McAfee is a founding member of the private-sector group.

“We believe that the private sector Ransomware Task Force, scheduled to make similar announcements … will also provide valuable tools to support the work of the DOJ’s fight against ransomware,” he added.

Gann didn’t mention the two task forces working together.

What Private-Sector Vendors Do Wrong

When it comes to ransomware, Tanium’s Egon Rinderer says he gets “spun up” about what security vendors do wrong. Rinderer is global VP of technology and federal CTO for the endpoint security vendor. He says sometimes the vendor community chooses profits over doing the right thing. “We like money,” Rinderer said. “Every vendor out there that I’ve ever encountered likes to make money.”

And this conflicts with the end goal of securing IT infrastructure and data.

There are two ways to combat ransomware, which is essentially just another form of malware, according to Rinderer.

“One is to have baseline controls,” he said. “That is to say if I properly control my baseline at scale across the entirety of my estate, then it doesn’t matter if ransomware or malware lands on the endpoint or if a hacker gets into my enterprise, they’re not going to be able to move freely, it’s not going to be able to spread, it’s not going to do whatever it’s designed to do. The problem is: That’s really difficult.”

He points to the Center for Internet Security (CIS) Controls, a set of 20 best practices for securing IT systems and data. It’s worth noting that Tanium partners with CIS. “CIS one and two are basically what do you have, and what is it doing? And still, every day, somebody’s got a new way of answering just the first two control sets in CIS,” Rinderer said. “We’re still struggling with this 30-plus years later.”

The second option is to have compensating controls — security tools that promise to solve a very specific problem. “You throw in the towel and say well, you know, we can’t properly secure these things because it’s too difficult,” he explained. “So instead of doing that, we’re gonna put compensating controls on, and then it becomes an arms race. Now everybody builds a niche capability around a niche problem.”

This snowballs into next-gen everything and acronym soup, and it seems to be the route that vendors prefer.

“The vendor community has done a really, really good job of teaching the consumers that this is the answer,” Rinderer said. “I’ve built this new thing. It’s shiny, and it addresses that thing you saw in the news a few weeks ago, and it’ll keep you out of the headlines. It’s the promise of: I’ll make you safe. And all you’ve got to do is read the news to know if any one of those products did what it says it does, there’d only be one vendor at RSA, not 1,600.”

This isn’t to say there’s no place in the security market for point products, Rinderer added. But he does believe that vendors and their customers need to re-evaluate how they secure IT systems and data. “We need to take a step back and say what do we need to solve this baseline control problem? That ultimately is the answer,” he said. “But there’s no money in that, because there’s so much money to be made over in the compensating control space by just coming up with new things.”

Both private-sector vendors and public agencies have a responsibility to rally around a security baseline, and this is where the Department of Justice’s ransomware efforts fit into the equation. “Let’s create a computing baseline that is by nature secure so that we aren’t constantly in this arms race with adversaries,” he said.

Will Public, Private Sector Buy Into a Baseline?

Tanium isn’t a member of the private-sector Ransomware Task Force, and Rinderer said he doesn’t have any insider knowledge about what’s happening at the DOJ. While it’s still early in the process, and we don’t know any specifics about the Department of Justice’s plan, Rinderer said he’s worried that “we run the risk of just doing the same thing we’ve always done. Which is, let’s dump a bunch of money into R&D, on the compensating control side of things, and come up with the next 10 shiny things and say this would have stopped the SolarWinds attack.”

He also worries that this is the approach that security vendors favor because it guarantees new revenue streams. “But as a vendor community, sometimes we just have to do the right thing, even if it’s not the most profitable.”

Fighting ransomware also requires more than lip service to public-private collaborations, which both the Biden administration and security vendors say they support. But so far it’s been primarily talk. We’ll get our first hint of whether these two groups will work together against a common foe tomorrow, during the Ransomware Task Force event. I hope they do, because livelihoods and lives depend on it.