It’s 2021, and Black Americans still struggle harder to climb the socioeconomic ladder compared to whites. For many, the trip is now downward, a situation worsened during a pandemic that has impacted them disproportionately.
Economists William Lazonick, Philip Moss, and Joshua Weitz have been researching the key economic forces that have disadvantaged Black men for decades. In a new study focusing on those with only high school diplomas or less, they find that corporate greed - abetted by government policies designed by the wealthy – turned the dreams of once-upwardly mobile citizens into ashes.
From good times to hard times
To understand what happened, let’s time travel back fifty years to 1970.
Nixon was in office, the Temptations were topping the charts, and the first jumbo jet had just taken flight. Black people were moving up, their success fueled by the civil rights movement and opportunities in newly integrated workplaces. There was a mild recession, but Mike, a young Black man from Detroit, wasn’t lying awake at night. He had a good job at General Motors, and the union boss told him that any layoffs would be temporary -- and cushioned with the union’s extra unemployment benefits.
Mike was the son of sharecroppers who left the South in the Great Migration. He had graduated high school in 1964, the same year the Civil Rights Act was passed to guarantee everybody equal access to employment, Black or white. Mike had soon landed a unionized position as a machine operator for GM. He liked his job and performed well. As the year 1970 closed, he got a raise that would help fund the purchase of his dream car, the sleek Chevvy made in his division.
Mike saw GM as his home. The recession had passed and Mike kept his job. He planned to stay with the company long enough to buy a house, put his kids through school, and retire to enjoy his golden years in comfort. The American dream was fully within his grasp.
In 1970, young Black men like Mike were looking forward to joining the blue-collar middle class once closed to them. Up until then, only white men could expect to score the kind of post-World War II jobs that promised growing paychecks, decent conditions, solid benefits, and a career-long tenure at a single company. But now, with firms having expanded production in the ‘60s, plus support under the newly-created Equal Employment Opportunity Commission (EEOC) and federal subsidies for education, Blacks were leaving behind the dead-end jobs of Jim Crow.
For guys like Mike, determination and a high school diploma could translate into a life of security, and even better prospects for the kids. With parents able to save and plenty of good public schools, the children of the new Black blue-collar middle class could set their sights on the white-collar employment awaiting those with a college degree. They could do it because state higher education was inexpensive and sometimes even tuition-free.
By 1983, Blacks were only 9.2 percent of the U.S. labor force, but they made up 14.2 percent of all autoworkers and 13.7 percent of all union members. Well over a third of all Black men and one-quarter of all Black women in the country’s labor force were union members. They had every reason to assume that the future was bright.
But in the early ‘80s, a shadow began to fall over companies where Blacks held blue-collar jobs. Again there was a recession, but this time, a bunch of Mike’s co-workers got laid off. Mike was now a supervisor in his division, but he took a pay cut to help the company weather the storm. Still, he wasn’t too depressed. There had been hard times before at GM. Everybody had always come through it together, from the executive suite to the assembly line.
Soon, he, too, was let go. Mike’s boss said he would be rehired as soon as the economy improved. But somehow that never happened. The union that had always fought for GM’s employees, the United Auto Workers, suddenly seemed powerless. Mike had to take a non-union position as a forklift operator at a warehouse that paid half what he used to make.
Mike had always planned to send his daughter Janice to college. She liked computers and aspired to become a graphic designer. But that required a college education, and Mike just couldn’t swing it now. His income was unpredictable and tuition fees at the state university had gone way up. On top of that, the government had started charging extortionate interest rates on student loans.
Janice gave up the idea of a bachelor’s degree and enrolled at the community college a few years later. The boom in computer-related jobs of the 1980s and ‘90s happened without her. Instead, she became a receptionist at the city health department but lost her job in the Great Recession of 2007. Janice never found a similar position. Her husband, a laid-off transit worker, was serving time in prison on a marijuana charge. Their kids’ school was so neglected that she worried about their physical safety. Instead of growing up in safety and security, Mike’s grandchildren were learning survival skills on the street.
What social scientists call “intergenerational socioeconomic mobility” was not in the cards for Mike’s family and millions like it. Or at least not in the upward direction. Economic forces that clobbered one generation quickly toppled the next. And the next.
But what were those forces?
A meaner, leaner vision
Over the next two decades, the overall economy would prosper, but not for Black people like Mike. The Black blue-collar middle class shrank and shrank until it was all but obliterated. By the end of the century, white Americans without college degrees would find themselves on the same downward trajectory as Mike.
Some said what happened was the result of foreign competition. Others thought it was nervous consumers. Whatever it was, auto plants were closing and workers were cut loose, especially the Black ones with less seniority. Lazonick points out that if it had been whites getting kicked to the curb, companies and the government might have tried harder to intervene and see to retraining for workers displaced by international competition. But Blacks were on their own.
What Lazonick and his colleagues describe as “the most important socioeconomic progress for African Americans in the decade after the Civil Rights Act of 1964” was thrown into reverse.
The researchers also identify a culprit that nobody told Mike about: Wall Street.
They detail how in the late ‘70s, a new model of the economy was emerging that led corporate executives to look at workers differently. Instead of investing in them for the long run, many decided it was better to have a “flexible” workforce that could be hired and dispensed with at any time. Blacks were especially disadvantaged in the new model, explain the researchers, because of the “first last hired, first fired” mentality dominating the unions.
The new model really took off when business schools, starting with Harvard, started preaching the new “shareholder value” vision in the mid-‘80s. Proponents claimed that corporations should focus on making as much money as possible for their shareholders — the people who hold the company’s stock— and never mind anything else. Profits shouldn’t be used to pay workers more, to invest in research, or to build plants. They should be used for Wall Street games that would ensure the money flowed into the pockets of shareholders and the executives who increasingly began to be paid in stock.
Those who hold the opposite view, including Lazonick and his colleagues, favor “stakeholder capitalism.” This model says that companies should consider all their stakeholders—not just the shareholders, but also employees, customers, and taxpayers. Companies that don’t do this may end up wreaking havoc, from environmental damage to driving inequality. If you’re only worried about enriching shareholders and executives, then why spend money curbing emissions? Or bother to pay workers decently?
Shareholder value thinking could even hurt the company itself in the long run. After all, how do you keep making good products and services without experienced, dedicated workers and investments in innovation? But increasingly, America’s executives weren’t thinking about the long run. They were focused on Wall Street and the value of their own stock options. As the researchers observe, “leading corporations lost interest in the fate of the American working class” — and so did the politicians who depended on their donations.
As the ‘80s progressed, the anti-government Reagan Revolution swept the country, making things even worse for the blue-collar middle class in general. Federal and state governments stopped investing in public education. Unlike many white kids, those of Black people like Mike had no intergenerational wealth to fall back on. They would have a much harder attaining an ever-costlier college degree. Even attending a good public high school was increasingly out of reach.
Over the decade, government jobs that provided another source of security for upwardly mobile Black people were getting cut. Meanwhile, Republican administrations did little but toss big favors to corporate executives, from gutting regulation to lowering their taxes. Everyone was singing the praises of the “free market” as the answer to all economic and societal questions. As Lazonick and his colleagues note, it’s not surprising that in the decades since shareholder value capitalism took hold, America has experienced a concentration of income and wealth not seen since the Gilded Age. The researchers describe shareholder value capitalism as “the not-so-invisible hand” that chokes opportunity for the working class, especially for Black people.
It has helped to create a new Jim Crow that exacerbates the centuries of harm already endured by Black Americans.
Restoring American values
Hard work. Education. Better opportunities for your children. A fair shot for everybody. These core American values have receded in the 21st century, largely due to economic ideas that seem to value nothing but the rich getting richer. And Black people, the researchers show, have borne the brunt of the damage the longest.
Jobs like Mike’s probably aren’t coming back on a mass scale, but America can support other directions for Black upward mobility. Lazonick and his colleagues recommend that for starters, corporations and the rich should be made to pay their fair share in taxes so that the government can invest in things that support the middle class, like education. If Americans are serious about racial equality, then they have to support affordable public schools, a cornerstone of the Black middle class, and the advancement of its children into the white-collar economy.
The researchers also point out that America needs the secure business sector jobs it once had — the kind that allowed people like Mike to gain knowledge, skills, and experience for the long run and to contribute their talents over the course of a steady career. Government support for labor unions, they note, has been historically key to ensuring the benefits and conditions that translate into stability and security for middle-class families. It would help companies thrive and be more innovative, too, to retain and benefit from the talents of all the Mikes.
Lazonick and his colleagues believe it’s time to dump the shareholder value mentality into the dustbin of history. For them, that means taking steps to encourage companies to shift profits back to workers and into investments in capabilities and innovation. They are particularly down on stock buybacks, a form of Wall Street manipulation in which firms use their profits to buy shares of their own stock instead of using them to invest in more productive activities. Stock buybacks, says Lazonick, should be altogether banned. The Biden administration appears to be receptive to this argument.
The researchers also raise concerns about the types of relatively secure jobs that are today held disproportionately by Blacks — especially in policing and the mass-incarceration industries. They emphasize that prison reform movements have to take this into account when calling for the closure of facilities and defunding the police. People who become unemployed because of these closures need somewhere to go, and hopefully somewhere better. As Lazonick explains: “We don’t want to keep jobs in the mass-incarceration industries just because they are jobs. We advocate creating useful social services that could employ people who are now in the mass-incarceration industries—which is consistent with progressive demands for police reform.”
Bottom line: A thriving Black middle class is essential not only to racial and social justice in America but to the country’s future economic prospects. Nobody wins in the long run when the Mikes of America and their families end up living an American nightmare.
With US consumer prices rising at 4.2% on an annual basis in April, the fears of those who have recently been predicting a sharp rise in inflation seem finally to have come true. Shortages of some commodities and some types of labor are fueling the debate about the possibility that inflation has come back to stay, making its way into expectations and forcing the Federal Reserve to change soon its current very expansive monetary stance.
The debate about inflation was building before the latest data releases. It was especially heated in February and early March, when the $1.9 trillion stimulus package crafted by the Biden administration was up for legislative approval. If in 2020 the initial reaction of economists and commentators to the dramatic recession induced by the pandemic was unanimous, with almost everyone urging immediate measures both of relief and stimulus, the first Biden package stimulated criticism and misgivings in various quarters. Some economists, like Lawrence Summers and Olivier Blanchard, were especially vocal in pointing out the dangers associated with the stimulus package later approved by Congress, fearing that another major fiscal effort on top of those enacted in 2020, would be much more than what would be needed to close the recessionary gap, thus causing overheating and potentially stoking long-dormant inflation. Others, like Paul Krugman, have judged these fears to be excessive. Based on the general consensus on the very flat slope of the Phillips curve in recent decades, he has noted that even an overheated economy would be unlikely to produce serious inflation.
The latest numbers, far from entirely confirming the former view, reveal instead a rather nuanced situation. The increase of prices in April comes 12 months after the biggest drop due to the initial impact of the pandemic closures – which automatically produces high numbers. Moreover, it seems to be concentrated in particular items and sectors (used and rental cars, airfares, commodities such as copper and lumber) where a combination occurred, possibly of short duration, of bottlenecks in supply and a suddenly increasing demand. Various commentators suppose the surge in prices will fade away later during the year or next year, at most, when bottlenecks are removed and activity brought back to normal in all sectors. Also, labor shortages seem to be very selectively concentrated in particular sectors, especially leisure and hospitality. Josh Bivens and Heidi Shierholz of the Economic Policy Institute note that what seems a huge increase in the wages of the workers in the leisure and hospitality sector (about 18% at an annualized rate in the last three months) has in fact simply brought back those sectoral wages, enormously affected by the crisis, to their pre-Covid trend. With an overall unemployment rate as high as 6.1 percent, a labor shortage is far from being a generalized phenomenon.
Officials at the Federal Reserve do not seem to be much worried, at least for the time being. They expected some increase in the rate of inflation associated with the re-openings, and bet that it will be transitory. Expected inflation as implicit in long-term interest rates, though increasing in 2021, is still quite moderate.
Whether the US economy runs a serious risk of inflation will become clear in the next months. But one aspect of the debate is crucial, and it has to do with the supposed relationship between the size of the fiscal stimulus and the inflationary pressures. The main argument of those who predict a resurgence of inflation is that the big fiscal stimulus, even assuming cautiously small values for the various fiscal multipliers and even allowing for some savings on the part of the recipients of public transfers, could boost actual output several times well beyond the output gap – the distance between actual output and potential output. The latter is inferred from the estimates and projections produced by the Congressional Budget Office (CBO), particularly in its last release of February 2021.
Commenting on the April inflation data, Summers once again scores “the amount of money we are putting in the households’ hands relative to the capacity of the economy to produce,” invoking a need for tax increases to cool down an overheated economy. Based on IMF estimates, according to which the US economy is projected to run above potential in 2021, Martin Wolf believes the Fed should raise interest rates. Evidently, the question of how reliable output gap estimates are is crucial.
Actually, the question mixes several different questions. It’s not only a matter of the reliability of estimates – after all, as remarked by Claudia Sahm, the long history of frequent revisions of the estimates of potential output should invite much caution in using them as a basis for policy. More basically, there is the question of what the official institutions and mainstream economics define as potential output, how they measure in practice such an unobservable magnitude, and whether there is any stable relationship between the estimated output gaps and inflation. We addressed such basic questions in Fontanari et al. (2020) (preceded by an INET working paper in 2019), where we not only reviewed the fundamental flaws of the standard conception of potential output and the standard estimation methods but also proposed an alternative notion and measurement. In a new INET working paper, we now take up the issue both by proposing a refinement of our own method and reflecting on the appropriate measure of slack in the US economy.
The problems with the standard way of measuring output gaps
The standard notion defines potential output as the level of output compatible with stable inflation, thus corresponding to the ‘natural’ or non-accelerating-inflation rate of unemployment (NAIRU). Supposedly, standard estimation methods identify such natural rate empirically by observing the behavior of inflation. In practice, the unemployment-inflation relationship has revealed itself as particularly irregular over time, up to the point of the apparent and puzzling ‘disconnect’ observed in recent decades (see Del Negro et al 2020). This implies that inflation data play in practice a comparatively minor role in the procedures for empirical identification of the NAIRU (see the critical analysis on European economies in Brooks and Fortun, 2020). The main role is played by the theoretical idea that deviations of actual from equilibrium unemployment only occur on a temporary basis, so that standard estimation methods are based on the implicit assumption that the NAIRU must be the trend component of the time series of the actual rate of unemployment. Once this is fed into the elaborate models used for estimation of potential output, the latter ends up being measured in practice as very close to the trend of actual output. The procedure has obvious implications: if actual output is affected by a deep and long-lasting crisis followed by a slow recovery, as happened with the Great Recession, the estimated path of potential output is dragged down automatically and the measured output gaps, after the initial period of the recession, soon become of the order of few percentage points. There is nothing wrong in assuming that a protracted slowing down of actual output may seriously affect the long-term growth prospects – indeed, this is one of the main tenets of the demand-led growth approach. Over time, unused resources tend to dry up and progressively disappear – fixed capital is not replaced, firms close down, labor skills become obsolete in the unemployed. But these phenomena happen over long periods rather than in few quarters and happen precisely as a consequence of persistent underutilization. This means that big negative output gaps should be observable for protracted periods, a possibility that standard estimation methods rule out by construction.
Due to such excess sensitivity to the path of actual output, standard methods tend to underestimate systematically potential output and the output gaps, especially after a recession. The gross underestimation of output gaps for some European countries during the 2010s is something to which Blanchard himself has drawn attention in past works. But a further problematic feature of standard methods is that they produce output gaps that tend to be in fact poor predictors of inflation. The experience of the USA in the late 2010s may be instructive in this respect. According to the CBO’s estimates, the US economy has been in dangerous inflationary territory for years. Looking at real-time estimates, the unemployment gap (the difference between the actual rate of unemployment and the natural rate, a notion which is strictly linked to the output gap) has constantly been negative from 2017Q1 to 2020Q1, three full years. Yet, no uncontrolled acceleration in inflation happened in that period.
Instead, inflation has been oscillating around target, often below it. Figure 1 illustrates this. Even the multiple increases of the Federal Funds rate that the Federal Open Market Committee (FOMC) engineered from 2015 to 2018 were not justified on the basis of excessive actual inflation, but rather on estimates of inflation expectations and the presumption that very low unemployment rates would surely produce too much inflation later. Still more relevant, when the FOMC decided to lower the interest rates in July 2019, despite the estimated sign of the unemployment gap had been negative for 9 consecutive quarters, no appreciable burst of inflation took place. Inflation even declined in 2019Q3.
Clearly, it is not possible to base inflation fears on such flimsy measures because of their obvious failure to predict it or to be significantly correlated to it in the past. It is indeed ironic that measures of equilibrium unemployment and potential output entirely based on the definition of such magnitudes as the non-inflationary limit should prove in practice so utterly disconnected from the actual behavior of inflation.
Equally problematic is the uncertainty of the estimates of the output gaps and their variability across different agencies and institutions. Given that they employ different models to compute potential output – though all of them practically define it as some sort of trend component of actual output – and given the irregularity of the unemployment-inflation relationship in actual data, differences in model specification or in the value of particular parameters easily lead to different assessments of the output gaps. Uncertainty of estimates is well known since the same institutions producing estimates sometimes warn against putting too much weight on them (see for example Barkema et al. 2020).
To such traditional volatility and unreliability, the pandemic has added problems of its own, linked to the wild swings in economic activity and employment suffered by most economies and some practical difficulties in data collection. For its sudden and deep character, the pandemic recession has opened a wide output gap in 2020, but assessments of the size of the gap change quite remarkably across the different agencies.[1] Quite naturally, estimates also change as events unfold.
An alternative notion of potential output
It is not only a question of using estimates with more caution. The deeper problem lies with the notion itself, i.e. with the attempt at identifying a supposedly unique non-accelerating inflation rate of unemployment that in practice defies any quantification and the insistence in believing in a regular relation of some kind between unemployment and inflation that empirical evidence disproves. In our previous paper, we proposed to discard entirely the mainstream notion of potential output and turn back to the notion and measurement proposed by A.M. Okun in the 1960s, who defined and estimated potential output as an empirical approximation to a traditional Keynesian notion of full-employment output, understood as a sort of ‘maximum’ of production attainable in any given situation.
In updating Okun’s method and applying it to US data of the 1959-2018 period, we have shown that our measure is both immune to the flaws of the standard notion of potential output and consistent with the disconnect between inflation and unemployment so clearly borne out by empirical evidence in the last decades. Indeed, it entirely refrains from the use of inflation data, which implies that the deeply problematic Phillips relationship plays no role in it. It also avoids defining potential output as the trend component of actual output, allowing instead the opening up of sizeable, non-self-correcting divergences, in phases of slack, between actual and potential output. This reflects our theoretical idea, typical of the demand-side perspective, that no automatic mechanisms ensure the tendency of actual output towards potential.
What we propose, in other words, is to separate the analysis of inflation from the analysis of the level of unemployment, and to use the notion and measure of potential output to assess the distance of the economy from the full employment goal. The experience (but also the economic literature) of the last decades clearly shows the failure of models based on a strict link between activity level and inflation and the relevance of cost-push factors in determining inflation. This does not amount to renouncing the fight against inflation (if and when the April surge in prices becomes a true inflation process in the following months), but to renouncing the hypothesis that such a fight necessarily implies increasing unemployment and reducing the level of activity.
What is full employment?
The measure of full employment is necessarily conventional, since allowance must be made for some amount of irreducible unemployment that inevitably characterizes even a very healthy labor market. Based on this, in our 2020 paper, we proposed to consider different values of the rate of unemployment as possible targets and showed that in all cases the output gaps computed with our Updated Okun Method tend more often to be negative and are bigger in size than those obtained by the CBO.
Yet, both the experience of the late 2010s and, more recently, the turmoil that the pandemic has caused in the labor market have shown clearly that the (official) rate of unemployment may be a highly imperfect indicator of labor underutilization. The very low unemployment rates of the late 2010s went together, in the USA, not only with a sluggish growth of wages but also with comparatively low participation rates, even in the 25-54 age range. In other countries like Germany low unemployment was accompanied by a reduction of individual working time for various categories of workers. If doubts could already be cast on the reliability of the unemployment rate as an indicator of labor underutilization in the long recovery of the 2010s, the dramatic events associated with the pandemic have only reinforced these doubts. The contrasting cross-national policy responses to the crisis, which in most European countries have taken the form of short-time work schemes, have meant that the (possibly analogous) strong reduction in the labor input in 2020 has had enormously different effects on the unemployment rates in Europe and the USA. Moreover, the pandemic has brought remarkable changes in participation rates and working time, implying a rather more substantial amount of slack, in most economies, than that recorded by the official unemployment rates.
Our new paper addresses such questions. In it we review possible alternative indicators of labor underutilization, starting from the ‘broad’ indicators of unemployment computed by the Bureau of Labor Statistics (BLS), which take into account such phenomena as discouragement in participation and part-time employment for lack of full-time opportunities. We test Okun’s law – originally a regular empirical relationship between output growth and changes in unemployment – with some of these ‘broad’ unemployment indicators (both for the United States and for a panel of OECD countries) and find confirmation of the general validity of the law, both across countries and with different indicators of unemployment
But these broad indicators, although likely to be better indicators of actual unemployment than the official rate, may fail to properly account for the full degree of slackness in the labor market. After all, such indicators hit historically minimum values in 2019, along with the official unemployment rate, while data on labor force participation and the subdued growth of wages pointed to the existence of margins for further expansion of labor utilization.
We thus explore, in the paper, other indicators of labor underutilization that take into account working time, so as to capture that kind of underutilization that derives from people working fewer hours than they would be prepared to work. The literature review brings us to propose a new indicator of the labor input based on hours worked, which we regard as a more accurate expression of the actual extent of labor utilization. This indicator, which we obtain by dividing the total number of hours worked in the economy by the working-age population,[2] we label ‘standardized hours worked.’ On testing Okun’s law with such an indicator, we find again confirmation of the validity of the law, both on a panel of OECD countries and on US data.
Output gaps
In the final part of our paper, we offer estimates of the US output gaps. We focus on the last part of the 2010s and on a tentative assessment of the gaps opened up by the pandemic crisis in 2020. As a rule, we believe that all estimates of the output gaps – even our own – should be used with caution, due to the inevitable approximations and simplifying hypotheses that are implicit in the procedure (in any procedure). Especially real-time estimates may prove less than entirely reliable.
However, our calculations offer in our view some interesting insights. Our Updated Okun Method requires setting an appropriate target value for each indicator of labor utilization/underutilization, supposedly identifying a situation of full (or almost full) use of the labor input, against which potential output is estimated. Thus, in the first place, our calculations allow focusing on the comparative merits of the various indicators and their ability to correctly measure the quantitative dimension of labor underutilization. Due to the conventional nature of the full-employment measure, we may set different target values for each indicator, which implies that the measure of the output gaps varies according to both the indicator and the value chosen as a desirable policy target. This we regard as a positive feature of our method since it transparently links the extent of the gap to the policy objective and invites proper policy use of the gap notion.
In the second place, notwithstanding such possible multiple estimates, our method gives across all indicators uniformly wider output gaps than those calculated by the CBO or the IMF, thus revealing once more the strong tendency of standard methods to systematically underestimate the margins for output expansion. Particularly wide is the gap revealed by our indicator of standardized hours worked, pointing to the relevance of the time-related dimension of labor underutilization both in the long recovery of the 2010s and in the pandemic crisis of 2020.
The latest data on the labor market in the USA show a slowing down in the pace of recovery, with a slight increase in the unemployment rate and 8 million jobs still missing with respect to the pre-pandemic period. Not only does the unemployment rate still linger at 6%, well above the pre-pandemic level, but data on participation (particularly on women’s participation, doubly hit by low wages and lack of affordable child care) reveal how such figures grossly underestimate potential labor reserves. Current inflationary pressures are likely a temporary phenomenon, linked to the peculiarity of the pandemic crisis and the bottlenecks it has produced. Even if they are not, it is not an excessively tight labor market or a too rapid filling (or even overshooting) of the output gap that is to blame. If anything, the pandemic has reinforced the disconnect between unemployment and inflation already well established in the literature. The more relevant risk remains that of taking too seriously the official measures of the output gap, thus neglecting both the actual extent of slack that they are not able to reveal and subtracting vital stimulus and much-needed relief from a still suffering labor market. This would cause slow growth and stagnating demand, which, as past history has shown more than once, do not only produce underutilization and distress in the short period but also create long-term damage to growth.
References
Barkema, J., Gudmundsson, T., Mrkaic, M. (2020). What Do We Talk About When We Talk About Output Gaps? International Monetary Fund Working Paper, No. 2020/259.
Brooks, R., Fortun, J. (2020). Eurozone Output Gaps and the COVID-19 Shock. Intereconomics, 5, 291-296.
Del Negro, M., Lenza, M., Primiceri, G. E., Tambalotti, A. (2020). What’s up with the Phillips Curve? National Bureau of Economic Research, No. 27003.
Fontanari, C., Palumbo, A., & Salvatori, C. (2020). Potential Output in Theory and Practice: A Revision and Update of Okun's Original Method. Structural Change and Economic Dynamics, 54, 247-266. https://doi.org/10.1016/j.stru...
Okun, A. (1962). Potential GNP: Its measurement and significance. In: Proceedings of the American Statistical Association, Business and Economic Statistics Section, Washington. ASA, pp. 98–104.
Notes
[1] For example, the International Monetary Fund (IMF), in its World Economic Outlook of October 2020, calculated that the output gap in 2020 would be -3.2% for the USA (the figure is confirmed in the IMF’s WEO of April 2021), while according to the Economic Outlook of the Organization for Economic Co-operation and Development (OECD) of December 2020, it would amount to -6.0%. A still wider discrepancy regards the UK output gap, estimated at -4.4% for the IMF and -8.9 for the OECD.
[2] The ‘standardization’ ensures that the indicator is not influenced by the changing size of the economy. We actually build two different indicators, since the working-age population may be defined, alternatively, either as the population between the ages of 16-64 or as the whole population of 16 years or more. See the paper for details.
Ransomware Operators Are Increasingly Acting Like Terrorists
One brazen incident has created a sense of urgency and catalyzed an acute awareness of the impacts of ransomware. The flow of roughly 45% of the fuel consumed on the East Coast of the United States has been halted because Colonial Pipeline’s information technology (IT) systems (computers, applications, and data) were hijacked by DarkSide, a ransomware operator with links to Russia. Colonial’s temporary halt of its pipeline operations was a proactive measure to protect those systems from being fatally encrypted like other parts of its corporate network.
The result has been fuel shortages and a surge in prices. The timeline for full (and safe) restoration is still unknown. This event has broadly impacted millions of Americans and received significant media coverage, but it is not unique or isolated. In fact, the U.S. Department of Justice claims that at least 4,000 ransomware attacks occur daily[1] and security firm Check Point observed that an organization fell victim to a ransomware attack on average every 10 seconds in 2020.[2]
Ransomware gangs have been hijacking the IT systems, data, and operations of our hospitals, schools, corporations, and critical infrastructure services — thereby disrupting civil order and stability by interfering with the peace, security, and normal functioning of our communities. The ransomware operators’ principal tactics include intimidation, coercion, and extortion until the victim entity capitulates to their demands in order to avoid future injury or secondary effects. Hijacking institutions, intimidating people, coercing companies to pay a ransom, causing serious physical property damage, and disrupting civil order are all threats to the economic prosperity and security of the United States and should be treated as acts of terror. But little has been done to prevent such attacks; and it is time for authorities to start taking action including classifying ransomware activities as a form of terrorism.
A Threat to Healthcare Providers and Citizens’ Safety
Harm and injury are on the rise as the frequency and cost of ransomware attacks continue to grow exponentially. At the top of the list are often hospitals and healthcare facilities. In September 2020, Universal Health Services (UHS) fell victim to a human-operated ransomware by the Ryuk gang. The event crippled all of the UHS systems in the U.S. and caused outages to computers, phone services, internet connectivity, and data centers. Some facilities were forced to turn away patients and ambulances, cancel surgeries, and resort to filling all patient information on paper.[3] In order to prevent catastrophic harm and further spread of the malicious activity, UHS took down the rest of its systems used for medical records, laboratories, and pharmacies across about 250 of its U.S. facilities.[4] The Ryuk gang’s ransom demands typically range between 15 and 50 Bitcoins, or roughly between $100,000 and $500,000.[5] In October 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint alert for the healthcare industry warning them of the imminent threat presented by the Ryuk and Conti ransomware gangs who are seeking financial gain.[6] In the midst of a global pandemic and as more COVID-19 patients were entering hospitals, these gangs exploited vulnerable institutions and citizens — threatening patient care and citizen safety. Lives are already at risk and these terrorists are taking advantage of the fragility, distraction, and fear of society to co-opt and coerce for economic gain.
A Threat to Educational Institutions
Between January and April 2021, there were over 20 disruptive ransomware attacks in the U.S. education sector, affecting over 550 schools. In March, for example, Broward County Public Schools in Fort Lauderdale, Florida — the nation’s sixth-largest school district with an annual budget of about $4 billion — fell victim to the Conti ransomware gang. Conti was able to encrypt Broward’s servers and exfiltrate more than one terabyte of data files that included personal information of students and employees as well as other important financial and contractual data.[7] The gang then threatened to erase the files and release the students' and employees' personal information unless a $40 million ransom was paid (the demand was later dropped to $10 million). After two weeks of negotiations, the district offered to pay $500,000 to retrieve the data, and on 31 March it announced it actually had no intention to pay the ransom (presumably because they couldn’t agree with the ransomware operators).[8] On 19 April, the Conti gang made good on their threat and released 26,000 of the stolen files, including Broward School District accounting and other financial records, such as invoices, purchase orders, travel and reimbursement forms, and hundreds of utility bills.[9] In addition to the reportable breach, the incident caused a brief shutdown of the district's computer system, and the school warned that the attack could affect the ability to pay employees. Soon after this incident, the FBI published a Flash Alert warning that the operators of PYSA (which stands for “Protect Your System Amigo”) — providers of ransomware-as-a-service (RaaS)[10] — were targeting higher education institutions, K-12 schools, and seminaries in at least 12 U.S. states and in the United Kingdom. The FBI explained that these malicious “actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use it as leverage in eliciting ransom payments.”[11] According to the Alert, the FBI has observed PYSA targeting government entities, educational institutions, private companies, and the healthcare sector since March of 2020.
In September 2020, the Fairfax County Public School system — just a few miles from the Nation’s Capital — fell victim to the Maze ransomware. While the school did lose protected information of both employees and students, the incident did not impact online education. At the time, the school’s Superintendent noted that it was just one of more than 1,000 educational systems to have suffered a ransomware attack in the past year.[12] Worth noting, however, is the fact that if an active shooter came into a school, as we have seen in Parkland, Texas and every other state in the U.S., we would activate emergency responders and treat it as a terror event. Ransomware attacks, instead, are still been treated as low-level crimes or an embarrassment to hide despite the significant disruption that they can cause. Our students and faculty are being stalked online, their information is being illegally copied and exposed, and worse, their community’s institutions are being hijacked for money and made no longer operational. Schools are no longer a safe place. This is more than a crime.
A Threat to Corporations and Critical Services’ Resilience
No sector is without compromise and 2021 proves to be an even more challenging year. Ransomware attacks increased by at least 485% in 2020 compared to 2019.[13] On 23 March 2021, CISA and the FBI issued a joint alert warning that another strain of ransomware, called the Mamba ransomware, “weaponizes DiskCryptor — an open source full disk encryption software — to restrict victim access by encrypting an entire drive, including the operating system…[and that] it has been deployed against local governments, public transportation agencies, legal services, technology services, industrial, commercial, manufacturing, and construction businesses.”[14]
The Mamba operators are just building on the progress made by other groups. For example, in 2020, Maze operators targeted many brand-recognizable companies, including Chubb, LG, Xerox, and Canon. They were one of the first ransom groups to initiate the double extortion scheme: steal unencrypted files before encrypting the victims’ data and business critical systems, and then threaten to publicly release the stolen data if a ransom is not paid. Companies often confront the difficult decision of having to pay the ransom to prevent public release of their corporate proprietary and/or protected data as well as to obtain the keys to decrypt their systems and data sets.
If the victim doesn’t pay the ransom demand, then the Maze operators and other malicious groups threaten to expose the data, making the event a reportable data breach as well. Maze was also the first group to include a press release on their dark web site to announce the victimized organizations. Between the threat of not recovering their encrypted files and the additional concerns of data breaches, government fines, and lawsuits, most companies feel compelled to pay the ransom and malicious actors are betting on that. Double extortion schemes increased by 59% in 2020 and the trend is only growing in 2021.[15] Since 2019, over 2,100 organization have had data stolen and posted online after a ransomware attack by at least thirty-four of the most sophisticated ransomware gangs. Of these operations, at least 266 leaks were posted by the Maze group, 338 by Conti, and 222 by REvil.[16]
In February 2021, the U.S. Financial Services Information Sharing and Analysis Center (FS-ISAC) announced that, in 2020, more than 100 financial services firms across multiple countries were targeted in a wave of ransom distributed denial-of-service (DDoS) attacks conducted by the same malicious actor. That malicious actor methodically moved across jurisdictions in Europe, North America, Latin America, and the Asia Pacific, targeting the full gamut of financial services companies, including consumer banks, exchanges, payments companies, card issuers, payroll companies, insurance firms, and money transfer services. In each instance, the criminals sent extortion notes threatening to disrupt the firms’ websites and digital services with a DDoS attack if the demanded ransom was not paid.[17]
In January 2021, Microsoft became aware of critical vulnerabilities in the on-premise version of its Exchange Server product that is used for email, calendar, and collaboration solutions. In March 2021, Microsoft released software updates to address these critical vulnerabilities. Yet, as soon as the vulnerabilities were publicly announced, malicious actors began trying to outpace corporate patch management by scanning the entire internet for vulnerable Exchange servers and targeting hundreds of thousands of organizations in the United States, Asia, and Europe. Companies fell victim to this compromise and lost sensitive business information including intellectual property and, in some cases, had their business operations disrupted. To make things worse, two weeks after the patch was made available, the Black Kingdom ransomware gang and other malicious actors also began exploiting still unpatched Exchange servers. The Black Kingdom group first gains access to a corporate network, performs some reconnaissance, and then starts its encryption, leaving behind a nifty ransom note entitled “decrypt_file.txt” to announce their return. It provides explicit instructions on how to contact them, the ransom amount demanded, the Bitcoin wallet ID to use, and a message stating that they exfiltrated data from the corporate network. The note also states that refusal to pay would lead them to publish the attack and stolen files on social media.[18]
In March 2021, Taiwanese electronics and computer manufacturer Acer was infected with the REvil/Sodinokibi ransomware. The malicious actors demanded $50 million in Monero (a digital currency that is secure, private, and untraceable) — the highest known ransom demand to date — to provide a decryptor, a vulnerability report, and proof of deletion of stolen files. They posted images of the alleged stolen files, including financial and bank information, on their website as proof, and threatened to double the ransom demand if Acer didn’t pay by the deadline. Security researchers believe the malicious actors exploited an unpatched Microsoft Exchange server on Acer's domain to execute the ransomware.[19] Of note, the REvil group also operates a RaaS business, offering material support to other “affiliates” who handle the technical details of the attack. The affiliate partners launch the initial infection, erase backups and exfiltrate the files (REvil affiliates get 70-80% of the ransom). REvil develops and delivers the target specific encrypted and ransom negotiates the ransom payment.
Yet, the ransom event that changed the risk calculus for many corporations occurred in July 2020, when the fitness brand Garmin suffered a worldwide outage of its systems. The Evil Corp. gang, a group linked to Russia, used the WastedLocker ransomware to successfully penetrate Garmin’s enterprise and knock it offline.[20] Garmin engaged Arete IR — an intermediary for negotiating ransom payments — and ended up paying $10 million to the criminals to restore its systems.[21]
Worth noting, however, is the fact that Evil Corp. and its principal operators are on the U.S. Treasury Office of Foreign Assets Control (OFAC) list of Specially Designated Nationals (SDN)[22] for their role in developing and distributing the Dridex malware, used to conduct crimes against hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.[23] The Treasury Department performs a critical and far-reaching role in enhancing national security by implementing economic sanctions against foreign threats to the U.S., and paying ransom to criminal or terrorist organizations on their OFAC list can lead to fines and/or criminal offenses. When Garmin paid the Evil Corp. group — which Treasury considers a financial terrorist organization potentially acting for, or on behalf of, Russia — the company violated OFAC regulations.[24]
After the Garmin incident, the U.S. Treasury Department issued guidance to industry in October 2020, reminding them that “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations… OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”[25]
There are hundreds of different ransomware organizations or families targeting our institutions. These transnational syndicates are not just hijacking our IT systems but they are also targeting the corporate operational technologies that deliver citizens’ essential services, like the distribution systems of water and oil and gas.
In 2019, Temple University began cataloging Critical Infrastructures Ransomware Attacks (CIRWAs), based on publicly available information. Between November 2013 and March 2021, they tallied more than 907 such events.[26] Attacks that affect critical infrastructures risk can have debilitating effects on the country’s ability to function. The incidents against critical services have increased in frequency and severity over the last two years, and data reveals that around five critical infrastructure ransomware attacks occur every week on average.[27]
In February 2020, a natural gas compression facility fell victim to ransomware that impacted its pipeline operations and forced the plant to shut operations for two days. The malicious actor used a phishing email to infect the corporate networks and move laterally to operational networks, while the company lost visibility of assets and operations and was no longer able to read and aggregate real-time operational data. The incident also halted operations in the different geographically distinct compression facilities because of pipeline transmission dependencies.[28]
The Colonial Pipeline ransomware attack resulted in the exfiltration of nearly 100 gigabytes of data from the corporate networks in support of a double extortion scheme, in addition to the disruption of fuel distribution along the East Coast.[29] Colonial Pipeline is the largest refined fuel pipeline network in the country, transporting over 100 million gallons per day or roughly 45% of the fuel consumed on the East Coast of the United States, and is the main conduit of refined gasoline, diesel fuel, and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. The incident throttled gas supplies across the easter U.S. for at least a week, causing a surge in fuel prices and impacting fuel supply in the Southeast and Central Atlantic markets. It forced the Federal Emergency Management Agency (FEMA) and the Department of Transportation (DoT) to declare a regional state of emergency for 18 states to keep fuel supply lines open. Commerce Secretary Gina Raimondo stated that the government was “working closely with the company, state and local officials, to make sure that they get back up to normal operations as quickly as possible.”[30] President Biden invoked emergency powers to ensure oil and gas supplies kept flowing to big cities and airports along the East Coast, while Colonial continued to work to bring its pipeline back online in stages and “only when we believe it is safe to do so, and in full compliance with the approval of all federal regulations.” This was the most significant, successful attack on energy infrastructure in the U.S. to date. This event highlights the vulnerability of core infrastructures of the U.S. and demands a more forceful response.
Unfortunately, many victim entities choose to pay the ransom, for three principal reasons: (1) they have inadequate business continuity/disaster recovery processes and cannot restore their systems and, therefore, (2) they must pay the ransom to restore business-critical systems and data sets. Lastly, due to the growing number of data protection and privacy laws, such as Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the new California Privacy Rights Act (CPRA), (3) companies fear having to pay the fines associated with data loss or for negligence in implementing security controls and would rather pay the extortionist to “promise not to post” about the incident in order to avoid paying the regulatory penalties for non-compliance.
Countries with a long record of hostility against the United States — China, Russia, Iran, and North Korea, among others — often benefit from ransomware attacks that can cripple U.S. organizations and critical infrastructures. The most sophisticated ransomware groups, including Iran’s Charming Kitten, North Korea’s Lazarus Group, Russia’s REvil Corp., and China’s APT27 and Winnti,[31] appear to have protection from their state that offers them a safe haven so long as they give a kick-back or act as proxies in other cyber operations. These loosely affiliated criminal groups often develop a symbiotic relationship with the state — intermittently working together for mutual benefit. The states can leverage these non-state actors (proxies) and their technical expertise and cyber capabilities to commit internationally wrongful acts using ransomware and other malicious software, without having to take responsibility.[32]
What Can Be Done?
The Role of Organizations. Organizations must recognize that the digital assets (software and hardware) that underpin their networks are commodities that have a shelf life that averages five to ten years. At the end-of-life of the commodity, the software/hardware product or service no longer receives the support of updates (that often remedy vulnerabilities) by the original manufacturer. Countless institutions are running legacy or unsupported products and services in their environments and are, therefore, vulnerable to exploitation. Moreover, for those digital assets that are supported with software/hardware updates, it is essential that organizations promptly update their systems when new updates (patches) are released. The so-called “Patch Tuesday” is inevitably followed by a “vulnerable Wednesday” — where malicious actors, who are now also aware of those newly disclosed vulnerabilities, can exploit unpatched systems and steal sensitive data, knock businesses offline and, in some cases, destroy the IT systems that power hospitals, schools, businesses, and essential services.[33]
The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is a prioritized set of technical best practices that, if implemented correctly, should provide an effective defense”[34] Most successful intrusions into an organization often occur because the organization has not implemented these basic controls. Organizations have largely been complacent about their responsibility to secure their digital assets and data sets. In fact, when insurance company American International Group (AIG) conducted an evaluation of the organizations that made cybersecurity policy claims in 2020, it found that at least 70% of those organizations did not have the appropriate controls in place.[35] Due to the frequency and severity of the ransom claims made in 2020 to insurance companies, AIG evaluated the control failures and prioritized 25 controls that it will seek organizations to have in place in order for AIG to underwrite a future policy. Many of these controls map directly to the CIS Top 20, which have been available for over a decade. At the top of AIG’s list are questions like: What is the applicant’s target time to deploy critical patches and what is the applicant’s year-to-date compliance with its own standards? Does the applicant maintain visibility and protect its end-point systems using behavioral-detection and exploit mitigation capabilities (e.g., desktops, laptops, mobile devices)? How does the applicant protect privileged credentials, and how and to what extent is the applicant dependent on Microsoft’s Active Directory for identity, access, authentication, and administration of the networked environment? Other important factors for evaluating an organization’s preparedness to minimize ransomware risks include whether the organization conducts regular backups of data, system images, and configurations; whether it tests backups, and keeps the backups offline; whether the organization knows its mean-time-to-recover from an incident and whether that is acceptable in terms of its risk appetite.
The Role of Insurance. The insurance industry has an important role in demanding and encouraging organizations to invest in the basic digital defenses of their networks and data. Yet, the insurance marketplace for cybersecurity policies still covers less than 30% of insurance policies underwritten so far, and this number may not reflect claims arising from cyber incidents that are submitted under non-cyber insurance policies. Regulators, like the New York State’s Department of Financial Services (DFS), have argued that the insurance market may “fuel the vicious cycle of ransomware” because some victims are specifically being targeted because they have [cyber] insurance.”[36] This may be an unfair claim, but nonetheless, the industry has seen a state change, where from early 2018 to late 2019, the number of insurance claims arising from ransomware increased by over 180%, and the average cost of a ransomware claim rose by 150%.[37] In 2020, the numbers were much higher and the average ransom demand is now in the tens of millions of dollars
In February 2021, Moody’s Investors Service Inc. reported that “a challenge for insurers is the potential for risk accumulations given that the same event can affect multiple policyholders across geographies and industries.”[38] These “ripple” claims can become very costly to the insurance industry. For example, one event can accelerate risk to many other organizations, like in the case of the thousands of vulnerable Microsoft Exchange servers that went unpatched and were exploited by nations and transnational organized crime syndicates in March and April 2021. An event like this could result “in multiple – theoretically, tens of thousands – of companies making insurance claims to cover investigation, legal, business interruption and possible regulatory fines.”[39] A similar event occurred in February 2021, when malicious actors exploited a critical software vulnerability found in the legacy large file transfer product made by software company Accellion. Despite the patch released by Accellion, at least 25 of its customers "suffered significant data theft” as a result of the compromise.[40]
A CISA joint advisory, published in conjunction with the cybersecurity authorities of Australia, New Zealand, Singapore, and the United Kingdom, said that the malicious actors had targeted “multiple federal, and state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields.”[41] In at least some cases, the Clop ransomware group that exploited vulnerabilities in compromised Accellion appliance contacted victim organizations attempting to extort money to prevent public release of the stolen data. Victimized organizations included the supermarket chain Kroger, cybersecurity firm Qualys, Canadian airplane manufacturer Bombardier, Singapore’s largest telecommunications company Singtel, Australia's Transport for New South Wales, Australian Securities and Investments Commission (ASIC), the Reserve Bank of New Zealand (the country’s central bank), and many more.
The combination of ripple claims and the frequency of ransomed victims are squeezing the industry to increase insurance rates between 20-30% and decrease the market’s capacity.[42] AIG and other insurers are reviewing their portfolios and instituting a higher standard for underwriting policies, which should lead to improved digital risk management and fewer victims.
The Role of Government. The government also must do its part but, to date, many government institutions keep pointing the responsibility back to industry. In February 2021, the National Cyber Investigative Joint Task Force (NCIJTF) released a fact sheet on current threats posed by ransomware and mitigation strategies and measures that organizations should take to de-risk their chance of becoming a victim.
Nonetheless, there are many steps the government should still undertake. First, the U.S. Department of the Treasury OFAC should expand its list of Specially Designated Nationals (SDN) to include as many of the ransomware gangs as possible. Of course, this will require support from the intelligence and law enforcement communities, but if we want to stop the flow of ransom payments to our adversaries and their proxies, these malicious actors must be clearly identified and named, so that authorities can begin to impose real costs and consequences.[45]
Second, the U.S. Department of Justice should determine and make clear that paying a ransom is illegal. This step would likely force organizations to further invest in their security and ability to withstand and recover from an incident (i.e., increase their resilience). Categorizing ransom payment as an illegal activity would also clearly remove coverage for these types of payments from insurance policies. Third, the parallel “epidemic” of ransomware attacks should be systematically and operationally dismantled, which requires the government to treat it like terrorism — working operationally across all government agencies and with its international partners. The government has shown that it can track transnational networks, follow their illicit finance, and prevent malicious activities before they can cause harm to society. This type of crime should be no different. These ransomware syndicates work for themselves and for nations as proxies. They have sophisticated services to launch their malicious attacks (ransomware as a service) and rely on infrastructures to turn their cryptocurrencies into cash. Supporting sustained operations that take down their servers of service and monitor and eliminate the cryptocurrency exchanges that launder their money would be a strong beginning.
Lastly, policymakers should prioritize identifying who is backing — or ignoring — these syndicates that are holding our institutions hostage with ransomware. U.S. Representative Jim Langevin recently stated that “if the international community can identify areas where a country is clearly looking the other way and it has a concentration of bad actors and they’re not doing enough to shut down these bad actors, there’s a role for international, multi-nation efforts to hold nations accountable.”[46] If governments around the world began to treat ransomware organizations similar to how they treat terrorist organizations, then a higher priority may be placed on dismantling their operations and refraining from harboring their activities in sovereign territories.
Conclusion
Hospitals, schools, businesses, critical services, and infrastructures are being hijacked by ransomware — rendering their systems and data inaccessible and inoperable. The individuals, groups, and countries conducting these activities are employing intimidation and coercion tactics like terrorists would do and preying on victims’ fears — fear that a hospital will have to turn away patients, or that a school cannot conduct learning activities, or that a corporation cannot deliver a critical product or service, or that critical infrastructure could be irreparably disrupted (serious physical damage), or that an organization may not be able to deliver an essential service to its customers/citizens. The fear goes beyond business disruption, it includes the fear that the malicious actor will expose protected data (e.g., personally identifiable information, protected health information, proprietary information, etc.) and thereby activate a regulatory penalty and possibly reputational damage.
Our corporations and civic institutions are literally paying our adversaries (and their proxies) to restore their network’s functions and data back to normal. It should be obvious that the U.S. and its allies need to know the full extent of the threat and understand how much money is being paid and to whom — whether directly or indirectly. The U.S. and its allies know how to dismantle terrorist networks and therefore should apply this know-how to systematically and operationally take down ransomware networks, the services that they provide to other criminals, and the operators’ ability to extort vulnerabilities for money. This requires a sophisticated, coordinated, transnational approach, where many entities have roles to play and responsibilities to fulfill. Ransomware activities should no longer be allowed to disrupt civil order, coerce organizations into paying large ransom demands, and threaten the economic prosperity, safety, and security of the United States and its allies. The U.S. government has identified the growing threat of ransomware as an epidemic causing grave harm to society; now, they should name the ransom operators as terrorists and neuter their ability to cause harm.
Endnotes:
[1] U.S. Department of Justice, “How to Protect Your Networks from Ransomware,” https://www.justice.gov/criminal-ccips/file/872771/download.
[2] Check Point Research, “Global Surges in Ransomware Attacks,” https://blog.checkpoint.com/20..., and “Cyber Security Report 2021,” https://www.checkpoint.com/dow....
[3] Lily Hay Newman, “A Ransomware Attack Has Struck a Major US Hospital Chain,” WIRED, 28 September 2020, https://www.wired.com/story/un....
[4] Jessica Davis, “UPDATE: UHS Health System Confirms All US Sites Affected by Ransomware Attack,” Health IT Security, 5 October 2020, https://healthitsecurity.com/n....
[5] Lucien Constantin, “Ryuk ransomware explained: A targeted, devastatingly effective attack,” CSO Online, 19 March 2021, https://www.csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html.
[6] Cybersecurity and Infrastructure Security Agency (CISA) Alert, "Ransomware Activity Targeting the Healthcare and Public Health Sector,” 28 October 2020, https://us-cert.cisa.gov/ncas/....
[7] DataBreaches.Net, “Broward County Public Schools Cyberattack was Ransomware Attack — New Details Emerge,” 27 March 2021, https://www.databreaches.net/b....
[8] Steve Zurier, “Conti ransomware gang hits Broward County Schools with $40M demand,” SC Magazine, 2 April 2021, https://www.scmagazine.com/hom..., and Terry Spences and Frank Bajak, “Large Florida School District hit by Ransomware attack,” Associated Press, 1 April 2021, https://sports.yahoo.com/large....
[9] "Hackers Post Files After Broward School District Doesn't Pay Ransom,” NBC Miami, 20 April 2021, https://www.nbcmiami.com/news/....
[10] Ransomware-as-a-service (RaaS) is a platform designed to enable someone with very little know-how about malware, code, or cyber attacks, to conduct a ransomware attack and turn a profit. RaaS is designed to operate with a user-friendly platform that allows the attacker to simply pick their victim, set the ransom, pick a payment deadline and bitcoin wallet address, and deploy a ransomware variant. The developers of many RaaS platforms take a percentage of whatever the attacker is paid.
[11] Federal Bureau of Investigation, “FBI-Flash: Increase in PYSA Ransomware Targeting Education Institutions,” 16 March 2021, https://www.ic3.gov/Media/News....
[12] Office of Communication and Community Relations, “Update on Cybersecurity Incident,” FCPS Blog, 9 October 2020, https://www.fcps.edu/blog/upda....
[13] BitDefender, “2020 Consumer Threat Landscape Report, https://www.bitdefender.com/fi....
[14] Federal Bureau of Investigation, "FBI Flash: Mamba Ransomware Weaponizing DiskCryptor,” 23 March 2021, https://www.ic3.gov/Media/News....
[15] IBM Security, “X-Force Threat Intelligence Index,” 2021, https://www.ibm.com/downloads/....
[16] The most sophisticated ransomware gangs that employ double extortion schemes include Team Snatch, MAZE, Conti, NetWalker, DoppelPaymer, NEMTY, Nefilim, Sekhmet, Pysa, AKO, Sodinokibi (REvil), Ragnar_Locker, Suncrypt, DarkSide, CL0P, Avaddon, LockBit, Mount Locker, Egregor, Ranzy Locker, Pay2Key, Cuba, RansomEXX, Everest, Ragnarok, BABUK LOCKER, Astro Team, LV, File Leaks, Marketo, N3tw0rm, Lorenz, Noname, and XING LOCKER.
Lawrence Abrams, "Ransomware gangs have leaked the stolen data of 2,100 companies so far," Bleeping Computer, 8 May 2021, https://www.bleepingcomputer.c....
[17] FS-ISAC, “More than 100 Financial Services Firms Hit with DDoS Extortion Attacks,” 9 February 2021, https://www.fsisac.com/newsroo....
[18] Dan Goodin, "Ransomware operators are piling on already hacked Exchange servers, Ars Technica, 23 March 2021, https://arstechnica.com/gadget..., and Steve Ramey, "Black Kingdom Returns to Exploit Zero-Day Vulnerabilities in Unpatched Microsoft Exchange Servers, Arete, 22 March 2021,
https://www.areteir.com/black-....
[19] Steve Zurier, "Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer,” SC Magazine,22 March 2021, https://www.scmagazine.com/hom..., and Lawrence Abrams,”Computer giant Acer hit by $50 million ransomware attack,” Bleeping Computer, 19 March 2021, https://www.bleepingcomputer.c....
[20] Lawrence Abrams, "Confirmed: Garmin received decryptor for WastedLocker ransomware,” Bleeping Computer,1 August 2020, https://www.bleepingcomputer.c....
[21] Tim Starks, "US advisory meant to clarify ransomware payments only spotlights widespread uncertainty, CyberScoop, 13 October 2020, https://www.cyberscoop.com/ofa....
[22] The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
[23] U.S. Department of the Treasury, “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” 5 December 2019, https://home.treasury.gov/news....
[24] Jeff Stone, "U.S. charges two Russians in connection with Dridex banking malware,” CyberScoop, 5 December 2019, https://www.cyberscoop.com/dri....
[25] U.S. Department of the Treasury, “ Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," 1 October 2020, https://home.treasury.gov/syst....
[26] Temple University, "Critical Infrastructure Ransomware Attacks,” https://sites.temple.edu/care/....
[27] SentinalOne Blog, “How Ransomware Attacks Are Threatening Our Critical Infrastructure,” 17 September 2020, https://www.sentinelone.com/bl....
[28] Dan Goodin “US natural gas operator shuts down for 2 days after being infected by ransomware,” Ars Technica,18 February 2020, https://arstechnica.com/inform..., and DHS CISA Alert, “Ransomware Impacting Pipeline Operations,” 18 February 2020, https://us-cert.cisa.gov/ncas/....
[29] Jordan Robertson and William Turton, “Cyber Sleuths Blunted Pipeline Attack, Choked Data Flow to Russia,” Bloomberg, 10 May 2021, https://www.bloomberg.com/news... .
[30] CBS News, “Transcript: Secretary Gina Raimondo on ‘Face the Nation’,” 9 May 2021, https://www.cbsnews.com/news/t... .
[31] Phil Muncaster, "Chinese APT Group Linked to Ransomware Attacks,” InfoSecurity Magazine, 5 January 2021, https://www.infosecurity-magaz....
[32] Office of the Director of National Intelligence, “Annual Threat Assessment of the U.S. Intelligence Community,” 9 April 2021, https://www.dni.gov/files/ODNI... .
[33] Melissa Hathaway, “Patching our Future is Unsustainable and Dangerous, CIGI Paper No. 219, June 2019,https://www.cigionline.org/art....
[34] Center for Internet Security, "The 20 CIS Controls & Resources,” https://www.cisecurity.org/con....
[35] Author’s interview with Tracie Grella, Global Head of AIG Cyber Insurance, 12 February 2021.
[36] NY Department of Financial Services, “Cyber Insurance Risk Framework,” 4 February 2021, https://www.dfs.ny.gov/industr....
[37] NY DFS Cybersecurity Regulation 2020, Cyber Survey of reported events (See 23 NYCRR 500.17).
[38] Claire Wilkinson, “Cyber insurance prices increase on ransomware claims: Moody’s,” Business Insurance, 5 February 2021, https://www.businessinsurance.....
[39] Continuity Insurance & Risk, “MS Exchange attacks could lead to thousands of insurance claims,” 26 March 2021, https://www.cirmagazine.com/ci....
[40] Accellion, “Update to recent FTA security incident,” 1 February 2021, https://www.accellion.com/comp....
[41] DHS CISA, “CISA Releases Joint Cybersecurity Advisory on Exploitation of Accellion File Transfer Appliance,” 24 February 2021, https://us-cert.cisa.gov/ncas/....
[42] Judy Greenwald, “Cyber insurance rates to increase 20-50% this year: Aon,” Business Insurance, 4 March 2021, https://www.businessinsurance.....
[43] “Ransomware - What it is & What to do about it,” https://www.ic3.gov/Content/PD....
[44] Maggie Miller, "DHS Secretary Mayorkas announces new initiative to fight 'epidemic' of cyberattacks,” The Hill, 25 February 2021, https://thehill.com/policy/cyb....
[45] U.S. Department of the Treasury, “Office of Foreign Assets Control - Sanctions Programs and Information,” https://home.treasury.gov/poli....
[46] Shannon Vavra, "New global model needed to dismantle ransomware gangs, experts warn,” CyberScoop, 17 March 2021, https://www.cyberscoop.com/ran....
