Back in his FBI days, Jerry Bessette witnessed firsthand the carnage caused by hackers. In 2014, he led the investigation into what was then one of the most significant digital security breaches of all time, an attack on Sony Pictures. Eventually blamed on North Korea, the hack led to the release of troves of Sony’s confidential information — including damaging internal emails, some written by Sony Co-Chair Amy Pascal, who left the company.
In recent years, the 24-year FBI veteran has once again had a front seat to the ransomware scourge, which is damaging not just for high-profile executives like Pascal but for the average consumer too. Recent incidents hitting health institutions, gas giant Colonial Pipeline and beef supplier JBS have all shown how disruptive such attacks, in which hackers steal data, lock up victims’ files, and demand a ransom in return for unlocking them, can be. Both Colonial and JBS ended up paying millions to the hackers. “They've really taken it to the next level,” Bessette tells Forbes. “They're highly sophisticated criminal organizations, not much different from the drug organizations and the terrorist organizations that we've seen over the course of the past 10, 20 years.”
This time around, though, Bessette is leading the cyber incident response at consulting firm Booz Allen Hamilton, which he joined in 2019. His new team, when clients ask for assistance, actually helps coordinate payments to ransomware groups, something he never did at the FBI. The FBI and other U.S. government agencies also recommend that companies never pay the ransom. “The FBI does not support paying a ransom in response to a ransomware attack,” the law enforcement agency writes on its website. “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” FBI director Christopher Wray testified before Congress earlier this month, reiterating the policy, despite Colonial and others paying the ransom.
This puts one of the best-known government contractors in the world in a strange position, though Bessette says sometimes businesses decide they need to pay and Booz Allen can work with law firms and digital currency brokers to help with that. “We are the largest provider of cybersecurity to the U.S. government,” he says. “But unfortunately, when companies find themselves in a situation where they're losing a million dollars a day, a ransom in the low millions of dollars... especially when there's cyber insurance to help alleviate some of the business impact, becomes a business decision to the victim organizations.”
Indeed, the payment of ransoms is fraught with risks. Among the biggest is inadvertently paying millions in Bitcoin to a sanctioned entity in a nation like North Korea or Iran. Bessette says that there are ways to mitigate that risk. Booz Allen and the digital currency brokers who help organize the payment conduct a series of compliance checks so they do not knowingly pay a sanctioned body. Other companies along the chain, whether insurance providers, who may cover the cost of the payment, or law firms, also go through the same compliance checks to ensure they’re doing adequate due diligence and not violating U.S. laws.