Criminalize Ransomware Payment? A Bad Solution for a Bad Problem

On June 24, the Washington Post came up with a simple solution for the ransomware problem that is plaguing U.S. critical infrastructure in general, and municipalities in particular. The Post opined that the solution to malicious ransomware was for Congress to “pass a federal law barring ransomware payments.” Not banning ransomware, mind you; banning ransomware payments. The Post also suggested that DHS “set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom.”

H.L. Mencken, the Bard of Baltimore, once opined: “For every complex human problem, there is a solution that is neat, simple and wrong.” This is one of them. The Post suggested that only entities that have “adequate [cyber]defenses” would be compensated for their costs of data recovery after a ransomware attack, implying that ransomware vulnerability is somehow evidence of moral corruption or lack of will. Entities “good” and “bad” are hit by all manner of cyberattacks, including ransomware, for all manner of motives, including, as we now see, response to U.S. cyberattacks. Entities with comprehensive cybersecurity programs may reduce the likelihood or impact of a ransomware attack, but we should not condition government response and coordination on “moral blame.” Punishing the victim of a cyberattack through increased response costs is probably not an effective deterrent.

Certainly ransomware, extortionware and threatened denial-of-service attacks that are motivated by financial gain could be discouraged if everyone around the world refused to pay a ransom. This would mean, as the cities of Atlanta and Baltimore learned, paying tens or hundreds of millions of dollars in ransomware “cleanup” costs to avoid paying thousands of dollars in ransom.

Companies should focus not just on mitigating the likelihood and impact of ransomware, but also on being prepared for it: access to effective threat intelligence services (to know the enemy and negotiate with them), access to cryptocurrency, training and awareness, cyber defenses, and data and program backup/restoration programs that are effective and tested. Paying ransom should not be the first response, but ultimately, it may be a reasonable one. Ransomware may be sophisticated and targeted, or it may be random. An attack may go after tens of millions of systems in search of the fraction of a percent of victims willing to pay. Making paying ransom a crime just forces victims underground and ensures that the victims don’t cooperate with law enforcement entities. Punishing them with fines or refusal to assist with a response is similarly counterproductive.

There are reasons not to pay ransom wholly apart from economics. Hackers, governments, terrorists and others may use ransomware payments to finance other attacks, terrorism or other criminal activity, or to blunt the impact of economic sanctions. Companies that pay ransom risk inadvertently supporting these activities, and the decision of whether to pay should be based on a broad-ranging risk/reward program that is not simply “it’s cheaper to pay.” Entities of all types should be encouraged (and rewarded) to cooperate with law enforcement agencies, Treasury Department regulators such as the Office of Foreign Assets Control, and cybersecurity and forensic companies that can share information about threat actors, their motives, tools and tactics. The problem includes extortionware: threatening to release stolen files or emails, threatening to turn over secrets to governments, selling trade secrets, threatening distributed denial-of-service attacks, doxing, revenge porn attacks, reputation-based attacks and even “pump and dump” SEC trading scams that rely on manipulating the reputation of a company with either accurate or inaccurate information. Any of these attacks, or threatened attacks, can be weaponized through the demand for extortionate payments.

While federal law criminalizes things such as computer fraud and destruction of electronic property, extortion, and threats or threats of “violence” to property, only a few states expressly address “ransomware” and/or computer extortion in their statutes: California (Calif. Penal Code § 523; 2016 S.B. 1137); Connecticut (CGS § 53a-262; 2017 H.B. 7304, Public Act 17-223); Michigan (Mich. Penal Code §§ 750.409b, 777.16t; 2018 H.B. 5257, Public Act 95, and 2018 H.B. 5258, Chap. 96); Texas (2017 H.B. 9, Chap. 684); and Wyoming (Wyo. Stat. §§ 6-3-506, 6-3-507). We may need to modernize our statutes to provide more effective responses to extortionate activities.

Current U.S. policy appears to be that, while law enforcement does not encourage ransomware payment, and such payment presents legal issues with respect to things such as U.S./U.N. sanctions, money laundering and cryptocurrency regulation, and providing “material support” to bad guys, law enforcement will turn a blind eye to such payments, neither encouraging them nor outright prohibiting them. This is similar to the U.S. position on physical kidnapping and ransom. It may violate some laws, and the official position is to discourage it, “but if it was MY family …” Indeed, U.S. insurance companies provide KRE (Kidnap, Ransom and Extortion) policies and cybercrime policies that are part of an effective program to respond to physical or electronic hostage-taking.

The Post concluded (without empirical evidence) that “An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result.” If you were on the operating table when the robot performing your surgery was shut down because the hospital refused to pay $500 to get it up and running, I’m not sure you would agree with the “dramatically positive result.” Paying may be a last resort, but sometimes you have to resort to the last resort without fear of prosecution.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.