Criminalize Ransomware Payment? A Bad Solution for a Bad Problem

On June 24, the Washington Post came up with a simple solution for the ransomware problem that is plaguing the U.S. critical infrastructure in general, and municipalities in particular. The Post opined that the solution to malicious ransomware was for Congress to “pass a federal law barring ransomware payments.” Not banning ransomware, mind you; banning ransomware payments. The Post also suggested that DHS “set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom.”

H.L. Menken, the Bard of Baltimore, once opined: “For every complex human problem, there is a solution that is neat, simple and wrong.” This is one of them. The Post suggested that only entities that have “adequate [cyber]defenses” would be compensated for their costs of data recovery after a ransomware attack, suggesting that ransomware vulnerability is somehow evidence of moral corruption or lack of will. Entities “good” and “bad” are hit by all manner of cyberattacks including ransomware—for all manner of motives, including, as we now see, response to U.S. cyberattacks. Entities with comprehensive cybersecurity programs may reduce the likelihood or impact of a ransomware attack, but we should not condition government response and coordination on “moral blame.” Punishing the victim of a cyberattack through increased response costs is probably not an effective deterrent.

Certainly ransomware, extortionware and threatened denial-of-service attacks that are motivated by financial gain could be discouraged if everyone around the world refused to pay a ransom. This would mean, as the cities of Atlanta and Baltimore learned, paying tens or hundreds of millions of dollars in ransomware “cleanup” costs to avoid paying thousands of dollars in ransom.

The goal of companies should focus on not just mitigating the likelihood and impact of ransomware, but also being prepared for it with accessibility of effective threat intelligence services (to know the enemy and negotiate with them) as well as access to cryptocurrency, training and awareness, cyber defenses and data and program backup/restoration programs that are effective and tested. Paying ransom should not be the first response, but ultimately, it may be a reasonable one. Ransomware may be sophisticated and targeted, and it may be random. An attack may go after tens of millions of systems, in search of a fraction of a percentage of victims willing to pay. Making paying ransom a crime just forces victims underground and ensures that the victims don’t cooperate with law enforcement entities. Punishing them with fines or refusal to assist with a response is similarly counterproductive.

There are reasons not to pay ransom wholly apart from economics. Hackers, governments, terrorists and others may use ransomware payments to finance other attacks, terrorism or other criminal activity, or to blunt the impact of economic sanctions. Companies that pay ransom risk inadvertently supporting these activities and the decision of whether to pay should be based on a broad-ranging risk/reward program that is not simply “it’s cheaper to pay.” Entities of all types should be encouraged to cooperate with (and rewarded for doing so) law enforcement agencies, Treasury Department regulators such as the Office of Foreign Asset Control and cybersecurity and forensic companies that can share information about threat actors, their motives, tools and tactics. The problem includes extortionware—threatening to release stolen files or emails, threatening to turn over secrets to governments, selling trade secrets, threatening distributed denial of service attacks, doxing, revenge porn attacks, reputation-based attacks and even “pump and dump” SEC trading scams that rely on manipulating the reputation of a company with either accurate or inaccurate information. Any of these attacks—or threatened attacks—can be weaponized through the demand for extortionate payments.

While federal law criminalizes things such as computer fraud and destruction of electronic property, extortion, threats or threats of “violence” to property, only a few states including California: Calif. Penal Code § 523 (2016 S.B. 1137), Connecticut: CGS § 53a-262 2017 H.B. 7304, Public Act 17-223, Michigan: Mich. Penal Code §§ 750.409b, 777.16t (2018 H.B. 5257, Public Act 95, 2018 H.B. 5258, Chap. 96), Texas: 2017 H.B. 9, Chap. 684 and Wyoming: Wyo. Stat. §§ 6-3-506, 6-3-507 expressly address “ransomware” and/or computer extortion in their statute. We may need to modernize our statutes to provide more effective responses to extortionate activities.

Current U.S. policy appears to be that, while law enforcement does not encourage the ransomware payment, and it presents legal issues with respect to things such as U.S./U.N. sanctions, money laundering and cryptocurrency regulation and providing “material support” to bad guys, law enforcement will turn a blind eye to such payments—neither encouraging them nor outright prohibiting them. This is similar to the U.S. position about physical kidnapping and ransom. It may violate some laws, and the official position is to discourage it, “but if it was MY family …” Indeed, U.S. insurance companies provide KRE (Kidnap, Ransom and Extortion) policies and cybercrime policies that are part of an effective program to respond to physical or electronic hostage-taking.

The Post concluded (without empirical evidence) that “An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result.” If you were on the operating table when the robot performing your surgery was shut down because the hospital refused to pay $500 to get it up and running, I’m not sure you would agree with the “dramatically positive result.”  Paying may be a last resort, but sometimes you have to resort to the last resort without fear of prosecution.

Featured eBook
The Next Generation of Application Security

The Next Generation of Application Security

Application security is usually done by finding, fixing and preventing vulnerabilities, with an emphasis on finding solutions to prevent cybersecurity events in the future. However, many of the breaches we’re seeing are caused by a vulnerability related to the application, often because developers move so quickly to push out new code. AppSec promises to become ... Read More
Security Boulevard
Mark Rasch

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 50 posts and counting.See all posts by mark