
This article makes the point that law enforcement agencies take the stance that paying a ransom further encourages this behavior from hackers.

In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?

"Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."




Interestingly, this is pretty much the split we've seen regarding terrorist hostage-taking in North Africa. While European governments have generally paid ransoms for the return of their citizens, the US Government steadfastly refuses to pay.

In early years, this generally led to better outcomes for European citizens, but as time wore on, it's come to a point where the terrorists actively avoid kidnapping Americans and prefer Europeans. Assuming these types of hacks are explicitly targeted, I imagine we'd see a similar dynamic play out.

Source: https://www.nytimes.com/2014/07/30/world/africa/ransoming-ci...


I’ve traveled a lot in the Sahara and an old expression amongst the expats was “The French send troops, the Germans send money and the British send regrets”.


^French^Americans probably.


You are ill informed:

- https://en.wikipedia.org/wiki/Operation_Barkhane

- https://en.wikipedia.org/wiki/Operation_Serval

- https://en.wikipedia.org/wiki/Op%C3%A9ration_Licorne

- https://en.wikipedia.org/wiki/Operation_Sangaris

- https://en.wikipedia.org/wiki/Operation_%C3%89pervier

And these are just _some_ of the terrestrial missions, to say nothing of air operations.

France's Army is small, but it does most of Europe's fighting, and is generally regarded as accomplishing a lot with very little.

----

Edit: You might appreciate this mini-documentary about operation Serval. It's in English.

https://youtu.be/-QDnB6dMAb0


Africa is probably more likely to have experienced French or British occupation than American.


Pretty sure I heard on a NYT podcast that proxies are used for US citizens who are kidnapped. Specifically, a high-profile US citizen kidnapped by ISIS and they were returned via payment via a proxy.


Wealthy private citizens will pay, but the government says it will not. In the case of a private citizen paying a ransom for another you run into money laundering laws and trade restrictions.


This doesn't work in practice: companies that aren't allowed to pay those ransoms usually use proxies (some other company that doesn't have to follow those restrictions) that will pay the hackers.


There are ways to prevent the "bags of money" from happening. The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes. Large institutions hire expensive lawyers to ensure their ongoing compliance with FCPA, because the penalties for failing to prevent your organization from paying bribes are extensive. You can't completely eliminate a practice through law, but you can come close, and FCPA has done more for this problem globally than nearly any other measure enacted by a government.


The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes

You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.

The people who enforce the FCPA must be understaffed or undermotivated or underfunded because I've worked for several companies that regularly paid bribes as part of doing business.

One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis. Almost every time the crews tried to return to the United States, the Mexican border personnel would seize their very expensive gear. The only way to get it back was to pay a bribe.

This was so common that everyone was told to just mark it down on their expense reports as "Airport tax." I only found out about it when I started asking why I kept seeing "Airport tax" on expense reports for trips I knew were done in cars.


Your example would be a _very_ far stretch for FCPA.

The law is about bribes for "obtaining or retaining business". It's one thing if you were paying a bribe to say, a local minister to get exclusive access to some sort of scene...

But low-level crooks pretty much sticking you up and you try to buy your stuff back from them under the guise of "government business" is not the kind of thing FCPA is about. It's for concerted attempts to pay off foreign officials to strengthen your business.

Which surely still happen, but not in the manner you're describing. FCPA violations wouldn't be the sort of thing that "everyone" is told about.


IIRC the kind of phrasing used is “external security consultants”.

“We didn’t hand duffel bags of money to the perpetrator group’s courier, we hired a professional external individual security consultant to handle the situation”


News from a few months ago: You just had your servers hacked into and all your database are belong to them. The black hats demand X number of BitCoins as ransom, but you cannot pay because it violates certain laws. So you hire an intermediary who pays for you, thereby avoiding the legal problem.

https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...


Same thing in The Big Lebowski.


So this is what security consultants do. Always wondered.


In the limited context of ransomware attacks.


There's always a loophole, I suppose.

By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limit your options to respond to future circumstance.


I heard of this as a kid, something along the lines of 'when walking down a street make an effort to look forward, through people (and not at them)'.

Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless).


Also known as the crazy bastard strategy: when playing chicken, throw away the steering wheel.


What if the other person covers their eyes at the same time? Thank god for quantum mechanics.


Pass the law to 1) forbid public entities from paying ransom; 2) stringent public timely (less than 24 hours) reporting incidents; 3) stringent public reporting on root cause analysis/resolution/future remediation.

If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.


Isn't this the same problem that money laundering laws have to solve? It's hard, but it's not insurmountable.


Money laundering has the benefit of Federal law working to help the State laws. I think in an environment where there are 50 different legal regimes it's inevitable people will develop workarounds. You see legal arbitrage in every instance where legal differences exist between states. From corporate law to family law. I don't know why this would be any different.

If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.


With strict and timely reporting requirements to the FBI.


Not really: money laundering typically is an on-going activity, while ransomware/hostages is (hopefully) incidental.

That means that money laundering laws are up against a dedicated adversary with resources, while laws preventing ransoms... not so much.

Of course, with cyber insurance, incentives for the insurer may lean towards dedicated circumvention.


But it would remove public institutions from the target list. Also, in the case of private institutions, if it were a criminal offense to use such a proxy, an investigator could discover this. The threat of prison for any officer of a corporation who arranged such a payment would be a powerful deterrent.


Not that it undermines your overall point, but it might prove to disincentivize attacking smaller companies that aren't in as strong a position to use proxies -- which I would still count as a win.


But at least it's difficult and illegal. It makes them less of a target for hackers since they're less likely to pay and it places liability on anyone who tries to work around the law.


Banning ransom payments won't magically fix the underlying vulnerabilities that allow these gangs to deploy their ransomware.

If ransoms weren't being paid, criminals would find other ways to monetize the data. "Honest" ransomware is actually good for the public in the sense that should the ransom be paid, the data is indeed destroyed by the gang. Make ransoms impossible and they will start selling the data or monetizing it in other ways (identity theft, card fraud, etc), at the expense of the public.

Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).


> Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).

There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them. Improved security isn't going to fix the problem, but we can make it less profitable and make that profit more difficult. If our policy is to pay we're just making it highly profitable with very little effort on the part of the attackers. If we refuse to pay, they will have to pore over our data looking for what may or may not be valuable to anyone, spend time searching for those people who might pay them for it, and then spend time convincing them to pay enough to justify their time/efforts.

We should be refusing to pay and making sure we've got backups of our own stuff so that we'll never have to.


> There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them

Their business model relies on them being honest. If they don't follow through on their promise of destroying the data they'll kill the ransomware market entirely. So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.


> Their business model relies on them being honest.

Truthful at least, "honest" isn't a word I'd use for these types.

> So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.

The point is that you wouldn't. They can't publish the data or publicize its sale, but (if they were willing to invest the time) they could still sell it privately, or use it themselves to further attack/exploit you without you ever being able to trace anything back to them directly. They could wait months or years if they wanted and still find value in it (bait for use in spear-phishing for example).


and say they do make it illegal for state entities to pay ransoms... then what? what is going to happen when a ransom attack does happen? they contact the fbi... great... now what? how do they get their data back? what obligation does the fbi have to tracking down the gang and getting the data back? what's the time line?

see... the issue i see with making it illegal for state entities to pay ransoms is that you tie the hands of the victim without any guarantees that law enforcement will help and help in a timely manner. i see this as a lose, lose situation.


The point is that there's no incentive for hackers to target state entities.

Hackers can target state entities for other reasons, but no rational hacker would do it for the ransom, since there won't be any ransom paid.

The FBI can simply say "We'll never catch the hackers, but if you pay them you'll go to jail". It accomplishes the same goal of reducing the reward for hacking to zero.


ah.... yeah... they still will.

just cause they can't get a ransom, doesn't mean the data isn't valuable, as they can still sell it on the black market to carders and other gangs.

it's very ignorant to think that just because you cut off one area of revenue for these gangs that the problems will stop.


This works for targeted attacks, but doesn't work for untargeted, shotgun-ransom-ware attacks.

Shotgun attacks aren't discouraged if some X% of their targets can't/won't pay the ransom.


It seems this law is intended to benefit those with the most resources to implement the best security, leaving smaller businesses to pretty much pound sand.


You mean a pretty basic backup, that your grandma probably has enabled on her phone?


A backup won't protect you from full data disclosure.


You presume the attacker does not know the location of these backups.

Smart attackers do extensive research on their targets before performing the attack.


Isn’t this literally one of the reasons WORM storage solutions exist?


We have arrived at why "a pretty basic backup" is no longer feasible for...any business. A hard sell for a four person business with no dedicated IT team.


It's losing the battle but winning the war ...


Which sounds better to a general at HQ than to a private in a foxhole.


Sure, but to a general at HQ, 1 dead soldier is better than 10. The policy is devastating to that 1 soldier (and family), but that's not enough reason to adopt an opposing policy that would save the 1 but kill the 10.

Similarly, I can appreciate the logic in making American companies less likely to be targeted by ransom hackers, even if it means some companies are hit harder in the short term.


You've made the implicit assumption that it is acceptable and desirable for the government to sacrifice some companies to save some others. I'm not so sure that's the government's business, and it sounds a lot like a taking to me. Perhaps it is acceptable in the era of Kelo.


> You've made the implicit assumption that it is acceptable and desirable for the government to sacrifice some companies to save some others.

That's how governments operate. Every time a government "sneezes" it harms some companies and benefits others.


No, when governments provide public goods (their most widely-accepted role), they are not picking companies out for the gallows.


In that case I'm sure you won't mind if we repave all of the roads to my store twice as often and let the ones you rely on fall apart.


Roads are not exactly public goods, and can be 'club goods' or something between the two; the Wikipedia definition matrix has some nice examples, and the page is quite good overall: https://en.wikipedia.org/wiki/Public_good_(economics)#Defini...


OK, fair, although even with the example public goods listed in that Wikipedia page their provision in reality still does end up supporting certain companies and harming others - e.g. if I'm in the business of selling air purifiers, government efforts to reduce air pollution are going to negatively impact my sales.


I totally agree that government policy can shape the market, and my issue is not at all with that happening as a by-product of public goods, but only when it is a direct and deliberate action.


Got it. I think where I lost you was in your use of "picking companies out" - I didn't realize that you meant only intentionally as opposed to incidentally.


I mean they clearly want to pay the ransom, because they care about their data and/or the privacy of their data.

Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?


They might take off-site backups a bit more seriously if it is made illegal to pay the ransom.

I don't think it will have any effect on privacy. The hackers say they will delete the data, but how can you trust them?


Right, today the logic is: If the risk-adjusted cost of a ransom is less than the cost of implementing proper backups, then it makes sense to just not do backups. If paying ransom was illegal, maybe they'd actually invest in those backups.


> If the risk-adjusted cost of a ransom is less than the cost of implementing proper backups, then it makes sense to just not do backups.

Then again you have people who do it just for the lulz (err...meows?) -> https://news.ycombinator.com/item?id=23957510


Because it is an action with a huge negative externality? You're funding criminals.

We've banned voluntary actions with externalities in the past.


By that line of reasoning, every blackmail and robbery victim funds criminals, thus subject to similar punishment.


>because they care about their data and/or the privacy of their data.

>Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?

You only have the criminal's word to stand on when they claim to delete data. It's far too easy to simply hang on to the troves of collected data and wait for a rainy day.


The point is that ransomware is only written because hackers can get high payouts. If the penalty for paying a ransom is higher than the costs of not paying the ransom (and losing the associated data), then no one pays the ransom, and if no one pays the ransom, no one makes ransomware (or at least no one targets institutions who can't pay ransoms).

I believe this is discussed in Schelling's book "Strategy of Conflict", which I've never read but has been much discussed online[1]. Indeed the article I've linked specifically mentions this case.

[1] https://www.lesswrong.com/posts/tJQsxD34maYw2g5E4/thomas-c-s...


It's a public institution. It's not "their" data. It's their shareholders' data: the public.

Whether or not trusting the judgement of administrators over the judgement of law enforcement is the best way to handle these situations is an open question.

I'm not sure I trust public university administrators to do much beyond stimulate the local construction economy and wider investment banking industry.


Because the criminals won't hack them if they know there's no ransom to be paid.


That's the assumption. Alternatively, the ransom is changed to "change the law".


Typical turn the victim into the guilty tactics. Why not hunt down the extortionist?


How about the victim applies security fixes in a timely manner and creates backups? The excuses at the end of the article are rather weak.

Edit: Also https://news.ycombinator.com/item?id=12870150


The problem with that scenario is that it's probably the same public legislatures that have failed to fund adequate information security for these public institutions. If such a law was paired with appropriate funding then sure, go ahead. If not then what you'll get is more public institutions getting hacked and officially prevented from paying the ransom to get files back.


I thought the article mentioned a 5 billion budget? Isn't it the university's decision how much of that to invest in security?


Consider fake ransomware that doesn't decrypt even after payment is made.

Would it be moral/societally good to write and distribute this software? If it became prevalent enough, it would damage the ransomware model as people would be much less likely to pay if they thought there was a significant chance of payment not fixing their issue.


"Sorry, we are not authorized to pay you any ransom". I think that's a much harder pill for the victim to swallow than the hacker, especially if they otherwise would pay, because they need to get the data back.


I agree, it should be illegal. The headline of this should be "California government supplies bitcoin to illegal terrorist hackers"


One thing that might work is if white hat hackers outnumber the black hat hackers and create ransomware that doesn't have a decrypt option. At a certain point, people will stop paying the ransom.

Another option is: forbid bitcoin and other cryptocurrencies.


I wouldn't call that white hat. ...like at all.

Greyhat is even a bit of a stretch. It's like Dr. Doom. He has good motives but he's still the bad guy.


I think a ransomware that says "Your data is fucked, restore from backups, we'll try again soon" would probably be more of an evilhat, not blackhat :D


It is already illegal if the payment is to a group that is sanctioned by the US gov


And then the “committee” meets and they take a majority decision to pay with a secret vote, and another committee makes the actual payment (by majority).

Who do you prosecute?

Would you close the University to huge harm to the students and researchers?


What you're describing is conspiracy to commit embezzlement; everyone who participated in that conspiracy gets a tenured position at Folsom. And why would you close the university? Are you seriously claiming that everyone in management is determined to do everything possible to hand money to criminals?


Really? In a secret vote? Who is to blame? Are you sure people are really at their best when their positions are in play and they can hide behind a committee and the solution is "grey"?

Never understood the power of anonymity...


What if you had a secret vote on whether to murder someone? Who would you blame?

You would charge the people who recorded the outcome of the vote and did the killing with murder, and you would charge everyone who participated in the vote while knowing one of the outcomes was illegal with conspiracy and failure to report.


This seems like it would only be a deterrent if these institutions are targets explicitly. If the attacks are random, this will not help at all.


Aren't ransomware attacks frequently undirected?


In the words of Munger, "Show me the incentives and I'll show you the outcome"



