This article makes the point that law enforcement agencies take the stance that paying a ransom further encourages this behavior from hackers.
In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?
"Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."
Interestingly, this is pretty much the split we've seen regarding terrorist hostage-taking in North Africa. While European governments have generally paid ransoms for the return of their citizens, the US Government steadfastly refuses to pay.
In early years, this generally led to better outcomes for European citizens, but as time wore on, it's come to a point where the terrorists actively avoid kidnapping Americans and prefer Europeans. Assuming these types of hacks are explicitly targeted, I imagine we'd see a similar dynamic play out.
I’ve traveled a lot in the Sahara and an old expression amongst the expats was “The French send troops, the Germans send money and the British send regrets”.
Pretty sure I heard on a NYT podcast that proxies are used for US citizens who are kidnapped. Specifically, a high-profile US citizen kidnapped by ISIS and they were returned via payment via a proxy.
Wealthy private citizens will pay, but the government says it will not. In the case of a private citizen paying a ransom for another you run into money laundering laws and trade restrictions.
This doesn't work in practice; companies that aren't allowed to pay those ransoms usually use proxies (some other company that doesn't have to follow those restrictions) that will pay the hackers.
There are ways to prevent the "bags of money" from happening. The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes. Large institutions hire expensive lawyers to ensure their ongoing compliance with FCPA, because the penalties for failing to prevent your organization from paying bribes are extensive. You can't completely eliminate a practice through law, but you can come close, and FCPA has done more for this problem globally than nearly any other measure enacted by a government.
> The Foreign Corrupt Practices Act (FCPA) comprehensively prohibits even using the most obscure arrangements to pay bribes
You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.
The people who enforce the FCPA must be understaffed or undermotivated or underfunded because I've worked for several companies that regularly paid bribes as part of doing business.
One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis. Almost every time the crews tried to return to the United States, the Mexican border personnel would seize their very expensive gear. The only way to get it back was to pay a bribe.
This was so common that everyone was told to just mark it down on their expense reports as "Airport tax." I only found out about it when I started asking why I kept seeing "Airport tax" on expense reports for trips I knew were done in cars.
Your example would be a _very_ far stretch for FCPA.
The law is about bribes for "obtaining or retaining business". It's one thing if you were paying a bribe to say, a local minister to get exclusive access to some sort of scene...
But low-level crooks pretty much sticking you up and you try to buy your stuff back from them under the guise of "government business" is not the kind of thing FCPA is about. It's for concerted attempts to pay off foreign officials to strengthen your business.
Which surely still happen, but not in the manner you're describing. FCPA violations wouldn't be the sort of thing that "everyone" is told about.
IIRC the kind of phrasing used is “external security consultants”.
“We didn’t hand duffel bags of money to the perpetrator group’s courier, we hired a professional external individual security consultant to handle the situation”
News from a few months ago: You just had your servers hacked into and all your database are belong to them. The black hats demand X number of BitCoins as ransom, but you cannot pay because it violates certain laws. So you hire an intermediary who pays for you, thereby avoiding the legal problem.
By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limit your options to respond to future circumstance.
I heard of this as a kid, something along the lines of 'when walking down a street make an effort to look forward, through people (and not at them)'.
Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless).
Pass the law to 1) forbid public entities from paying ransom; 2) require stringent, timely (less than 24 hours) public reporting of incidents; 3) require stringent public reporting on root cause analysis/resolution/future remediation.
If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.
Money laundering has the benefit of Federal law working to help the State laws. I think in an environment where there are 50 different legal regimes it's inevitable people will develop workarounds. You see legal arbitrage in every instance where legal differences exist between states. From corporate law to family law. I don't know why this would be any different.
If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.
But it would remove public institutions from the target list. Also, in the case of private institutions, if it were a criminal offense to use such a proxy, an investigator could discover this. The threat of prison for any officer of a corporation who arranged such a payment would be a powerful deterrent.
Not that it undermines your overall point, but it might prove to disincentivize attacking smaller companies that aren't in as strong a position to use proxies -- which I would still count as a win.
But at least it's difficult and illegal. It makes them less of a target for hackers since they're less likely to pay and it places liability on anyone who tries to work around the law.
Banning ransom payments won't magically fix the underlying vulnerabilities that allow these gangs to deploy their ransomware.
If ransoms weren't being paid, criminals would find other ways to monetize the data. "Honest" ransomware is actually good for the public in the sense that should the ransom be paid, the data is indeed destroyed by the gang. Make ransoms impossible and they will start selling the data or monetizing it in other ways (identity theft, card fraud, etc), at the expense of the public.
Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).
> Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).
There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them. Improved security isn't going to fix the problem, but we can make it less profitable and make that profit more difficult. If our policy is to pay we're just making it highly profitable with very little effort on the part of the attackers. If we refuse to pay, they will have to pore over our data looking for what may or may not be valuable to anyone, spend time searching for those people who might pay them for it, and then spend time convincing them to pay enough to justify their time/efforts.
We should be refusing to pay and making sure we've got backups of our own stuff so that we'll never have to.
> There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them
Their business model relies on them being honest. If they don't follow through on their promise of destroying the data they'll kill the ransomware market entirely. So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
> Their business model relies on them being honest.
Truthful at least, "honest" isn't a word I'd use for these types.
> So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
The point is that you wouldn't. They can't publish the data or publicize its sale, but (if they were willing to invest the time) they could still sell it privately, or use it themselves to further attack/exploit you without you ever being able to trace anything back to them directly. They could wait months or years if they wanted and still find value in it (bait for use in spear-phishing for example).
And say they do make it illegal for state entities to pay ransoms... then what? What is going to happen when a ransom attack does happen? They contact the FBI... great... now what? How do they get their data back? What obligation does the FBI have to track down the gang and get the data back? What's the timeline?
See... the issue I see with making it illegal for state entities to pay ransoms is that you tie the hands of the victim without any guarantees that law enforcement will help, and help in a timely manner. I see this as a lose-lose situation.
The point is that there's no incentive for hackers to target state entities.
Hackers can target state entities for other reasons, but no rational hacker would do it for the ransom, since there won't be any ransom paid.
The FBI can simply say "We'll never catch the hackers, but if you pay them you'll go to jail". It accomplishes the same goal of reducing the reward for hacking to zero.
It seems this law is intended to benefit those with the most resources to implement the best security, leaving smaller businesses to pretty much pound sand.
We have arrived at why "a pretty basic backup" is no longer feasible for...any business. A hard sell for a four person business with no dedicated IT team.
Sure, but to a general at HQ, 1 dead soldier is better than 10. The policy is devastating to that 1 soldier (and family), but that's not enough reason to adopt an opposing policy that would save the 1 but kill the 10.
Similarly, I can appreciate the logic in making American companies less likely to be targeted by ransom hackers, even if it means some companies are hit harder in the short term.
You've made the implicit assumption that it is acceptable and desirable for the government to sacrifice some companies to save some others. I'm not so sure that's the government's business, and it sounds a lot like a taking to me. Perhaps it is acceptable in the era of Kelo.
OK, fair, although even with the example public goods listed in that Wikipedia page their provision in reality still does end up supporting certain companies and harming others - e.g. if I'm in the business of selling air purifiers, government efforts to reduce air pollution are going to negatively impact my sales.
I totally agree that government policy can shape the market, and my issue is not at all with that happening as a by-product of public goods, but only when it is a direct and deliberate action.
Got it. I think where I lost you was in your use of "picking companies out" - I didn't realize that you meant only intentionally as opposed to incidentally.
Right, today the logic is: If the risk-adjusted cost of a ransom is less than the cost of implementing proper backups, then it makes sense to just not do backups. If paying ransom was illegal, maybe they'd actually invest in those backups.
>because they care about their data and/or the privacy of their data.
>Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
You only have the criminal's word to stand on when they claim to delete data. It's far too easy to simply hang on to the troves of collected data and wait for a rainy day.
The point is that ransomware is only written because hackers can get high payouts. If the penalty for paying a ransom is higher than the costs of not paying the ransom (and losing the associated data), then no one pays the ransom, and if no one pays the ransom, no one makes ransomware (or at least no one targets institutions who can't pay ransoms).
I believe this is discussed in Schelling's book "Strategy of Conflict", which I've never read but has been much discussed online[1]. Indeed the article I've linked specifically mentions this case.
It's a public institution. It's not "their" data. It's their shareholders' data -- the public.
Whether or not trusting the judgement of administrators over the judgement of law enforcement is the best way to handle these situations is an open question.
I'm not sure I trust public university administrators to do much beyond stimulate the local construction economy and wider investment banking industry.
The problem with that scenario is that it's probably the same public legislatures that have failed to fund adequate information security for these public institutions. If such a law was paired with appropriate funding then sure, go ahead. If not then what you'll get is more public institutions getting hacked and officially prevented from paying the ransom to get files back.
Consider fake ransomware that doesn't decrypt even after payment is made.
Would it be moral/societally good to write and distribute this software? If it became prevalent enough, it would damage the ransomware model as people would be much less likely to pay if they thought there was a significant chance of payment not fixing their issue.
"Sorry, we are not authorized to pay you any ransom". I think that's a much harder pill for the victim to swallow than the hacker, especially if they otherwise would pay, because they need to get the data back.
One thing that might work is if white hat hackers outnumber the black hat hackers and create ransomware that doesn't have a decrypt option. At a certain point, people will stop paying the ransom.
Another option is: forbid bitcoin and other cryptocurrencies.
And then the “committee” meets and they take a majority decision to pay with a secret vote, and another committee makes the actual payment (by majority).
Who do you prosecute?
Would you close the University, causing huge harm to the students and researchers?
What you're describing is conspiracy to commit embezzlement; everyone who participated in that conspiracy gets a tenured position at Folsom. And why would you close the university? Are you seriously claiming that everyone in management is determined to do everything possible to hand money to criminals?
Really? In a secret vote? Who is to blame? Are you sure people are really at their best when their positions are in play and they can hide behind a committee and the solution is "grey"?
What if you had a secret vote on whether to murder someone? Who would you blame?
You would charge the people who recorded the outcome of the vote and did the killing with murder, and you would charge everyone who participated in the vote while knowing one of the outcomes was illegal with conspiracy and failure to report.