When It’s Worth Paying a Hacker’s Ransom

(Bloomberg Opinion) -- By the end of this week, we may know whether the unknown hacker who’s been holding the city of Baltimore’s computer systems hostage for the past month is prepared to carry out his threat to destroy all the data. He is demanding 13 bitcoins, or about $100,000, by June 7, although he has extended the deadline before.

Baltimore, whose systems have remained largely offline since early May, has made clear that it won’t pay a penny. The hacker has insisted that he’s serious. (He also seems given to racist rants, a habit that led recently to the suspension of what is apparently his Twitter account.) The city has estimated its losses at over $18 million, a sum that combines repair costs and lost revenue. The true figure may be much higher. Meanwhile, the hacker has released what appear to be documents downloaded from the city’s servers — including private medical information.

All of which leads to an interesting question: Should Baltimore have paid the ransom in the first place? Should other cities or governments? After all, Baltimore is not the first city to be hacked, and won’t be the last.

My answer, in which I take no pleasure: There’s certainly a case to be made.

Let’s go back a step. The hacker (let’s call him @robihkjn, his Twitter handle) apparently got into the city’s systems via a phishing email. Once inside, he encrypted Baltimore’s data (little of which was backed up) and generally wreaked havoc. In late May, the New York Times reported that @robihkjn used a hacking tool called Eternal Blue, developed by the National Security Agency, which in 2017 was posted online by the mysterious group known as the Shadow Brokers, which has been leaking NSA secrets since the summer of 2016.

But there are problems with this thesis. Although Eternal Blue has been used in previous ransomware attacks, experts reported this week that they found no trace of the code in the “pretty vanilla” program used in the Baltimore hack. The hacker himself has also denied using the NSA tool. Besides, a patch has long been available for the vulnerability in Microsoft Windows that Eternal Blue exploited. So even if the NSA tool had been used in the Baltimore hack, the losses would have been entirely preventable.

Moreover, like other cities, Baltimore has suffered crippling attacks before, and was warned about vulnerabilities. A report obtained by the Baltimore Sun warned that the city’s outdated equipment presented “a natural target for hackers and a path for more attacks in the system.” The report, written in late 2016 or early 2017, added presciently, “There is no way of estimating the financial loss that could occur in trying to counteract and clean up the resulting mess.”

In other words, the success that @robihkjn had infiltrating Baltimore’s systems resulted in part from the city’s own failures. I’m not excusing @robihkjn, who is clearly the wrongdoer here; the hacker, not the city, is to blame. Nevertheless, by listening to its own IT people, the city could have done much more to protect itself.

My point isn’t to single out Baltimore or to remind readers of the importance of updating their security software, although the importance can’t be overstated. I’m more interested in the politics of the problem. Is it really so clear that the right answer is never to pay ransom? I think not.

There’s a tendency to answer the question by sloganeering: Never negotiate with terrorists. Otherwise, so the reasoning goes, you will get more terror attacks. But while this argument makes sense for those who are likely to suffer repeated attacks, it’s not clear that those less likely to be regular targets should reason the same way.

Although the official position of the federal government remains that the ransomware target shouldn’t pay the hacker, businesses that have actually faced attacks are more realistic. Most companies seem to treat the attacks as nuisance rather than crisis. A 2016 study by IBM found that more than two-thirds of businesses paid the hackers to release their data, usually negotiating an amount in the five figures.

Baltimore has taken the we-won’t-negotiate position from the beginning, although the mayor recently said he now “might think about it.” And, as the economist Thomas Schelling pointed out more than 60 years ago in his classic paper “An Essay on Bargaining,” publicity itself can be a tactic. When a party “can arrange to be charged with appeasement for every small concession,” wrote Schelling, the counterparty may realize that compromise is “out of reach.” In theory this public hand-tying makes the counterparty more willing to step back and take less than the original demand.

But this approach works only when negotiations continue in private even as the target ties its hands in public. The fact that Baltimore has allowed the costs to mount is strong evidence that no back-channel discussions are taking place. Enduring $18 million in losses is not a rational negotiating tactic to reduce a demand of $100,000. Thus we will never know whether @robihkjn would have settled for less than his original price for releasing the city’s data.

I’m not suggesting that bargaining with blackmailers is a good thing. But it’s also not always a bad thing. Strident insistence that the target should never yield obscures the complexities of the real world. When we make slippery slope arguments — “If you give in, what will they do next?” — we ask the victim to bear the cost of protecting others. But the victim might reasonably decide that avoiding large losses at small cost is the wiser response. That’s why ransomware hackers don’t demand millions; at higher prices, fewer targets would negotiate.

In short, there’s a good argument that the city should have bargained with @robihkjn in the first place. No, I don’t want to encourage blackmail, and I don’t like this result any more than you do. But here’s another unpleasant truth about the real world: Sometimes the bad guys win.

According to the Federal Bureau of Investigation, the total amount of ransomware paid by U.S. businesses and individuals in 2018 was a mere $3.6 million. (See page 20 of this study.) But as the FBI itself notes, this suspiciously small figure does not include the probably large number of institutions that negotiated private deals with hackers and never filed an official report.

Sometimes the blackmailer benefits in the long term by refusing to reduce his demands in the face of the target’s intransigence. The failure to reach a deal with Baltimore might actually make @robihkjn better off — at least if he has other exploits ready to use against other governments or institutions. (We can assume that everyone will be patched against this one.) The next target will know that @robihkjn refused to step back from the brink in negotiating with Baltimore. Unless that new victim is willing to bear Baltimore-like costs, a quiet deal becomes more likely.

To contact the editor responsible for this story: Michael Newman at mnewman43@bloomberg.net

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Stephen L. Carter is a Bloomberg Opinion columnist. He is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall. His novels include “The Emperor of Ocean Park,” and his latest nonfiction book is “Invisible: The Forgotten Story of the Black Woman Lawyer Who Took Down America's Most Powerful Mobster.”

©2019 Bloomberg L.P.