Paying Off Ransomware Criminals Shouldn’t Be Illegal
(Bloomberg Opinion) -- Lots of companies have lately been victimized by ransomware hackers — cybercriminals who infiltrate and encrypt IT systems, then demand money to unlock them. In addition to the much-publicized attack on Colonial Pipeline, recent victims have included one of the biggest U.S. meat packers and the Irish health care system. Cyber pirates might have derailed my family’s annual Martha’s Vineyard vacation by targeting the Steamship Authority — which controls ferry service to the Island — and blocking access its reservation systems.
In response to the growing threat, more and more observers have become attracted to the theory that the best way to stop ransomware attacks is to make paying the ransom illegal. Biden administration officials have suggested that the notion has merit.
May I suggest, politely, that this is a terrible idea.
Extortion is always and everywhere wrong. But that doesn’t mean it’s never rational to give in. Even the most upstanding citizen might yield to a threat sufficiently severe. To try to alter this by legislation is to outlaw human nature.
Consider a simple example. Suppose a state legislature, sick and tired of the number of people being robbed on the street, decides to make it a crime to give money to a mugger. The legislation might well reduce the supply of muggings, but only by imposing the cost of this public good — fewer robberies — on the victims. Yet handing my wallet to the mugger who is pointing a gun at my head is completely rational. Punishing me to lower the crime rate is a peculiar way for a free nation to behave.
But maybe agreeing to a ransomware demand is less rational than it seems. Even for those who pay, the chances of full data recovery are slim. An April 2021 report from Sophos places the likelihood of getting all the data back at 8%. (On average, the amount of data recovered was 65%.) To take the most prominent current example, after Colonial Pipeline forked over $4.4 million in Bitcoins to the hackers at DarkSide, the decryption tool the company received in return proved so ineffective that the company wound up rebuilding its network from scratch.
Still, businesses keep trying. The Sophos report estimates that 32% of targeted organizations pay up in the end. And the cost is rising. Between 2019 and 2020, the average ransomware payout nearly tripled, from $115,123 to $312,493, according to a February report from Palo Alto Networks.
Hijacking computer networks has become big business. And the threat is going to get worse. The rise of cloud computing has created fresh vulnerabilities. And consider cryptocurrency itself. An analysis published in November 2020 found that the growing appeal of smart contracts run though the blockchain might make ransomware attacks more feasible — and nearly impossible to defeat.
Another bad proposal is banning cryptocurrencies, the form of payment favored by digital extortionists everywhere. Once more, we’re going after a crime by punishing the victim. To continue the previous metaphor, to fight ransomware by banning Bitcoin and Ethereum would be a bit like saying “Okay, we won’t make it illegal for you to give your wallet to a mugger, but you’re forbidden to carry cash. Unless you pay the mugger with something authorities can trace, there will be more muggings.”
There are better solutions. Improved training, for instance. Unlike the way hacking is portrayed in the movies, most ransomware attacks don’t occur because some clever coder breached the firewall from a remote location. They arise because an employee with sufficiently high-level access clicks on a malicious attachment or uses an unsafe password.
Or we might require all companies above a certain size to carry insurance against ransomware attacks. The companies will then be subject to the requirements of the insurers, who will have an incentive to work out the optimal balance of risk and cost.
In the long run, however, the answer lies in cyberspace. Firms vary greatly in how thoroughly they’ve hardened their systems against attack. Many have moved toward Zero Trust Architecture, a standard which President Biden last month ordered all federal agencies to meet. (Well, this is the federal government, so technically Biden ordered that all agencies develop plans.) One may think of Zero Trust policies as securing the many doors and windows through which digital attackers slip, at the cost of inconveniencing legitimate users, who might be required repeatedly to prove their identities.
In the end, though, closing more doors won’t be enough. Future battles will be fought within the attacked systems, defended by algorithms that learn to distinguish the characteristics of ransomware from those of more benign internal operations. A defensive program might, for example, patrol for the rapid locking or encrypting of large numbers of files, an action that rarely has a good reason. Given the evolution of software, there will likely come a time in the not-too-distant future when such machine learning software is priced about the same as strong antivirus programs.
Meanwhile, though, we’re where we are, with regulators racing to outdo each other with hasty, poorly thought-out proposals. Let’s just agree on this much: Whatever we decide to do, let’s not turn victims into criminals.
The average will pop a bit next year once the $4.4 million ponied up by the Colonial Pipeline is accounted for, even though more than half has been recovered.
Punishing companies that pay hackers who have been sanctioned by the federal government is another bad idea.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Stephen L. Carter is a Bloomberg Opinion columnist. He is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall. His novels include “The Emperor of Ocean Park,” and his latest nonfiction book is “Invisible: The Forgotten Story of the Black Woman Lawyer Who Took Down America's Most Powerful Mobster.”
©2021 Bloomberg L.P.