Should Ransomware Payments Be Made Illegal?
07/28/2023 :: Jeremy Pickett :: @jeremy_pickett
As ransomware paralyzes systems worldwide, is outlawing payments to attackers the ethical solution?
TL;DR: This post explores the debate over whether ransomware payments should be made illegal, as policymakers grapple with a surge in attacks that freeze critical systems until a ransom, often in cryptocurrency, is paid. It reviews the current US legal context, which permits ransom payments in general, and the cyber insurance policies that cover extortion. Some argue that banning payments would deter attacks; others contend that a ban leaves victims without options. High-profile cases reveal the tension between indirectly rewarding criminality and resuming business operations. The post concludes that the spike in ransomware has outpaced the policy response, forcing leaders to confront the ethical dilemmas of intervening against profitable schemes that exploit vulnerable victims, though solutions remain elusive.
Cybersecurity crises are intensifying, as ransomware attacks are on an alarming upward trend. These digital sieges immobilize vital computer systems and data, throwing businesses, hospitals, and infrastructure into chaos. When struck, victims grapple with a harsh dilemma - surrender to the demands of their faceless assailants, often through hard-to-trace cryptocurrencies, or stand their ground, potentially triggering crippling downtime. What's more distressing is that these decisions can directly affect lives. In light of these recurrent threats, should we consider criminalizing ransom payments? What impacts might this have on affected institutions and individuals, both immediately and in the long term? And what would be the implications for the fight against cybercrime?
As it stands, US law explicitly forbids the financing of terrorists or entities under sanctions but stops short of a universal prohibition on ransom payments. Specific jurisdictions have rules against paying ransoms in kidnapping cases, but these do not necessarily extend to the digital realm. As a risk mitigation measure, companies have the option of investing in cyber insurance policies. These products typically offer coverage for extortion but often come with strict limitations. However, one lingering question is whether a comprehensive ban on ransom payments to cybercriminals at a federal level is a viable solution. What might the effects of such a policy be, and how could it be effectively enforced?
The ransomware problem is mired in a complex web of ethical and legal conundrums. While paying ransoms may offer a quick fix, it fuels a dangerous cycle, effectively financing and encouraging future criminal activities. Conversely, not paying could have dire consequences, leaving the victims powerless and incurring potentially catastrophic losses. Are there alternative strategies we should consider to tackle this growing issue? Could enhancing cyber defenses or investing in digital literacy be more effective strategies in the long term? It's clear that we are far from definitive answers, but the stakes are too high for us to not seek them actively.
Examples of Ransom Payment Assisting:
In the healthcare industry, ransom payments have often been made to mitigate risks to patient safety. For instance, in 2017, the Hollywood Presbyterian Medical Center in Los Angeles chose to pay a $17,000 Bitcoin ransom to regain control of its computer systems. They justified this decision by emphasizing the urgent need to restore vital medical services, potentially saving lives.
Similarly, Travelex, a foreign exchange company, faced a ransomware attack on New Year’s Eve 2019. After weeks of attempting to recover their systems, they opted to pay a $2.3 million ransom to restore their services, which preserved their business operations and potentially protected the data of countless customers.
Advocates argue that outlawing payments would deter attacks by removing the profit incentive. Opponents note that a ban leaves victims struggling to recover. Ethically, organizations must weigh their obligations to aggrieved customers and shareholders against the risk of indirectly rewarding criminality. Many see the current options as lose-lose.
Examples of Ransom Payment Exacerbating Situations:
An example of ransom payment leading to more harm was seen in the Garmin ransomware attack in 2020. Garmin reportedly paid a multi-million dollar ransom via a third-party company to a group sanctioned by the US government, which raised ethical and legal questions and potentially invited further attacks.
In another case, the University of Utah in 2020 paid a ransom of over $450,000 to prevent sensitive student data from being released. Despite successfully preventing the data leak, the decision was criticized for incentivizing further attacks.
Notable cases reveal the nuances. Last year, top meat supplier JBS paid $11 million in cryptocurrency to resume operations after a week-long closure. Some lauded the decision for averting a food supply chain disruption, but the FBI said such payments encourage attackers. Entertainment giant HBO paid $250,000 in Bitcoin to prevent leaked "Game of Thrones" episodes from being released, yet faced criticism for signaling its vulnerabilities.
The recent spike in ransomware has outpaced the US policy response. Legislators have introduced bills prohibiting federal ransom payments. Extending such bans to private companies, however, requires a policy justification that goes beyond national security. Halting profitable schemes that exploit victims in vulnerable situations certainly warrants consideration on ethical grounds.