The decision to pay a ransom to hackers falls on the organization that has become victim of an attack, but as ransomware attacks rise so have concerns and calls for a ban on payments to try to prevent them from occurring.
In a July 26 op-ed published in Tech Stream, Tara Wheeler and Ciaran Martin explore the possibility of banning companies from paying hackers ransoms. The ransomware model currently works in favor of the criminal, but will banning "payments outright reverse this imbalance of incentives?" the co-authors ask.
Six insights:
1. There are no incentives for criminals, who mostly reside in Russia, to hold back from orchestrating attacks, Ms. Wheeler and Mr. Martin wrote. President Joe Biden is working to address the lack of consequences for cybercriminals in nation states and recently asked Russian President Vladmir Putin to stop sheltering criminality.
2. Insurance models incentivize paying criminals instead of having strong security in place to prevent an attack, the co-authors wrote. The U.S. has tax incentives that favor paying ransoms; companies can "write off ransomware payments as 'ordinary, necessary and reasonable' expenses on their profit and loss statements like they're pencils or Friday lunches," they wrote.
3. There is not enough support for rapidly processing and helping critical infrastructure of companies when they are under attack. One example of this, the co-authors wrote, is the U.S. healthcare industry. When a U.S. hospital gets hacked and patient care is put at risk, few disagree that it's a national security issue. But the hospital's response is left up to its private-sector leaders.
"Their duty in this lonely, desperate situation is to get the hospital back online. It is not their job to consider the public-interest implications of payment," Ms. Wheeler and Mr. Martin wrote. "So they pay, and more ransomware inevitably follows. The problem is that there is no mechanism to consider the collective public interest."
4. Without addressing the incentive issues, a ban on ransomware payments "will do nothing," the co-authors wrote. Taking away small and medium-sized businesses' choice to pay ransoms is unequal in enforcement, as the system will negatively affect these sized companies, the co-authors claimed.
5. Even if ransomware payments were banned, it is also hard to enforce the law, the co-authors wrote, adding "What prosecutor would seek to imprison hospital executives or trucking companies for paying off criminals in order to save lives and transport food?"
6. Some potential solutions for decreasing ransomware attacks without banning payment include making it mandatory for businesses to report when paying a ransom; requiring greater transparency in cryptocurrency transactions; and promoting awareness of the help available from government authorities during an attack, the co-authors wrote.
Ms. Wheeler is a cyber project fellow at the Belfer Center for Science and International Affairs at Harvard University‘s Kennedy School of Government. Mr. Martin is a professor of practice in the management of public organizations at Oxford University and former CEO of the National Cyber Security Centre.