Should Governments Ban Ransomware Payments?
According to The Economist, the recent wave of high-profile ransomware attacks on the likes of M&S and Jaguar Land Rover might have delivered one unexpected benefit: a lesson in humility.
These companies have been forced to confront the uncomfortable reality of just how vulnerable their systems were: IT outsourcing, lax vetting of contractors, and a failure to invest in robust cybersecurity have all created a climate in which ransomware gangs thrive.
Fixing a system with so many leaks is going to prove difficult, so maybe a political solution is required: governments could potentially ban ransomware payments.

The Ransomware Business Model
Paying a ransom is obviously the last resort of a company that failed to patch a server, but it is also the thing the criminal gangs rely on at the end of the day!
The Economist frames the issue this way: so long as it remains “strongly in an individual’s interest to pay off extortionists,” the cycle will continue. And so far, governments have effectively outsourced the moral dilemma to private companies. As long as it is legal to pay up, companies will suck it up and pay, given that the cost of rebuilding IT systems from scratch would be ruinous.
And the hackers, of course, know this!
A global ban on ransom payments would wipe that business model out in one fell swoop. If no one pays, the incentive to hack collapses.
But there is one MASSIVE political problem...
Consider the CEO of a major supermarket chain having to stand in front of the press and explain that all their data has been taken hostage, and they are legally bound, under a government ban, not to retrieve it - even at the cost of losing customer records, supplier data, payroll, logistics systems… maybe even stored card details.
This could be political suicide for any government that introduced such a law, as it would be seen as being at fault.
Forcing Disclosure: A Possible Middle Ground?
A middle ground might be for governments to force disclosure of ransomware attacks by companies and require public reporting of payments.
They could also take more preventative legislative action by enacting more stringent cyber hygiene requirements, punishing negligence with financial penalties, and creating pooled insurance schemes that refuse to reimburse ransom payments.
Tightening up disclosure alone could dramatically change behavior. If firms know they cannot sweep attacks under the carpet, they might finally start investing in cybersecurity like it is the 21st century, not the Windows 95 era.
And perhaps most importantly, they would be forced to collaborate, since secrecy is one of the hackers' best weapons. If victims don't talk, patterns go unnoticed and gangs get away with the same tricks over and over.
I thought I heard something about this, but it may have been just for government bodies. Some hospitals have had their systems infiltrated and that could be serious. Jaguar lost weeks of work when they got hacked, so it's not just about the cost of a ransom. Restoring systems and making them more secure is not trivial. This problem is not going away any time soon.
The ransomware attackers could maybe get around this by doing the virtual equivalent of sending the severed finger or ear of a kidnapped victim. Give the ransomware target a painful example of what non-compliance would entail.
Would be fine to try out for a year or two, I would say, to see how it would impact hacks/ransomware.