Great, now with the same logic the US Treasury Department should impose fines on parents who want to pay the ransom for their kidnapped children, because obviously (paying the ransom) benefits and promotes the illicit objectives of the kidnappers... Jesus Christ.
Anyone have any reasonable explanation for this? Wouldn't it be better to fine companies that don't have a security standard for their data?
edit: An example with apples:
Jhon is a guy who does not care about the security of his company and does not create backups, suddenly he receives a ransomware attack and all his data is now encrypted, he has no option but to pay the ransom or all his intellectual property will be unusable , so he pays, and since he paid the criminals, he also pays a fine for incentivizing ransomware ... At the end of the day nothing was fixed and the ransomware groups are happier than ever.
In a parallel universe we have an improved system, here it is regulated that all companies have either a backup of their information or a very robust system without back doors. Here Jhon also does not care about the security of his company, then it is discovered that Jhon does not have a backup copy and he is fined, Jhon pays and is forced to improve the security of his company, then he does it, then he receives an attack of ransomware, but Jhon refuses to pay because his company already has better security ... At the end of the day Jhon paid a fine, but the ransomware teams didn't get what they wanted, the problem was fixed here.
Not all companies have backups, but it's not possible to check this at scale. You can't verify everyone's software environment and verify that the DR plans actually work. Also some cases don't care about data loss - there are areas where you can repave everything and ignore the incident happened.
Where it's actually required, we already have checks like PCI-DSS, data retention laws, government policies, etc. and you'll be audited. But again - this is very selective to make it realistic. Can you imagine there's a government entity which can come to your independent company at any point and say "show us your recent backups, how you restore it, and validate it's complete"? There's no way anyone would agree to this, or fund it.
What we know is that backups are the lowest barrier and if you don't have them for data you're prepared to pay for, you are pretty much sponsoring the ransomware business.
>Oh yes, all companies have backups. I think you didn't understand the point.
I assume you're using sarcasm in the first part there, but that in turn it's you who aren't getting the point. All companies may not have backups, but all companies could have backups. And the industry as a whole could be taking far more measures to mitigate ransomware, it's not some impossible problem. As well as prevention measures, ransomware is quite detectable actively because it necessarily changes the entropy of stored data in extremely obvious ways that a watchdog could detect. Or there could just be automated systems that constantly sample backups and verify they're restorable. If companies don't do that and choose to externalize some of the costs onto society (by funding criminals who will go on to hurt others in this case) it's completely appropriate for government to step in and stop them. There are lots of situations where people and organizations are expected to exercise reasonable diligence or face the consequences.
In contrast, at least for now backing up humans is not in fact an option. People aren't being lazy or failing to make reasonable efforts by failing to back themselves or their dependents up because that just doesn't exist. It's not the "same logic" at all, and how you made the mental leap of equating perfectly reproducible digital data with children is a real question.
Jhon is a guy who does not care about the security of his company and does not create backups, suddenly he receives a ransomware attack and all his data is now encrypted, he has no option but to pay the ransom or all his intellectual property will be unusable , so he pays, and since he paid the criminals, he also pays a fine for incentivizing ransomware ... At the end of the day nothing was fixed and the ransomware groups are happier than ever.
In a parallel universe we have an improved system, here it is regulated that all companies have either a backup of their information or a very robust system without back doors. Here Jhon also does not care about the security of his company, then it is discovered that Jhon does not have a backup copy and he is fined, Jhon pays and is forced to improve the security of his company, then he does it, then he receives an attack of ransomware, but Jhon refuses to pay because his company already has better security ... At the end of the day Jhon paid a fine, but the ransomware teams didn't get what they wanted, the problem was fixed here.
The target of this isn't Jhon. It's Jhon's insurance company. His insurance will have requirements for him to have a backup plan instead of them being willing to maybe pay the ransom. And they can just not cover him if the backups don't work.
So, we should allow shitty companies without backups to fund criminal organizations without penalty?
I hope they start enforcing this stuff with an iron hand, actually. Suddenly the CFO would have to put "ransomware fines" on the budget with enough zeros to make the C-suite put "reliable backups" on the budget.
>the US Treasury Department should impose fines on parents who want to pay the ransom for their kidnapped children
Some countries does actually criminalize paying ransom for kidnapped children. The logic being that if society make it harder to pay ransoms (both via criminalization and strong currency controls at the bank), then less kidnappers will get paid, which leads to less kidnapped children (hopefully).
The vast majority of people in this thread probably disagree with such a law. I certainly do. But on the other hand I realize that if I had been born in one of these countries and lived there my whole life, I would probably be a fervent defender of such a law.
From my cursory reading of the topic, three is basically no precedent for jailing such ransom-paying parent, and securing a conviction with a jury is very unlikely
Yes, I should probably clarify: the point of such a law is to _discourage_ the behavior, but not to actually _punish_ the ransom payer, since no jury is going to vote on putting grieving parents in jail. So you end up deterring ransom payments without actually introducing negative externalities.
The Hacker News vocal minority gives off this vibe that they'd rather have something like the fda stop by at your office each week with an inspector who logs into the backup system and checks off boxes if your local tech union is complying with the regulations. I feel like I'm going to gag.
I believe paying ransoms for people already is illegal, at least in circumstances where the payment would be going to terrorist organizations. I'm under the impression this is the case in both the US and UK.
> with the same logic the US Treasury Department should impose fines on parents who want to pay the ransom for their kidnapped children, because obviously (paying the ransom) benefits and promotes the illicit objectives of the kidnappers
This is actually sound logic. If 90% of parents pay ransom, kidnappers will kidnap a hundred kids a year. 90 will come home whole, 10 will have their fingers, toes, eyeballs, and various other body parts mailed home one per week in plastic baggies, or whatever unpleasant fate awaits kidnap victims who can't come up with their ransom.
Then what happens if we make ransom illegal, and we have the police watching the bank accounts of kidnapped kids' families like hawks so usually even if parents try to flout the law, the police can successfully freeze a transfer before the funds get to the kidnappers? In that case kidnappers will kidnap three or four kids, most likely none of the parents will pay. Those kids will be horribly murdered, but then the kidnappers will decide it's not profitable and give up.
Horrible if you're the parent of one of the 3 kids, especially if you end up in jail for trying to save your child's life.
But from a standpoint of social policy, having 3 kids get horribly murdered and then no more is a way, way better outcome for society as a whole than having 10 kids a year get horribly murdered, plus 90 kids a year get kidnapped and their parents have to pay ransom.
The problem is the 3 kids that actually get murdered have names and faces and sad / angry / incarcerated parents. The 7 kids a year who were saved from coming home in baggies, and the 90 kids a year who were saved from being kidnapped but ransomed, and the 90 sets of parents who weren't impoverished paying a giant ransom when their kids were kidnapped? They're statistical and unknowable.
I suppose it's a variant of the trolley problem: Is it ethical to save a specific person whose name and face you know, if by doing so you're condemning to death many others, whose identities are currently completely unknown since they will be randomly chosen at a future date?
You could also make an argument in the other direction from individual rights. Society shouldn't sanction a person who's trying to save a family member being directly threatened with death, even if their actions indirectly cause the deaths of many others. The right to protect your family is important and should be protected.
I guess it depends on whether you have a utilitarian perspective (3 dead kids is better than 10 dead kids full stop) or a rights-based perspective (you always have a right to protect the life of a threatened family member full stop.)
> Then what happens if we make ransom illegal, and we have the police watching the bank accounts of kidnapped kids' families like hawks so usually even if parents try to flout the law, the police can successfully freeze a transfer before the funds get to the kidnappers?
Pretty obvious: the parents will not involve the police, say "no, Timmy is on a holiday with his uncle" when somebody asks where their son is, and do whatever they need to get their child back.
And it's not certain that fewer children would get kidnapped if returning them for profit wasn't an option. The kidnappers might just switch to human trafficking and sell the children into slavery. Since the hand-over and payment for that business is probably much lower risk than getting a ransom payment and returning a child, they might find that it's a much more efficient system and increase their kidnapping frequency.
> Anyone have any reasonable explanation for this? Wouldn't it be better to fine companies that don't have a security standard for their data?
Well, your second question is basically impossible to do, as "security standards" are a constantly evolving landscape and being compliant with whatever the latest certification will not necessarily prevent you from being hacked. Also, it is much more difficult and expensive and potentially unconstitutional to enforce such a law, whereas enforcing a law that requires companies not to transfer money to certain countries or organizations is comparatively easier. It's also easier tell which side of the bright line any given action is on.
The explanation for the law is obvious and you seem to know it from the previous paragraph so I'm not sure what the question is. Is it controversial? For sure. Is it without any logic? By your own admission, there is an argument to be made.
In my comment above I talked about applying security standards or backups, I see that forcing companies to have backups is more viable...
To better understand my point of view, read my example above and the comment of "luckylion ". Companies are simply not going to report because their intellectual property becomes more valuable than the ransom payment. This law does not mitigate anything, instead a backup regulation would mitigate the problem (because it would not be necessary to pay the ransom, if you need such explicit help to understand things).
Anyone with a modicum of sense will just ignore these laws and act in accordance with their best judgment. History is full of examples of bullshit regulations.
All the comments so far seem incredibly hostile to this idea so I will play devils advocate.
* Paying a ransom is literally facilitating a criminal enterprise which is already illegal in almost all other aspects in most of the world.
* In a ransomware attack there is no guaranteed assurance the criminal enterprise will restore the data once paid, because this an unreported expenditure to a criminal party.
* Legally compelling parties to cooperate with law enforcement provides addition investigative materials for future law enforcement investigations.
* The more frequently reported a crime becomes the more investigative attention it receives with increased investigative budget. Federal investigators aren’t compelled to take this problem seriously so long as it is drastically under reported.
* The Justice Department is compelled to criminalize ransomware payments as a consumer protection, because the loss of data ultimately hurts the impacted consumers most.
>* Paying a ransom is literally facilitating a criminal enterprise which is already illegal in almost all other aspects in most of the world.
giving your wallet when you're being robbed at the gun point falls into that category too. And if the robbery proceeds are used for buying drugs, how about charging you with drug financing?
The differentiator is immediacy of choice. Putting a gun to your head isn’t there for your benefit of choice. It’s there so that the criminal is liable for robbery instead of a capital crime, because they could more easily kill you and take the wallet off your body.
1. It's possible for the advantages of restoring data to outweigh the societal cost of facilitating a criminal enterprise. For example, a patient has died in a hospital due to a ransomware attack. Would you prioritise saving human lives over sending some Bitcoin to some malware writer?
2. While there's no guarantee, it is exceedingly demonstrated that if you pay the ransom, you will get your data back. Ransomware writers have a collective reputation to uphold (strange, huh), and a typical negotiation involves requesting decryption of a few files to prove this capability exists.
3. Parties can legally comply with law enforcement AND pay a ransom (see #1 and #2). When paid with bitcoin, it leaves a strong and permanent evidence trail, especially with Bitcoin de-mixing techniques discovered all the time.
4. The solution to your problem is mandatory and visible disclosure of security breaches, you do not need to criminalise paying ransoms to get here; nor does it achieve as much as a broad "obligation to disclose".
5. By criminalising ransomware payments, the Justice Department has already made hundreds of corporations criminals. We know this Justice Department is known for selective prosecution: it is entirely plausible, if not likely, for companies against the current political party (e.g. donations to other candidates) to receive enhanced scrutiny and criminal charges.
Point 5 is not "conspiracy theory": we know the Qwest CEO was arrested on selectively enforced "insider trading" charges because he refused to spy on his customers for the NSA.
True, but "potential deaths" leads you down some pretty weird rabbit holes.
Also, you have to answer the question what's the right timeline to optimize for then?
For example, centralizing power makes the federal government a more tempting target for authoritarians in the long term (next 100 years). Given the death statistics of previous authoritarian (from both internal violence and wars), you're probably looking at millions of deaths.
Centralizing power is also what makes the modern social safety net and regulatory regime possible. Are the thousands of lives saved by those systems every year worth a low chance at a much larger number of deaths? (rhetorical question, there probably isn't an objective answer to that)
> 1. It's possible for the advantages of restoring data to outweigh the societal cost of facilitating a criminal enterprise. For example, a patient has died in a hospital due to a ransomware attack. Would you prioritise saving human lives over sending some Bitcoin to some malware writer?
There's already overriding exceptions to all laws that allow you to do otherwise illegal in emergency circumstances. That's why we can say "You are not to vandalize someones house" without needing to add all the contrived ways that it could be done in a way to save someone (or yourself) etc.
The "loss of data" is the company's choice not to safeguard their data with proper backups and their systems with proper security. It's a false situation because it's giving-in to external locus-of-control logic that somehow it's an uncontrollable "accident" that happened to them with no blame of their own when the company failed to take their duties seriously.
I imagine you could say the same thing regardless of outcome. The mere fact they allowed themselves to be vulnerable to such exploitation is the larger concern.
If paying a ransom is literally facilitating a criminal enterprise is giving a mugger with a knife your wallet so he doesn't stab you also facilitating a criminal enterprise?
This is a really good example of both a prisoner's dilemma (more precisely a collective action problem), and a common way to try to overcome the suboptimal equilibrium that a prisoner's dilemma naturally ends up in.
Society as a whole will be better off if no one pays the ransom. If truly no one paid, ransom attacks would end. However, if you are attacked by a ransom attack, your best individual course of action is likely to pay; your paying or not (as an individual) isn't going to be the deciding factor in the ransom industry continuing, and the ransom is likely cheaper than the cost of not paying. The rational response as an individual is to pay.
You therefore end up with a suboptimal overall situation, even though everyone is making the rational choice.
One way to break out of the prisoner's dilemma is to place an outside cost on 'defecting' from the socially optimal choice; in this case, the government announces loudly that they will fine companies more than their losses if they pay. The idea is to shift the equilibrium to not paying a ransom being the logical choice, which will, in the long run, will put an end to ransoms.
Of course, it really sucks for the people caught by ransom attacks in the meantime, and requires consistent and predictable enforcement of the outside penalty.
however the single biggest area is when lower it companies choose to skimp and get pwned.. paying 50k is better than filing chapter 13 even if the govt charges you another 25k pound of flesh.
>the government announces loudly that they will fine companies more than their losses if they pay.
No, they do it to enforce sanctions, not to break out of the prisoner's dilemma. Criminals not connected with sanctioned subjects will happily continue their ransom attacks, now that the government has crippled their most capable rivals.
A prisoner’s dilemma doesn’t require actual prisoners; it was the first example of this type of problem, which is why the name is used for all sorts of problems with the same characteristics; namely, that there is some optimal outcome for everyone that could be reached if everyone chose a particular decision, but their is always an individual incentive to ‘defect’ and choose the other option.
Yes I'm aware of that definition, and I still think it is a legitimate example of tragedy of the commons.
The commons here is an abstract one: it's the lack of incentive within a society to perform a kidnapping, which is a shared benefit/resource.
The family of the victim who decides to pay the ransom is taking from this commons (by decreasing the lack of incentive), making everyone worse off in expectation, in order to benefit only themselves and the specific victim they're trying to help.
In the 80s Italy had a problem with kidnappings. An ingredient of the solution was freezing the assets of the relatives of kidnapping victims. The strategy worked.
In France, it’s illegal to pay ransoms too. So somebody impersonated a Minister, video-called a bunch of rich people saying somebody was kidnapped and asked them to pay the ransom since the government couldn’t.
They bilked a bunch of rich people out of 55 mln EUR:
In practice, no one renounces their child or their intellectual property or important information (looking from the skin of companies), no matter how much you impose a thousand fines, only when the fines exceed the value of the person or information seized, you could be renounced to this, for example: to be fined a million dollars if you rescue your son.
But this is a stupid solution... Instead of punishing yourself for something that isn't your fault (or something you overlooked like not creating a backup, or, in the case of children, not taking good care of your son), well this problem can be prevented and the irresponsible punished BEFORE the tragedy happens. I propose that companies that do not have a backup of their information be fined, or in the case of companies (financial, social networks that do not want the information to be disclosed), regulate the security of their company or otherwise be fined. With this, he punishes himself BEFORE the tragedy and not AFTER.
If the fines come AFTER, the ransomware is not mitigated, the hijackers get what they want.
> One way to break out of the prisoner's dilemma is to place an outside cost on 'defecting' from the socially optimal choice;
There might exist additional effective measures:
1. requiring by law that companies, hospitals and so on, do effective backups; controlling that this actually does happen and handing stiff fines to companies that do not.
2. the government acting as an insurance for damages in companies which fall prey to ransomware, covering their losses completely if they provide proof that they did not pay.
Also, there is an additional problem with ransom payments: As you cannot prove who is the recipient, how can you refute the suspicion that the company is not victim to ransomware but one of the company's owners is extracting profits without paying taxes? I mean, if you work as a cashier in a supermarket, you cannot tell your boss that somehow the money in the cash register got lost or that it was taken away by an armed robber which is not visible on any security video picture.
The counter-measure would be to put full regular taxes on profits on any kind of proclaimed ransom payment.
That's how it All works! And everyone goes along with it.
Idiots, which is a Greek word for people who do not understand or follow polotics. All Greeks knew what was going on more due to them paying attention and understanding that polotics is involved in everything g you and others do.
Today, your just all dump has a block of ice! True idiots today, who like to think of people back then as stupid!
Basically it will be an issue if a company wants to pay ransom and keep it secret. Which is really reasonable and probably if authorities won't be able to help you and last option will be paying it is not going to be a problem.
"OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."
If you're a small business just put your data in the cloud dude. For example if you use online email services then a robot will put your data on a tape cassette and a guy will load it on a truck and drive it to a mountain made of iron for free. Ryuk can't ransom that.
Why not just legalize the ransom payments? In a world where the IC was directed to fuck ransomware authors up, the money could be clawed back in most cases, or even fronted by the taxpayers as bait for CNE:
67 comments
[ 4.5 ms ] story [ 159 ms ] threadAnyone have any reasonable explanation for this? Wouldn't it be better to fine companies that don't have a security standard for their data?
edit: An example with apples:
Jhon is a guy who does not care about the security of his company and does not create backups, suddenly he receives a ransomware attack and all his data is now encrypted, he has no option but to pay the ransom or all his intellectual property will be unusable , so he pays, and since he paid the criminals, he also pays a fine for incentivizing ransomware ... At the end of the day nothing was fixed and the ransomware groups are happier than ever.
In a parallel universe we have an improved system, here it is regulated that all companies have either a backup of their information or a very robust system without back doors. Here Jhon also does not care about the security of his company, then it is discovered that Jhon does not have a backup copy and he is fined, Jhon pays and is forced to improve the security of his company, then he does it, then he receives an attack of ransomware, but Jhon refuses to pay because his company already has better security ... At the end of the day Jhon paid a fine, but the ransomware teams didn't get what they wanted, the problem was fixed here.
Where it's actually required, we already have checks like PCI-DSS, data retention laws, government policies, etc. and you'll be audited. But again - this is very selective to make it realistic. Can you imagine there's a government entity which can come to your independent company at any point and say "show us your recent backups, how you restore it, and validate it's complete"? There's no way anyone would agree to this, or fund it.
What we know is that backups are the lowest barrier and if you don't have them for data you're prepared to pay for, you are pretty much sponsoring the ransomware business.
I assume you're using sarcasm in the first part there, but that in turn it's you who aren't getting the point. All companies may not have backups, but all companies could have backups. And the industry as a whole could be taking far more measures to mitigate ransomware, it's not some impossible problem. As well as prevention measures, ransomware is quite detectable actively because it necessarily changes the entropy of stored data in extremely obvious ways that a watchdog could detect. Or there could just be automated systems that constantly sample backups and verify they're restorable. If companies don't do that and choose to externalize some of the costs onto society (by funding criminals who will go on to hurt others in this case) it's completely appropriate for government to step in and stop them. There are lots of situations where people and organizations are expected to exercise reasonable diligence or face the consequences.
In contrast, at least for now backing up humans is not in fact an option. People aren't being lazy or failing to make reasonable efforts by failing to back themselves or their dependents up because that just doesn't exist. It's not the "same logic" at all, and how you made the mental leap of equating perfectly reproducible digital data with children is a real question.
Jhon is a guy who does not care about the security of his company and does not create backups, suddenly he receives a ransomware attack and all his data is now encrypted, he has no option but to pay the ransom or all his intellectual property will be unusable , so he pays, and since he paid the criminals, he also pays a fine for incentivizing ransomware ... At the end of the day nothing was fixed and the ransomware groups are happier than ever.
In a parallel universe we have an improved system, here it is regulated that all companies have either a backup of their information or a very robust system without back doors. Here Jhon also does not care about the security of his company, then it is discovered that Jhon does not have a backup copy and he is fined, Jhon pays and is forced to improve the security of his company, then he does it, then he receives an attack of ransomware, but Jhon refuses to pay because his company already has better security ... At the end of the day Jhon paid a fine, but the ransomware teams didn't get what they wanted, the problem was fixed here.
I hope they start enforcing this stuff with an iron hand, actually. Suddenly the CFO would have to put "ransomware fines" on the budget with enough zeros to make the C-suite put "reliable backups" on the budget.
Some countries does actually criminalize paying ransom for kidnapped children. The logic being that if society make it harder to pay ransoms (both via criminalization and strong currency controls at the bank), then less kidnappers will get paid, which leads to less kidnapped children (hopefully).
The vast majority of people in this thread probably disagree with such a law. I certainly do. But on the other hand I realize that if I had been born in one of these countries and lived there my whole life, I would probably be a fervent defender of such a law.
This is actually sound logic. If 90% of parents pay ransom, kidnappers will kidnap a hundred kids a year. 90 will come home whole, 10 will have their fingers, toes, eyeballs, and various other body parts mailed home one per week in plastic baggies, or whatever unpleasant fate awaits kidnap victims who can't come up with their ransom.
Then what happens if we make ransom illegal, and we have the police watching the bank accounts of kidnapped kids' families like hawks so usually even if parents try to flout the law, the police can successfully freeze a transfer before the funds get to the kidnappers? In that case kidnappers will kidnap three or four kids, most likely none of the parents will pay. Those kids will be horribly murdered, but then the kidnappers will decide it's not profitable and give up.
Horrible if you're the parent of one of the 3 kids, especially if you end up in jail for trying to save your child's life.
But from a standpoint of social policy, having 3 kids get horribly murdered and then no more is a way, way better outcome for society as a whole than having 10 kids a year get horribly murdered, plus 90 kids a year get kidnapped and their parents have to pay ransom.
The problem is the 3 kids that actually get murdered have names and faces and sad / angry / incarcerated parents. The 7 kids a year who were saved from coming home in baggies, and the 90 kids a year who were saved from being kidnapped but ransomed, and the 90 sets of parents who weren't impoverished paying a giant ransom when their kids were kidnapped? They're statistical and unknowable.
I suppose it's a variant of the trolley problem: Is it ethical to save a specific person whose name and face you know, if by doing so you're condemning to death many others, whose identities are currently completely unknown since they will be randomly chosen at a future date?
You could also make an argument in the other direction from individual rights. Society shouldn't sanction a person who's trying to save a family member being directly threatened with death, even if their actions indirectly cause the deaths of many others. The right to protect your family is important and should be protected.
I guess it depends on whether you have a utilitarian perspective (3 dead kids is better than 10 dead kids full stop) or a rights-based perspective (you always have a right to protect the life of a threatened family member full stop.)
Pretty obvious: the parents will not involve the police, say "no, Timmy is on a holiday with his uncle" when somebody asks where their son is, and do whatever they need to get their child back.
And it's not certain that fewer children would get kidnapped if returning them for profit wasn't an option. The kidnappers might just switch to human trafficking and sell the children into slavery. Since the hand-over and payment for that business is probably much lower risk than getting a ransom payment and returning a child, they might find that it's a much more efficient system and increase their kidnapping frequency.
It is not a problem that parents care about their children and will sop on national tv.
I will stop here because comments like yours make me rationally angry.
Well, your second question is basically impossible to do, as "security standards" are a constantly evolving landscape and being compliant with whatever the latest certification will not necessarily prevent you from being hacked. Also, it is much more difficult and expensive and potentially unconstitutional to enforce such a law, whereas enforcing a law that requires companies not to transfer money to certain countries or organizations is comparatively easier. It's also easier tell which side of the bright line any given action is on.
The explanation for the law is obvious and you seem to know it from the previous paragraph so I'm not sure what the question is. Is it controversial? For sure. Is it without any logic? By your own admission, there is an argument to be made.
To better understand my point of view, read my example above and the comment of "luckylion ". Companies are simply not going to report because their intellectual property becomes more valuable than the ransom payment. This law does not mitigate anything, instead a backup regulation would mitigate the problem (because it would not be necessary to pay the ransom, if you need such explicit help to understand things).
Odd to me that it doesn't make the news cycle.
The logic is simple:
If fed caused loss, then get paid
It could be the most esoteric or even antiquated status quo regulation, just go argue it
* Paying a ransom is literally facilitating a criminal enterprise which is already illegal in almost all other aspects in most of the world.
* In a ransomware attack there is no guaranteed assurance the criminal enterprise will restore the data once paid, because this an unreported expenditure to a criminal party.
* Legally compelling parties to cooperate with law enforcement provides addition investigative materials for future law enforcement investigations.
* The more frequently reported a crime becomes the more investigative attention it receives with increased investigative budget. Federal investigators aren’t compelled to take this problem seriously so long as it is drastically under reported.
* The Justice Department is compelled to criminalize ransomware payments as a consumer protection, because the loss of data ultimately hurts the impacted consumers most.
giving your wallet when you're being robbed at the gun point falls into that category too. And if the robbery proceeds are used for buying drugs, how about charging you with drug financing?
2. While there's no guarantee, it is exceedingly demonstrated that if you pay the ransom, you will get your data back. Ransomware writers have a collective reputation to uphold (strange, huh), and a typical negotiation involves requesting decryption of a few files to prove this capability exists.
3. Parties can legally comply with law enforcement AND pay a ransom (see #1 and #2). When paid with bitcoin, it leaves a strong and permanent evidence trail, especially with Bitcoin de-mixing techniques discovered all the time.
4. The solution to your problem is mandatory and visible disclosure of security breaches, you do not need to criminalise paying ransoms to get here; nor does it achieve as much as a broad "obligation to disclose".
5. By criminalising ransomware payments, the Justice Department has already made hundreds of corporations criminals. We know this Justice Department is known for selective prosecution: it is entirely plausible, if not likely, for companies against the current political party (e.g. donations to other candidates) to receive enhanced scrutiny and criminal charges.
Point 5 is not "conspiracy theory": we know the Qwest CEO was arrested on selectively enforced "insider trading" charges because he refused to spy on his customers for the NSA.
What if you end up incentivizing the deaths of many more patients as a result?
Also, you have to answer the question what's the right timeline to optimize for then?
For example, centralizing power makes the federal government a more tempting target for authoritarians in the long term (next 100 years). Given the death statistics of previous authoritarian (from both internal violence and wars), you're probably looking at millions of deaths.
Centralizing power is also what makes the modern social safety net and regulatory regime possible. Are the thousands of lives saved by those systems every year worth a low chance at a much larger number of deaths? (rhetorical question, there probably isn't an objective answer to that)
There's already overriding exceptions to all laws that allow you to do otherwise illegal in emergency circumstances. That's why we can say "You are not to vandalize someones house" without needing to add all the contrived ways that it could be done in a way to save someone (or yourself) etc.
Society as a whole will be better off if no one pays the ransom. If truly no one paid, ransom attacks would end. However, if you are attacked by a ransom attack, your best individual course of action is likely to pay; your paying or not (as an individual) isn't going to be the deciding factor in the ransom industry continuing, and the ransom is likely cheaper than the cost of not paying. The rational response as an individual is to pay.
You therefore end up with a suboptimal overall situation, even though everyone is making the rational choice.
One way to break out of the prisoner's dilemma is to place an outside cost on 'defecting' from the socially optimal choice; in this case, the government announces loudly that they will fine companies more than their losses if they pay. The idea is to shift the equilibrium to not paying a ransom being the logical choice, which will, in the long run, will put an end to ransoms.
Of course, it really sucks for the people caught by ransom attacks in the meantime, and requires consistent and predictable enforcement of the outside penalty.
however the single biggest area is when lower it companies choose to skimp and get pwned.. paying 50k is better than filing chapter 13 even if the govt charges you another 25k pound of flesh.
No, they do it to enforce sanctions, not to break out of the prisoner's dilemma. Criminals not connected with sanctioned subjects will happily continue their ransom attacks, now that the government has crippled their most capable rivals.
It is a collective action problem, which is really a type of prisoner's dilemma.
https://en.wikipedia.org/wiki/Collective_action_problem
https://en.wikipedia.org/wiki/Tragedy_of_the_commons
A tragedy of the commons is ALSO a collective action problem, but is not the same kind as what we are seeing here.
The commons here is an abstract one: it's the lack of incentive within a society to perform a kidnapping, which is a shared benefit/resource.
The family of the victim who decides to pay the ransom is taking from this commons (by decreasing the lack of incentive), making everyone worse off in expectation, in order to benefit only themselves and the specific victim they're trying to help.
They bilked a bunch of rich people out of 55 mln EUR:
https://www.bbc.com/news/world-europe-51842898
https://www.washingtonpost.com/world/how-scammers-used-a-sil...
But this is a stupid solution... Instead of punishing yourself for something that isn't your fault (or something you overlooked like not creating a backup, or, in the case of children, not taking good care of your son), well this problem can be prevented and the irresponsible punished BEFORE the tragedy happens. I propose that companies that do not have a backup of their information be fined, or in the case of companies (financial, social networks that do not want the information to be disclosed), regulate the security of their company or otherwise be fined. With this, he punishes himself BEFORE the tragedy and not AFTER.
If the fines come AFTER, the ransomware is not mitigated, the hijackers get what they want.
There might exist additional effective measures:
1. requiring by law that companies, hospitals and so on, do effective backups; controlling that this actually does happen and handing stiff fines to companies that do not.
2. the government acting as an insurance for damages in companies which fall prey to ransomware, covering their losses completely if they provide proof that they did not pay.
Also, there is an additional problem with ransom payments: As you cannot prove who is the recipient, how can you refute the suspicion that the company is not victim to ransomware but one of the company's owners is extracting profits without paying taxes? I mean, if you work as a cashier in a supermarket, you cannot tell your boss that somehow the money in the cash register got lost or that it was taken away by an armed robber which is not visible on any security video picture.
The counter-measure would be to put full regular taxes on profits on any kind of proclaimed ransom payment.
Lol.
Talk about problem, reaction, solution!
That's how it All works! And everyone goes along with it.
Idiots, which is a Greek word for people who do not understand or follow polotics. All Greeks knew what was going on more due to them paying attention and understanding that polotics is involved in everything g you and others do.
Today, your just all dump has a block of ice! True idiots today, who like to think of people back then as stupid!
Oh, the irony!
"OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus."
Fully-automated deployment
Never pay
... ransomware becomes moot
For small companies, what we really need is built in ways of doing daily versioning in the popular NAS solution they use.
Backups do nothing against contemporary ransomware attacks where the MO is to publish stolen information if the company doesn’t pay up.
If you’re a hospital or say a school district “never pay” is simply an unconscionable attitude.
https://news.ycombinator.com/item?id=20971785
Heck, foreign APTs probably already masquerade as ransomware profiteers.
Isn't that also equally "enabling criminals"?