The way to stop companies from getting attacked by ransomware is simple: outlaw ransom payments

By Josh Barro

This time it's JBS, the Brazil-based meatpacking concern that produces nearly a quarter of the beef in the US. Before that, it was Colonial Pipeline. And before that, it was countless mid-size firms, hospital systems, and local government agencies. Foreign hackers keep encrypting the systems of US organizations, and demanding payment in exchange for decryption keys and promises not to publish stolen data.

And in many cases, the organizations are paying up in an attempt to resolve the problem quickly, which in turn encourages ever more ransomware attacks.

To tackle this issue, the US needs cybersecurity improvements in the public and private sectors to defend against these attacks. But that's a daunting challenge and our solutions will always be imperfect. We also have a non-technological response that is available and easier to implement: Stop organizations that operate in the US from making ransom payments. If hackers know that US entities can't or won't pay ransoms, that will make them much less attractive targets.

Ransomware is a collective action problem

If your company has been attacked, you might have good reason to pay a ransom. Paying the ransom may allow you to get your business back online faster than if you tried to rebuild your systems without hackers' assistance. Time is money, and a faster restoration means fewer angry customers and less apparent, immediate effect on the US economy from the attack on you. Paying is the easy way out, and easy choices are supposed to be the first preference of businesses and governments. There is a logic to paying.

But ransom payments also create negative externalities. Ransom payments finance the groups that commit these attacks, and they encourage them to make more attacks. When you pay a ransom, it hurts everybody else, by making future attacks more likely.

Activities that cause negative externalities — like companies pouring pollutants into rivers — call for government regulations. So the government should stop companies from pouring ransom payments into ransomware organizations.

The government already discourages victims from paying cyber ransoms. It even offers mealy-mouthed guidance noting that paying (or facilitating payment of) such ransoms may be illegal if the entity receiving the ransom is sanctioned. But this isn't enough. The government needs to set a clear, blanket policy: paying a ransom is illegal, and you will be punished if you do it.

We can prevent ransom payments

Restricting the behavior of crime victims is not always a feasible way to fight crime. A law prohibiting people from handing their wallets to muggers might discourage mugging, but it would be impossible to enforce well, and it would expose mugging victims to an unacceptable level of personal risk.

But the structure of ransomware attacks, which usually places perpetrators well out of the US government's reach, lends itself well to restricting victim behavior.

Ransomware victims need to be fairly large to be worth attacking. You need an organization with a reasonably complex computer system and the financial ability to pay a significant ransom. These organizations have many employees. They are regulated by existing agencies, such as the Securities and Exchange Commission. In some cases, they are government agencies.

Ransomware attacks are also noticeable. They knock computer systems offline, causing serious disruptions to operations — that's why people pay the ransom. And even when organizations pay ransoms, it typically takes days to return computer operations to normal.

So even when ransomware victims don't seek help from the government, ransomware attacks may not be easy to hide. That provides an opportunity for regulators to ask questions — so hey, that huge IT problem, was that ransomware? Did you pay a ransom? Did you suddenly start buying bitcoin and transferring it to strange wallets?

Organizations will have good reason to believe they can't pay an illegal ransom quietly and get away with it. And the government can make clear that ransom payers will get punished — civil fines, SEC actions, criminal liability, whatever it takes.

The government just needs to dial those punishments up high enough that paying the ransom starts to look more painful than not paying it. And we can offer whistleblower payments to encourage people to snitch when organizations they work for — or organizations that are their clients — pay ransoms.

We can probably stop crypto-denominated ransom payments without prohibiting cryptocurrency

If you follow me on Twitter, you know I am not a fan of cryptocurrency.

I think hard-to-trace financial transactions are undesirable, because they are mostly useful to criminals. Ransomware is a prime example: Bank wires would produce a paper trail that could lead to hackers' identification and arrest, and can also be reversed. It's impractical to send a $5 million cash ransom to eastern Europe. But crypto makes the ransomware business model possible by enabling the flows of huge, illegal, untraceable payments across international boundaries. That's bad.

(The usual pro-crypto response I hear to this is, "har har, you don't like untraceable money, so do you think cash is bad too?" Well let me tell you: Yes, I also think cash is bad. Crypto takes the existing problems with cash and makes them worse, because cash at least is bulky. Cash also is an extremely longstanding feature of our financial system and there are a number of reasons it can't practically be abolished, at least not yet. But I do think we should consider ceasing production of $50 and $100 bills in order to reduce the usefulness of cash to criminals.)

All that said, while I hate crypto, I understand how (sigh) popular it is, and we probably don't need to get rid of it to fix the specific problem we're discussing here. Because the ultimate source of ransoms is not criminal organizations or distressed high-net-worth individuals but reasonably complex legitimate organizations that have many existing touchpoints with the government, it should be possible to stop ransom payments by telling those organizations they are not to generate and send ransom payments.

We can watch and see if they're moving their legitimate traceable cash into cryptocurrency, even if we don't see where it's going.

Paying ransoms is shameful

I believe the government can and should stop ransoms by explicitly penalizing those who pay them. But there is a role for society, too: We need more of a sense of solidarity that says helping cybercriminals is bad, and that paying ransom to them is wrong, even when that serves the narrow interest of your organization.

Colonial Pipeline CEO Joseph Blount says he paid a $4.4 million ransom because it was in the best interests of the country, since it helped get the pipeline back online. Of course, the next CEO facing an attack can and will say the same thing — my organization is essential, so it's necessary to pay the hackers off this time. This is nonsense. Blount paid the ransom because it was in the best interest of Colonial Pipeline, which would reap most of the financial benefits of a faster restart, while the negative effects of encouraging future attacks would be shared broadly across the whole of America.

This was a selfish choice, not a patriotic one. So where is the social sanction that is supposed to come with a selfish choice like this? Blount should be ashamed to show his face at the country club. His friends should be refusing to get dinner with him. But in America, we no longer impose expectations of solidarity or patriotism.

The lack of social norms around business transactions is causing a number of problems in efforts to protect the US from foreign threats. The Chinese government decides what sort of films American movie studios can make and what political views NBA staff can express. And consumers in the US don't give a crap, so American firms just do what makes them the most money, which is to say they prioritize Chinese government cultural priorities and not American cultural priorities. It's not terribly different from paying cyber ransoms.

The government can make paying ransoms more financial and legal trouble than it's worth. But only we can make it social death to sell out America in related contexts that do not easily lend themselves to criminalization.