In recent memory, ransomware has gone from major nuisance to international crisis. Criminal gangs that break into computers, encrypt their contents, and demand a ransom in exchange for a decryptor tool have struck critical infrastructure around the world. They have disrupted Ireland’s entire healthcare system, shut down hundreds of food retailers in Sweden, and interrupted fuel delivery to the U.S. Eastern Seaboard, among countless other examples.
At the heart of the ransomware phenomenon is a misalignment of economic and policy incentives that allows criminals to operate successfully and with impunity. But as ransomware has proliferated, the burden of addressing it has most often fallen on its victims: businesses facing difficult decisions about whether or not to pay ransoms to regain access to critical systems and data. And as victims have paid up in order to limit the damage, there are now growing calls for businesses to be banned from paying ransoms.
But these calls to ban ransom payments outright fail to capture what is an enormously complicated policy issue. As it stands, the ransomware model favors the criminal, but will banning ransom payments outright reverse this imbalance of incentives? We hail from different countries and different cybersecurity backgrounds; one of us is mostly experienced in the private sector and the other in government. One begins from a presumption in favor of a ban, the other against one. Here, we examine the vexing issue of whether or not to ban ransom payments and wider ideas about how to disrupt the flow of money to the criminals and use our differing perspectives to offer some solutions.
Understanding the ransomware landscape
To be clear, the payment of ransoms is an extremely serious problem that perpetuates ransomware, and no sane person is in favor of it. So let’s assume that critics of a ban are acting in good faith: Many would accept and even support a ban if they thought it would work. But arriving at sensible public policy outcomes requires examining the incentives and obstacles to making such a ban effective. If the G7’s tough words on tackling the money in ransomware are to mean anything, it’s the sort of issue those countries could look at together, aiming for the sort of financial squeeze on cyber criminals that terrorist groups faced after 9/11.
So, what are those incentives and obstacles?
First, there are currently no incentives for the mostly Russian-harbored criminals to act with restraint. Even the most malign state has to moderate its hostile activity in cyberspace for fear of the consequences. This is one of the reasons why nation-state cyber attacks that threaten the safety of civilians have been very rare. But the criminals behind the ransomware crisis appear to work under no such constraints and face few consequences, for now at least. In his recent summit meeting with Russian President Vladimir Putin in Geneva, President Biden sought to change that by pushing his counterpart to stop sheltering criminality. Similar work to encourage states to stop harboring cyber criminals is underway at the United Nations. These are welcome and necessary efforts, but there is no guarantee of success, and early elimination of the problem appears unlikely.
Second, the Western companies who make the software and hardware exploited by ransomware gangs lack the commercial incentives necessary to properly prioritize security in the design of their products. The costs of a breach are not borne by the manufacturers of software, and they therefore have little incentive to prioritize security in development. This is a broad problem in cybersecurity, but it is made acute by ransomware, which provides an easy financial incentive for criminal hackers to attack poorly-built software. In too many cases the insurance model incentivizes paying criminals instead of having good security in place beforehand. Companies are not even obliged to report payment of ransoms to criminal gangs, and in the United States at least, there are even tax incentives that favor the payment of ransoms—but not for better security.
Then there are the corporate micro-incentives that favor the payment of ransoms. When, for example, Colonial Pipeline (the operator of the pipeline that delivers a major portion of the Eastern Seaboard’s fuel, and which was recently shut down by a ransomware attack) made a $4.4 million ransom payment, many were surprised to learn that the payment would be tax-deductible. Right now, U.S. companies can simply write off ransom payments as “ordinary, necessary, and reasonable” expenses on their profit and loss statements, as if they were pencils or Friday lunches. That is a pass-through loss to U.S. taxpayers, and when companies can use insurance coverage to fund the ransom and also deduct the remaining expenses, paying makes good business sense.
Third, and perhaps most important, the individual, often private-sector responsibility for responding to ransomware is entirely misaligned with the collective public harm caused by ransomware. American healthcare is surely the best example of this. When Russian-harbored criminals hack an American hospital and put patient care at risk, few disagree that this is a national security issue. But the entire response, including whether to pay the ransom, is in the hands of the hospital’s private-sector leadership. Their duty in this lonely, desperate situation is to get the hospital back online. It is not their job to consider the public-interest implications of payment. So they pay, and more ransomware inevitably follows. The problem is that there is no mechanism to consider the collective public interest. Nor is there adequate support in a crisis: in the United States at least, there is no capacity to rapidly triage and assist critical infrastructure companies when they need help and ask for it. Many don’t even know where to report their attacks. (In the United States, attacks can be reported to the FBI or to CISA; in the United Kingdom, to the NCSC.)
It is this misalignment of legitimate private and public interest which, in our view, lies at the heart of the tortured debate about the legality of ransom payments.
Unless these incentive problems are addressed, a ban will do nothing. Ransomware victims include small and medium businesses large enough to have something worth stealing but small enough to not have world-class infosec talent on staff. Taking away their ability to pay without wider reform of the incentives simply won’t stick—and it’s cruelly unequal in enforcement. We will end up with a system that, relatively speaking, more severely punishes small and medium businesses. Even if ransomware payments were banned, it is difficult to imagine such a law being enforced: What prosecutor would seek to imprison hospital executives or trucking companies for paying off criminals in order to save lives and transport food?
When someone is in a desperate situation, banning their only way out of that situation doesn’t stop them from using it; it only makes the cost of doing so higher and the victim more vulnerable. Banning unauthorized migration doesn’t stop migration. It just guarantees that the only service providers available to those desperate people can victimize them with impunity. If banning economic behavior that is required for survival worked, there would be no drug trade or black market for human organs.
Exploring policy solutions
For these reasons, a hurried, sweeping ban on ransom payments would certainly be counterproductive. But that is a reason to tackle the underlying obstacles to a ban, not to dismiss one out of hand. Governments should look at ransomware in the round and conduct serious policy reviews of the options.
This includes useful things that can be done short of a ban while the case for one is reviewed. One obvious reform while ransom payments remain legal is mandatory reporting of them. Currently, there are only open source initiatives to gather data on the extent of the problem. (The best-known is https://ransomwhe.re.) Anecdotally, we are aware of some payments, such as when JBS Meats paid $11 million, Colonial Pipeline paid $4.4 million, and a small hair salon in England with four employees paid about $2,000 to its attackers. There are anecdotal examples of everything in between. But we lack systematic data, because victims don’t have to tell.
A second potential reform is to consider mandating greater transparency in cryptocurrency transactions, like the Treasury Department’s recent proposal that cryptocurrency transactions in excess of $10,000 be reported to the IRS. Cryptocurrencies play a major role in enabling ransomware, and this sort of regulation, along with know-your-customer rules, could help at the margins.
A third is promoting awareness of the help available from government authorities and improving that support. If governments are going to ban desperate people from paying then there must be proper support to businesses for incident response and advice in handling attacks. There may even be a case for financial support to affected businesses who don’t pay. During Northern Ireland’s years of civil conflict, for example, insurers stopped insuring shops against bombings of commercial premises. So the government stepped in and set up a scheme to cover losses instead. That’s unusual, but an emergency situation requires unusual measures—and there can be no doubt that ransomware constitutes an emergency.
A fourth is making sure victims understand the limited utility of paying. There is now abundant evidence, including from Colonial Pipeline, that the decryption tools supplied by attackers are often slow or ineffective. Backups, whilst imperfect, can help retrieve data, and plenty of threats to leak sensitive data never materialize. When a network of London schools run by the Harris Federation charity was hit this year, the doors of some of the schools couldn’t open, administrators couldn’t pay the schools’ bills, and the attackers threatened a data dump. The ransom demanded was $4 million, an “insane” amount in the words of the schools’ chief executive. Advised by an Israeli response firm, they focused on recovery, ignored the ransom demand, and recovered at a cost of less than $1 million. There is no evidence any data has ever been leaked. Nor have fears about the publication of Irish health data following the government’s resolute refusal to pay off those who attacked the country’s health system led to any such disclosures.
All this would make for a much better discussion between government, corporate leadership, and the insurance industry. Too often (though not always) the answer calculated by an insurance risk model is that paying the ransom is the most effective way out of the crisis. The Harris case is one of several examples where this is demonstrably untrue. The narrative of existential threat to organizations is one that suits the attackers; those assisting victims should not promote it unless they’re sure of the evidence.
The cold reality is that some ransomware attacks pose a potentially fatal risk to a business, and some do not. Opponents of a ransom ban often cite a threat-to-life situation or a scenario in which a company might go out of business. But these overlook the mundane reality that many decisions to pay are business decisions that are the most convenient option. When the meat giant JBS paid $11 million to REvil, the company’s systems were fully operational and no data had been exfiltrated, but they chose to pay to prevent “potential” harm—as far from an existential threat as possible. Such all-too-common scenarios are legitimate areas for policymakers to seek to counter. Attacks on critical public services cause inconvenience, but have only rarely involved direct threats to life. That said, the disruption has become sufficiently serious for ransomware to be regarded correctly as a national security threat.
And this brings us back to the greatest misalignment of all: between public harm and private response. To the Briton or Irish person, the idea that the response to a cyber attack on healthcare would be dealt with by anyone other than the national government appears absurd (both countries suffered major attacks in 2017 and 2021 respectively, with the response led by the government). By contrast, in the Colonial Pipeline case, the decisions to switch off the pipeline and pay the ransom were taken at the corporate level.
Hospitals, private companies, and other nongovernmental organizations are not capable of fighting these kinds of attacks on their own but are incentivized at every turn to act alone according to the dictates of the free market or whatever brand management firm they’ve hired. This is no way to run a national-security strategy. And make no mistake, permitting other countries to harbor computer criminals who are attacking civilians across borders is a national security choice—if a truly terrible one.
If a ban on ransom payments is to be a credible part of a strategy to stop the flow of money to such criminals, then surely an essential precondition is more effective state intervention in the response to attacks, reflecting the gravity of the problem as a national security threat. Whether or not payments are banned, a more activist approach is needed anyway, even if it means legislating for more interventionist levers over privately-owned critical infrastructure.
Some may choose to see this as unwarranted state interference in private commerce: the nationalization of cybersecurity risk, if you will. On the contrary, we believe a coordinated country level response would rectify the glaring deficiency in our current reality: the near-total privatization of national security risk.
Tarah Wheeler is a contributing editor to TechStream, a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University’s Kennedy School of Government, an International Security Fellow at New America leading a new international cybersecurity capacity building project with the Hewlett Foundation’s Cyber Initiative, and a US/UK Fulbright Scholar in Cyber Security for the 2020/2021 year.
Ciaran Martin is a professor of practice in the management of public organizations at Oxford University and the former Chief Executive of the National Cyber Security Centre.