Note: This article is part of the Cyber Law and Policy article series, authored by Uduak Ekott.
“[I]f we ban ransom payments, now you are putting U.S. companies in a position to face yet another extortion…, but it is our position that banning ransom payments is not the road to go down.” – Bryan Vorndran, Assistant Director of the FBI’s Cyber Division.
Introduction
In May 2021, Colonial Pipeline, which operates one of the largest fuel pipeline systems in the United States, was the victim of a ransomware attack. The attack, attributed to the ransomware gang DarkSide, led the company to halt pipeline operations, triggering panic buying and fuel shortages across much of the Southeast. The attackers demanded a ransom of roughly $5 million. Colonial Pipeline’s CEO, Joseph Blount, faced with the dilemma of paying or refusing to pay, later explained that the company paid 75 bitcoins (approximately $4.4 million at the time) because it was not certain of the extent of the breach or how long it would take to recover its systems. Hospitals and other critical infrastructure operators confronting a ransomware attack face the same desperate choice: pay in the hope of bringing services back online quickly, or refuse and absorb a potentially long outage.
The Federal Bureau of Investigation (FBI) defines ransomware “as a type of malicious software that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.” Ransomware can cause substantial disruption to operations, as in the Colonial Pipeline case, and the loss of critical information. It remains arguably the most prominent cyber risk facing organizations today. When faced with a ransomware attack, companies and C-suite executives must weigh complex trade-offs. On the one hand, paying may shorten recovery time. On the other hand, there is no guarantee that the attackers will restore access or refrain from leaking stolen data once they are paid, and even when a decryptor is supplied it may be slow, buggy, or incomplete, so restoration from backups is often still required.
Professors at the University of Minnesota School of Public Health estimate that ransomware attacks on hospitals killed between 42 and 67 Medicare patients from 2016 to 2021. According to Statista, global ransomware attacks surged by over 50% in the last two quarters of 2022, rising from over 102 million to nearly 155 million recorded cases. This growth has prompted regulators to look for strategies to address the problem. According to Sophos, a leading cybersecurity firm, 46% of organizations whose data was encrypted in a ransomware attack paid the ransom. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that ransom payments to sanctioned persons or jurisdictions may violate U.S. sanctions law, and the White House is considering a broader ban on ransom payments. North Carolina and Florida have paved the way for the states by outright prohibiting state and local government entities from paying ransoms. But would a total ban on ransomware payments be a solution? This article explores the merits of government bans on ransomware payments and examines alternative approaches that can complement existing frameworks.
The case for government bans on ransomware payments
Government bans on ransom payments have both benefits and drawbacks. Banning payments frustrates attackers and removes the financial incentive behind most attacks. If criminal actors cannot profit, ransomware attacks could decrease significantly and possibly cease. Brett Callow, a threat analyst with Emsisoft, argues that “for as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands.” However, cybersecurity practitioners such as Steven Ramirez, CISO of the City of Reno, and Aaron Weismann, CISO at Main Line Health in Radnor, Pennsylvania, argue that banning ransom payments will only cause attackers to change their methods.
Prohibiting ransomware payments can also have significant economic effects and deter people from engaging in ransomware and other cyber-attacks. When prospective perpetrators know they will not be paid, they have far less reason to invest in an attack. Legislators such as Pennsylvania State Sen. Kristin Phillips-Hill argue that if attackers know a state has outlawed ransom payments, they will be less likely to target that state’s entities, sparing the state the economic losses that follow a ransomware attack. However, a ban may be seen as punishing the victim of a crime: an organization already suffering the effects of the attack would now face legal sanctions for trying to resolve the situation expeditiously.
Proponents of regulating ransomware payments argue that a ban on paying criminal actors would push companies to invest more in robust cybersecurity measures, such as establishing internal best practices, maintaining tested offline backups, and running regular training programs for personnel, in order to prevent and mitigate cybersecurity threats and the national security risks they carry.
By expressly banning companies from paying ransoms, regulators also cut off a revenue stream that funds terrorism and other illegal activity associated with these groups. Ransom proceeds are reinvested in the criminal enterprise, encouraging the perpetrators to mount larger attacks and to re-extort the same victims. Prohibiting ransom payments therefore starves the ransomware business, and the other criminal activities it finances, of the money that fuels their growth.
The case against the government ban on ransomware payments
Critics of a ban argue that outlawing ransomware payments may inadvertently criminalize business owners: faced with the loss of their livelihoods, many would choose to pay anyway, and the ban would turn them into criminals. While companies are often perceived as potential wrongdoers in consumer-related matters, ransomware attacks cast them in a different light, as victims of sophisticated cybercrime struggling to protect their operations and customers from potentially devastating consequences. A ban complicates their position further by forcing them to choose between breaking the law and risking the entire business. Amy Hogan-Burney, associate general counsel for cybersecurity policy and protection at Microsoft, believes that banning ransomware payments would unfairly penalize victims, and notes that critical infrastructure operators such as hospitals may still feel compelled to pay in order to keep operating.
Likewise, critics argue that prohibiting ransom payments may make it harder for businesses, and for companies operating critical infrastructure in particular, to resume operations quickly. The Colonial Pipeline case is often cited, since the company resumed operations within days after paying. Even there, the benefit was partial: the decryption tool DarkSide supplied was reportedly so slow that Colonial relied largely on its own backups to restore service. Still, recovery may take longer when payment is off the table, and for organizations providing essential services, such as hospitals and schools, a prolonged outage can threaten both the economy and public safety.
A prohibition on ransom payments can also make it harder to track cybercriminals, because the payments themselves sometimes lead investigators to the perpetrators. Ransomware actors often demand Bitcoin, mistakenly believing it to be untraceable. Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, so investigators can follow funds from the ransom address through subsequent transactions until they reach an exchange or other service that can identify the account holder, or until the funds sit in an address whose key can be seized. In the Colonial Pipeline case, the FBI followed the payment on the blockchain and the Justice Department seized 63.7 of the 75 bitcoins paid after obtaining the private key for the address holding them. DarkSide’s operations were also disrupted, albeit temporarily. Ransom payments may thus give law enforcement a trail to follow.
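As an added illustration (not part of the original article, and not how the FBI actually performed the Colonial Pipeline recovery), the following Python sketch follows a ransom payment across a constructed, hypothetical transaction graph. It assumes a complete index of transactions and a hypothetical attribution list mapping a few addresses to an exchange that could identify its customer; the transaction IDs, addresses and amounts are invented. Real investigations add address-clustering heuristics and must contend with mixers and chain-hopping, which this breadth-first walk does not handle.

```python
from collections import defaultdict, deque

# Constructed sample ledger: NOT real Bitcoin transactions or addresses.
# Amounts are in satoshis (1 BTC = 100_000_000 sat) to avoid float rounding.
BTC = 100_000_000
SAMPLE_TXS = [
    # victim pays the demand to the address from the ransom note
    {"txid": "t1", "in": ["victim_wallet"], "out": [("ransom_addr", 75 * BTC)]},
    # the gang splits proceeds between an affiliate and the core operators
    {"txid": "t2", "in": ["ransom_addr"],
     "out": [("affiliate", 637 * BTC // 10), ("operator", 113 * BTC // 10)]},
    # the affiliate starts a "peel chain": a slice to an exchange, the rest onward
    {"txid": "t3", "in": ["affiliate"],
     "out": [("peel_1", 60 * BTC), ("exch_hot_1", 37 * BTC // 10)]},
    {"txid": "t4", "in": ["peel_1"],
     "out": [("peel_2", 55 * BTC), ("exch_hot_1", 5 * BTC)]},
    # unrelated activity that the trace must not pick up
    {"txid": "t5", "in": ["unrelated"], "out": [("someone_else", 1 * BTC)]},
]

# Hypothetical attribution data: addresses known (e.g. from an exchange's
# cooperation) to belong to a service that can identify its customer.
KNOWN_SERVICE_ADDRS = {"exch_hot_1": "ExchangeA (hypothetical)"}


def spends_by_address(txs):
    """Index: address -> list of (txid, output address, satoshis) it later funds."""
    index = defaultdict(list)
    for tx in txs:
        for src in tx["in"]:
            for dst, sat in tx["out"]:
                index[src].append((tx["txid"], dst, sat))
    return index


def trace_payment(txs, start, services, max_hops=8):
    """Breadth-first walk of outgoing spends from `start`.

    Stops at known service addresses (a subpoena target) and records
    addresses where funds are still sitting (seizable if the key is obtained).
    """
    index = spends_by_address(txs)
    queue = deque([(start, 0)])
    seen = {start}
    hops = []
    cashouts = defaultdict(int)
    dormant = set()
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for txid, dst, sat in index.get(addr, []):
            hops.append({"hop": depth + 1, "txid": txid,
                         "from": addr, "to": dst, "sat": sat})
            if dst in services:
                cashouts[services[dst]] += sat  # reached an identifiable service
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, depth + 1))
                if dst not in index:
                    dormant.add(dst)  # never spent: funds still parked here
    return {"hops": hops, "cashouts": dict(cashouts), "dormant": sorted(dormant)}


def incoming(hops, addr):
    """Total satoshis the trace saw flowing into `addr`."""
    return sum(h["sat"] for h in hops if h["to"] == addr)


if __name__ == "__main__":
    result = trace_payment(SAMPLE_TXS, "ransom_addr", KNOWN_SERVICE_ADDRS)
    for h in result["hops"]:
        print(f"hop {h['hop']}: {h['txid']} {h['from']} -> {h['to']} ({h['sat'] / BTC} BTC)")
    print("cashouts:", result["cashouts"])
    print("dormant balances:",
          {a: incoming(result["hops"], a) / BTC for a in result["dormant"]})
```

Run from the ransom address, the walk reports 8.7 BTC deposited at the hypothetical exchange (two peel-chain slices) and 66.3 BTC still parked in two unspent addresses, which together account for the full 75 BTC paid; the unrelated transaction t5 never appears. The dormant addresses are the analogue of the address from which the Colonial funds were seized.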
Prohibiting ransom payments and attaching penalties or fines may also increase demand for cyber insurance and push premiums up, especially for companies operating in higher-risk sectors. Because a ban raises the potential financial loss from an attack (a longer outage plus possible penalties), companies will seek broader coverage, and insurers will respond with expanded policies at higher prices.
Prohibiting ransom payments may further be construed as undue government interference in business autonomy, although the government has a legitimate and compelling interest in protecting critical infrastructure that bears on public safety, national security, and economic security. Small businesses may be disproportionately affected, as they are least able to afford adequate cybersecurity measures. Enforcement is also difficult: a ban may drive incidents underground, since a company that intends to pay, or that has already paid, has every reason not to disclose the attack.
The debate over the ban on ransomware payments is complex and requires a balance of interests and tradeoffs. Relying solely on regulations such as a ban may not be the most effective approach to curtail the hydra-headed problem of ransomware. It is, therefore, crucial to examine multifaceted strategies that may be adopted to serve both as a deterrent to cyber-attacks and help achieve better outcomes in the fight against the burgeoning ransomware industry.
Alternative approaches to government ban on ransomware payments
Anthony Hogg, Senior Cyber Threat Intelligence Analyst at SecAlliance, proposes that law enforcement keep up aggressive action against the infrastructure used to conduct attacks and against the illicit funding flows behind them, limiting the groups’ operational capacity. Governments can also encourage industry-wide collaboration and sector-specific cybersecurity alliances to share best practices, threat intelligence, and incident response strategies. Joint government and private sector efforts can help organizations develop effective countermeasures against ransomware.
Instead of a government prohibition on ransom payments, alternative strategies such as greater cybersecurity awareness and the adoption of effective security practices can complement existing frameworks and provide a more comprehensive approach to combating ransomware. The government is better placed to act proactively: encouraging companies to improve cybersecurity hygiene, expanding education on best practices that prevent attacks, and offering incentives to victims willing to disclose information. Investment in comprehensive cybersecurity education and awareness programs would empower organizations to prevent and mitigate ransomware attacks effectively. Resources such as the U.S. Government’s #StopRansomware Guide can be publicized widely so that organizations are aware of baseline defensive practices.
Promoting international cooperation through diplomatic efforts and bilateral agreements can also help combat ransomware. International pressure should be intensified on countries that harbor ransomware groups. Collaborative initiatives that improve intelligence gathering and sharing, coordinate law enforcement action, and establish global norms will help deter cybercriminals. In the same vein, governments can offer victims incentives to disclose information that helps identify and track perpetrators, for example through anonymous reporting channels and immunity from legal repercussions for victims who cooperate with authorities. The enactment of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is one such step: once the Cybersecurity and Infrastructure Security Agency’s (CISA) implementing rule takes effect, covered entities must report covered cyber incidents within 72 hours and ransom payments within 24 hours, improving CISA’s ability to respond to and mitigate attacks.
Governments can also offer tax credits and deductions to organizations that invest in robust cybersecurity measures, encouraging widespread adoption of best practices and fostering a more secure digital ecosystem. Cyber insurance can provide a financial safety net for organizations hit by ransomware, though insurers have been criticized for effectively funding ransom payments; policies that condition coverage on security baselines such as tested offline backups, multi-factor authentication, and timely patching reduce both losses and the incentive to pay. A common theme among these recommendations is shifting the government’s focus toward proactive and collaborative efforts rather than punitive measures.
Conclusion
While a government prohibition on ransomware payments has merits, addressing corporate ransom payments requires a multifaceted approach that goes beyond traditional regulatory frameworks. By combining legal measures with enhanced education, industry collaboration, cyber insurance frameworks, international cooperation, and incentives for disclosure, companies can better protect themselves against ransomware, national security will be strengthened, and critical infrastructure will be better protected. As the ransomware threat landscape continues to evolve, staying proactive and adaptable is crucial to safeguarding organizations’ digital operations, especially those of critical infrastructure.