In the case of state or public institutions like this, would it be advisable for legislatures to make it illegal for state entities to pay ransoms, and then very publicly announce these laws? I.e. can/should we make credible, public commitments in advance to not pay ransom, or to remove that choice from the organization-level administrators? Would this make these organizations less appealing targets?
"Sorry, we are not authorized to pay you any ransom due to SB-XYZ. If you can get several hundred thousand signatures from CA residents to petition for a referendum to overturn this law, we may be able to pay you a ransom after ... well not the upcoming election but maybe the one after that."
In early years, this generally led to better outcomes for European citizens, but as time wore on, it's come to a point where the terrorists actively avoid kidnapping Americans and prefer Europeans. Assuming the these types of hacks are explicitly targeted, I imagine we'd see a similar dynamic play out.
Source: https://www.nytimes.com/2014/07/30/world/africa/ransoming-ci...
- https://en.wikipedia.org/wiki/Operation_Barkhane
- https://en.wikipedia.org/wiki/Operation_Serval
- https://en.wikipedia.org/wiki/Op%C3%A9ration_Licorne
- https://en.wikipedia.org/wiki/Operation_Sangaris
- https://en.wikipedia.org/wiki/Operation_%C3%89pervier
And these are just _some_ of the terrestrial missions, to say nothing of air operations.
France's Army is small, but it does most of Europe's fighting, and is generally regarded as accomplishing a lot with very little.
----
Edit: You might appreciate this mini-documentary about operation Serval. It's in English.
You can have all the laws you want in words on paper, but if they're not enforced, for all practical purposes, they don't exist.
The people who enforce the FCPA must be understaffed or undermotivated or underfunded because I've worked for several companies that regularly paid bribes as part of doing business.
One example: I worked for a large media company that would send TV crews to cover stories in Mexico on a fairly regular basis. Almost every time the crews tried to return to the United States, the Mexican border personnel would seize their very expensive gear. The only way to get it back was to pay a bribe.
This was so common that everyone was told to just mark it down on their expense reports as "Airport tax." I only found out about it when I started asking why I kept seeing "Airport tax" on expense reports for trips I knew were done in cars.
The law is about bribes for "obtaining or retaining business". It's one thing if you were paying a bribe to say, a local minister to get exclusive access to some sort of scene...
But low-level crooks pretty much sticking you up and you try to buy your stuff back from them under the guise of "government business" is not the kind of thing FCPA is about. It's for concerted attempts to pay off foreign officials to strengthen your business.
Which surely still happen, but not in the manner you're describing. FCPA violations wouldn't be the sort of thing that "everyone" is told about.
“We didn’t hand duffel bags of money to the perpetrator group’s courier, we hired a professional external individual security consultant to handle the situation”
https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...
By very loose analogy, either when playing chicken, or when you and a person walking towards you both repeatedly veer in the same direction to avoid collision, one tactic is to very conspicuously cover your eyes. The other person can then see that you will not re-correct based on their behavior. Though I know this option exists, I have never successfully used it. It's always difficult to truly intentionally commit to limit your options to respond to future circumstance.
Same concept applies, and in my experience it seems to work. Though this was before the era of phones (and people not looking where they're going regardless)
If it is a legal requirement of my job to do the right thing, I'm gonna do the right thing.
If you want to stop the hackers, make it a Federal crime to pay anyone. In that environment, there would be no circumventing the restriction at all.
That means that money laundering laws are up against a dedicated adversary with resources, while laws preventing ransoms... not so much.
Of course, with cyber insurance, incentives for the insurer may lean towards dedicated circumvention.
If ransoms weren't being paid, criminals would find other ways to monetize the data. "Honest" ransomware is actually good for the public in the sense that should the ransom be paid, the data is indeed destroyed by the gang. Make ransoms impossible and they will start selling the data or monetizing it in other ways (identity theft, card fraud, etc), at the expense of the public.
Given that we can't eradicate this kind of crime entirely by improving security, I think ransomware is the least bad option in the sense that it punishes the offending company while minimizing the risk of the data being leaked which would hurt the data subjects themselves (the public).
There is nothing to guarantee that attackers will destroy the data and not further exploit it even if you pay them. Improved security isn't going to fix the problem, but we can make it less profitable and make that profit more difficult. If our policy is to pay we're just making it highly profitable with very little effort on the part of the attackers. If we refuse to pay, they will have to pour over our data looking for what may or may not be valuable to anyone, spend time searching for those people who might pay them for it, and then spend time convincing them to pay enough to justify their time/efforts.
We should be refusing to pay and making sure we've got backups of our own stuff so that we'll never have to.
Their business model relies on them being honest. If they don't follow through on their promise of destroying the data they'll kill the ransomware market entirely. So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
Truthful at least, "honest" isn't a word I'd use for these types.
> So far, I haven't heard of major instances where ransomware gangs didn't fulfil their part of the bargain.
The point is that you wouldn't. They can't publish the data or publicize its sale, but (if they were willing to invest the time) they could still sell it privately, or use it themselves to further attack/exploit you without you ever being able to trace anything back to them directly. They could wait months or years if they wanted and still find value in it (bait for use in spear-phishing for example).
see... the issue i see with making it illegal for state entities to pay ransoms is that you tie the hands of the victim without any guarantees that law enforcement will help and help in a timely manner. i see this as a lose, lose situation.
Hackers can target state entities for other reasons, but no rational hacker would do it for the ransom, since there won't be any ransom paid.
The FBI can simply say "We'll never catch the hackers, but if you pay them you'll go to jail". It accomplishes the same goal of reducing the reward for hacking to zero.
just cause they can't get a ransom, doesn't mean the data it's valuable as they can still sell it on the black market to carders and other gangs.
it's very ignorant to think that just because you cut off one area of revenue for these gangs that the problems will stop.
Shotgun attacks aren't discouraged if some X% of their targets can't/won't pay the ransom.
Smart attackers do extensive research on their targets before performing the attack.
Similarly, I can appreciate the logic in making American companies less likely to be targeted by ransom hackers, even if it means some companies are hit harder in the short term.
That's how governments operate. Every time a government "sneezes" is harms some companies and benefits others.
Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
I don't think it will have any effect on privacy. The hackers say they will delete the data, but how can you trust them?
Then again you have people who do it just for the lulz (err...meows?) -> https://news.ycombinator.com/item?id=23957510
We've banned voluntary actions with externalities in the past.
>Making it illegal for them to pay just means that they can't look after that interest. Why would that be a good thing to do?
You only have the criminal's word to stand on when they claim to delete data. It's far too easy to simply hang on the to troves of collected data and wait for a rainy day.
I believe this is discussed in Schelling's book "Strategy of Conflict", which I've never read but has been much discussed online[1]. Indeed the article I've linked specifically mentions this case.
[1] https://www.lesswrong.com/posts/tJQsxD34maYw2g5E4/thomas-c-s...
Whether or not trusting the judgement of administrators over the judgement of law enforcement is the best way to handle these situations is an open question.
I'm not sure I trust public university administrators to do much beyond stimulate the local construction economy and wider investment banking industry.
Would it be moral/societally good to write and distribute this software? If it became prevalent enough, it would damage the ransomware model as people would be much less likely to pay if they thought there was a significant chance of payment not fixing their issue.
Another option is: forbid bitcoin and other cryptocurrencies.
Greyhat is even a bit of a stretch. It's like Dr. Doom. He has good motives but he's still the bad guy.
Who do you prosecute?
Would you close the University to huge harm to the students and researchers?
Never understood the power of anonymity...
You would charge the people who recorded the outcome of the vote and did the killing with murder, and you would charge everyone who participated in the vote while knowing one of the outcomes was illegal with conspiracy and failure to report.