In some recent posts, I threw out the idea of banning corporations from paying ransomware demands. I expected the idea to be shot down in the comment section, but I didn’t see any persuasive arguments against the proposal. In fairness to my commenters, however, most of their arguments were far superior to those offered in a recent Bloomberg article:
Consider a simple example. Suppose a state legislature, sick and tired of the number of people being robbed on the street, decides to make it a crime to give money to a mugger. The legislation might well reduce the supply of muggings, but only by imposing the cost of this public good — fewer robberies — on the victims. Yet handing my wallet to the mugger who is pointing a gun at my head is completely rational. Punishing me to lower the crime rate is a peculiar way for a free nation to behave.
Freedom? By that argument the Foreign Corrupt Practices Act interferes with the “freedom” of corporations to pay bribes to foreign officials.
The Bloomberg article does provide some useful information, however:
[A]fter Colonial Pipeline forked over $4.4 million in Bitcoins to the hackers at DarkSide, the decryption tool the company received in return proved so ineffective that the company wound up rebuilding its network from scratch.
So not only did Colonial Pipeline damage the US economy by encouraging other criminals to extort money from other American corporations, it didn’t even achieve its objective after it paid the ransom. We would have done Colonial Pipeline a favor by banning the payment of ransom. Nor is this an isolated case:
Even for those who pay, the chances of full data recovery are slim. An April 2021 report from Sophos places the likelihood of getting all the data back at 8%.
As for the claim that my idea is obviously infeasible, tell that to the Biden administration:
In response to the growing threat, more and more observers have become attracted to the theory that the best way to stop ransomware attacks is to make paying the ransom illegal. Biden administration officials have suggested that the notion has merit.
We can end the problem of US corporations paying ransom. So why not do it?
READER COMMENTS
Brett
Jun 10 2021 at 1:07pm
If you coupled it with a whistleblower protection for those reporting that their company secretly paid a ransom (plus a ban on ransom insurance for cyber-crimes), I think you could definitely bar companies from paying them. They’re not small payments, most of the time.
Scott Sumner
Jun 10 2021 at 1:23pm
I agree.
BW
Jun 10 2021 at 2:56pm
Why a ban on ransom insurance for cyber crimes? I don’t quite follow the logic there.
Scott Sumner
Jun 10 2021 at 6:55pm
Ransom payments have huge negative externalities.
BW
Jun 13 2021 at 6:36pm
Which would justify making ransom payments illegal. But why make ransom insurance illegal?
Daniel Kling
Jun 11 2021 at 9:23pm
If you have ransom insurance then usually if you get hit then the ransom gets paid by the insurance company but technically you’re not the one paying it. So if you ban ransom payments but not ransom insurance then everyone thinks they need to get the insurance (because they can’t pay if they need to), and that makes ransom attacks even more attractive (because all the targets are insured).
Scott Sumner
Jun 12 2021 at 12:07pm
Why would ransom attacks be more lucrative if payouts were illegal? That makes no sense to me.
BW
Jun 13 2021 at 7:07pm
This hypothetical, where ransom insurance is still legal, presumes arguendo that ransom payments have been rendered illegal. Thus, insurance companies would be prohibited from making ransom payments. Under such a regime, I think the following would hold:
Insurance companies would face concentrated costs from ransom attacks, but this concentration of cost would also internalize the externality of ransom attacks. Insurance companies would thereby have incentive to:
Motivate companies to defend against ransom attacks; perhaps, by refusing payouts if sufficient precautions aren’t undertaken.
Adopt a policy of never paying ransoms, lest they encourage more ransoming.
It would be easier to detect and punish ransom payments because:
Insurance companies are less numerous than companies of all other types combined; so less monitoring would be necessary.
All other companies would have no incentive to pay out ransoms, because insurance is already covering their losses, and they would go to jail if caught and lose the insurance money to boot.
Again, I see the logic in making ransom payments illegal. I don’t see the logic in making ransom insurance illegal.
Ethan
Jun 10 2021 at 2:25pm
I was listening to a Russ Roberts podcast long ago where he was discussing transaction costs with Robert Frank. He tells the story of his childhood in Massachusetts where people used to walk around with their car stereos to avoid theft. It was such a common occurrence and there was virtually no recourse since the chance of getting caught was so low. Russ makes the point that there was a consumer demand for a car stereo that was safe from theft. The technology was developed to make the theft of stereos less lucrative. The market found a solution for this problem. If the government imposed a death penalty policy for car stereo theft, and put cops on every corner and near every parked car, we never would have gotten the improved technology, and we would have spent public resources on a problem that was easily solvable through innovation. In other words, the better outcome was a result of the de-facto legality of car radio theft.
This is analogous to today. Up until now it seems the market for private solutions has been relatively small due to hackers’ limited ability to collect high prices without getting caught. Crypto has lowered this transaction cost. However, if we let the market play itself out, I think there is an unforeseen solution to protect companies from these de-facto legal transaction costs imposed on them. We need only be patient and avoid the government imposing a solution that will not prove useful in the long run.
Henri Hein
Jun 10 2021 at 6:10pm
I think your point is a good one. In terms of the general cyber-security market, it’s huge, but maybe you meant security specifically against data hijacking. To me, they flow together a little, because to secure against hijacking, you rely on traditional security measures: backups and protecting against unauthorized access. Security products for these areas exist. A big part of the problem is that it is a matter of process as well as configuration, and a product can only compensate for process to a certain extent. Imagine a home with a reinforced front door and a nice, strong lock on it, but where the home-owner leaves the back-door unlocked at all times. It may sound silly, but many corporate networks are subject to an analogous configuration.
As data hijacking becomes more prevalent, businesses will have an incentive to shore up both their configurations and their processes.
Ethan
Jun 10 2021 at 9:21pm
I am 100% on board with your point that the problem is ultimately user error in so many cases. My contention is that there is an unforeseen solution that will solve the problem in a way that mitigates this. I could be wrong, but entrepreneurs tend to surprise us.
To the quote, I think I was making the point that obviously there is a price at which the hackee will not buy the information. I think the reason this is in the public discourse now is that this price has risen as of late. Maybe it is the use of crypto that is increasing price. I could be wrong about the price, but I think I was trying to illustrate that the incentive for innovation is on the rise. But this is not necessary to my overall argument that the actual cheapest solution is the unforeseen solution, and not Scott’s preferred method.
Henri Hein
Jun 11 2021 at 12:14pm
I don’t think you are wrong. Entrepreneurs do indeed come up with ingenious solutions.
David Lundeen
Jun 10 2021 at 2:27pm
It won’t solve the problem. Corporations will continue running to the nanny state they have long cultivated.
Mark Z
Jun 10 2021 at 5:41pm
I can see a condition in which outlawing ransom payments increases economic inefficiency. If 1) the information stolen from the victim is valuable to other parties (e.g., competitors), but more valuable to the victim itself (I’m assuming the victim is a corporation), and 2) theft is fairly inelastic with respect to payout (e.g., if hackers can only sell stolen information to victims’ competitors for 50% as much as they’d get in ransom, it won’t reduce hacking by 50%, but maybe only by 10%, because even at 50% less compensation, most hackers are still doing a lot better than if they worked an honest job), then banning ransom payments may only slightly reduce hacking, and mostly lead to information being reallocated toward competitors to whom it is worth less than what it is worth to victims. Allowing ransom payments may therefore reduce suboptimal allocation, because the party that values the stolen data most gets it.
As an aside, I’m surprised to see no mention of Coase theorem anywhere. Since in theory it doesn’t matter who you assign liability to, this really all comes down to who it’s cheapest to punish or police, victims or perpetrators, and which responds most to incentives. If it’s trivially easy to avoid getting mugged, and easy for police to identify mugging victims, but expensive and difficult to catch muggers, it may be more efficient to punish the former than the latter (all of this is ignoring morality of course).
Scott Sumner
Jun 10 2021 at 6:59pm
I am using the Coase theorem here. I’m saying a ban on corporate ransom payments is by far the cheapest way of stopping the problem. The Coase Theorem is 100% of my argument. If there’s a cheaper method, then by all means use it.
Andrew Hyer
Jun 10 2021 at 6:01pm
Is there any reason (beyond I suppose PR) to look at corporate ransom payments exclusively? It seems very strange to say ‘when I pay a ransom to preserve my cat videos this is fine, but when a corporation pays a ransom to preserve its payroll data this is evil’.
When costs are incurred by third parties due to not paying ransoms, who do you intend to blame them on? If a hospital has its patient files stolen by ransomware, and you refuse to let them pay the ransom, and a patient dies because his medical records were lost and the hospital did not know he would have an allergic reaction to a certain medication, do you intend to then turn around and blame the hospital for the patient’s death?
Alan Goldhammer
Jun 10 2021 at 6:15pm
The problem is a result of poor cybersecurity throughout the system. Personal computers get infected with malware all the time. Antivirus systems are reactive rather than proactive, relying on identification of virus signatures and rapid incorporation of those signatures into the database. It’s totally unsurprising that systems in the corporate and government worlds get hacked, infected, or held for ransom. Don’t you think the NSA is doing the same thing? How about the Stuxnet virus that infected Iranian control computers in their nuclear programs? That was also deliberate hacking.
Stuff happens and will continue to.
Scott Sumner
Jun 10 2021 at 7:02pm
“Stuff happens and will continue to.”
That’s a weird argument against banning an activity. Kidnapping happens—should we not ban kidnapping? Speeding happens—should we not ban speeding? Littering happens—should we not ban littering? I don’t follow you.
Or are you merely saying it won’t do much good?
Alan Goldhammer
Jun 11 2021 at 7:42am
Scott, your above points are irrelevant to my post. Of course kidnapping should be banned as it is a felonious crime. Speeding is regulated but imperfectly. Jurisdiction over both of these crimes takes place within the US. Cyber attacks for the most part are extraterritorial. The US can put in place a legal framework governing such attacks but enforcement becomes difficult. How do we police attacks by hackers in Russia, North Korea, China, Iran, Ukraine, or any other country? This is my point; it is extraordinarily difficult. If we put in place such a law does this make what our NSA (a cyber black box) does illegal or immoral as an action against a foreign power would be in violation of our domestic law? Is individual cyber attacking held to a different standard than state-sponsored cyber attacking?
Scott Sumner
Jun 11 2021 at 11:32am
You missed the whole point of the post. The proposed law refers to the behavior of US corporations, not foreign criminals. Believe me, US corporate executives do not relish the thought of spending 20 years in prison for an activity that mostly benefits shareholders.
Alan Goldhammer
Jun 12 2021 at 7:32am
I did not miss the point of the post. I pointed out that it is a solution to a problem that is brought about by corporate (or non-profit) cyber-IT malfeasance. Your proposal is also likely to be illegal unless you can somehow thread the needle and call this type of payment a ‘bribe’. It becomes a slippery slope considering laws that regulate how corporations can spend money. Any libertarian would have real concerns about this type of proposal.
Scott Sumner
Jun 12 2021 at 12:10pm
“I did not miss the point of the post.”
Then your reply makes no sense at all.
Alan Goldhammer
Jun 12 2021 at 1:53pm
Scott writes without answering my questions
How can it not make any sense? I responded to your post which posits a proposal that is likely an illegal ban on the use of organizational funds. How do you get around this? Where is the line drawn regarding what the government can and cannot do to control how an organization spends its money? Your proposal is really anti-libertarian, which is the point I make.
An organization may look at paying ransom for a cyber attack in the same way they look at paying legal fees (not something that I would agree with).
Brian
Jun 10 2021 at 11:06pm
Off topic: The bitcoin ledger is public. Make it illegal to buy bitcoin from the account that received a bitcoin ransom from Colonial Pipeline. So if the account originally held zero bitcoins and received a 75 bitcoin ransom, all 75 bitcoins are tainted. If the account originally held 0.05 bitcoins and now 75.05, well all are tainted. Too bad. How much due diligence is required? The FBI can have an API to name the bad accounts. The FBI can post a hash for every version of software they have verified as hitting their API. If you use software that does not hit the FBI API you are behaving recklessly and the legal system will take that into account.
Pierre Lemieux
Jun 11 2021 at 9:21am
Scott: Wouldn’t your argument justify imposing a punishment on the mother of any bubble gum thief? The government could argue that this is the cheapest way to stop bubble gum thefts (most thieves love their mothers). This looks to me like a special case of (coercively) imposing costs on some people in order to provide benefits to others. As Anthony de Jasay noted:
Scott Sumner
Jun 11 2021 at 11:35am
I’d favor the policy if it increased utility. But I doubt that it increases utility, and thus I probably would not favor the policy.
I’d add that here I’m not advocating the punishment of people related to others that do harm; I’m advocating the punishment of people who themselves do harm (by paying ransom and thus funding organized crime.)
Alan Goldhammer
Jun 12 2021 at 7:36am
Is the payment of ransom to a kidnapper the same thing? What about an art museum that is seeking to recover stolen objects; is their payment of ‘ransom’ illegal under your scenario? Where do you draw the line? Don’t corporations/organizations (or people) have the right to spend money as they see fit? Isn’t this the libertarian approach?
Scott Sumner
Jun 12 2021 at 12:13pm
You asked:
“Don’t corporations/organizations (or people) have the right to spend money as they see fit? Isn’t this the libertarian approach?”
Do I believe that corporations have a right to bribe government officials? No.
And I discussed kidnapping in my previous posts. The cases are very different.
Alan Goldhammer
Jun 12 2021 at 1:59pm
On this we can agree. However, the majority of ransomware attacks do not come from nation states and this is where your analogy breaks down. There are lots of hackers here in the US who act independently and are unaffiliated with the US government. Paying off these people is not bribing the US government.
The same holds true with a lot of the bad actors in eastern Europe and you cannot equate paying off those who hacked the Colonial Pipeline as ‘bribery’ in the legal sense. Now you may wish it were so but as I’ve noted, this is on legally shaky grounds. The proposal remains anti-libertarian.
Scott Sumner
Jun 13 2021 at 12:09pm
It is also illegal to bribe foreign officials.
Philo
Jun 11 2021 at 1:15pm
“As for the claim that my idea is obviously infeasible, tell that to the Biden administration . . . .” If this is–as it appears to be–an argument that your idea is feasible, I must say it is a worse argument than the one you criticize from the Bloomberg article.
Alex S.
Jun 12 2021 at 6:32pm
Fun but bleak fact: Italy has banned (at least in the past) payment of ransom to kidnappers:
But under Italian law, families are barred from paying ransom or negotiating with kidnappers, except with the permission of a prosecutor and the cooperation of the police. In fact, the 1991 law, unique to Italy, goes one step further and imposes an automatic and obligatory freeze on assets belonging to the kidnapped victim’s family.
https://www.nytimes.com/1998/02/01/world/italian-ban-on-paying-kidnappers-stirs-anger.html
Scott Sumner
Jun 13 2021 at 12:10pm
I don’t have an opinion either way on that law.
Alex S.
Jun 12 2021 at 6:39pm
One more update to this story from WSJ about how the FBI was able to recover some of the ransom:
“Crypto wallets provide owners a measure of personal privacy and freedom from regulatory and tax oversight in some countries. But blockchains are visible to the public, enabling law-enforcement investigators and outside specialists to watch the funds move between addresses and through exchanges, online services where users can buy or sell holdings or cash out.”
https://www.wsj.com/articles/how-the-fbi-got-colonial-pipelines-ransom-money-back-11623403981
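Brian’s comment above (treat every coin in an address that received a ransom as tainted, and let recipients check an address against a list of bad accounts) and the WSJ excerpt (the blockchain is public, so investigators can follow funds between addresses and into exchanges) both rest on the same mechanism: forward taint propagation over a public ledger. The example below is added here and is not code from the post, the FBI, or any of the commenters. It simplifies Bitcoin to an account model (real Bitcoin is UTXO-based), runs over a constructed six-transaction ledger that reuses Brian’s figures (a 75 BTC ransom landing in a wallet that already held 0.05 BTC), and contrasts two standard taint rules: the “poison” rule Brian describes, under which any contact taints an address in full, and the proportional “haircut” rule, under which a transfer carries out the sender’s tainted fraction. The address names, the `accept_deposit` threshold, and the flagged-transaction feed are all assumptions made for the example.

```python
from dataclasses import dataclass
from fractions import Fraction

SATS = 100_000_000  # satoshis per bitcoin; all amounts below are integer satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    src: str
    dst: str
    sats: int


# Constructed sample ledger, not real chain data. Brian's figures are reused
# as the seed: a 75 BTC ransom lands in a wallet that already held 0.05 BTC.
# The funds are then split, forwarded, and partly deposited at an exchange
# hot wallet that also receives an unrelated clean deposit.
LEDGER = [
    Tx("t1", "victim", "ransom_wallet", 75 * SATS),
    Tx("t2", "ransom_wallet", "hop_a", 40 * SATS),
    Tx("t3", "ransom_wallet", "hop_b", 35 * SATS + 5_000_000),
    Tx("t4", "hop_a", "exchange_hot", 40 * SATS),
    Tx("t5", "clean_user", "exchange_hot", 60 * SATS),
    Tx("t6", "exchange_hot", "withdrawer", 10 * SATS),
]
INITIAL = {"victim": 75 * SATS, "ransom_wallet": 5_000_000, "clean_user": 60 * SATS}
FLAGGED_TXS = {"t1"}  # the ransom payment itself, as a hypothetical "bad account" feed would name it


def poison_taint(ledger, flagged):
    """Brian's rule ("all are tainted"): an address that ever receives flagged
    coins is tainted in full, and every later transfer out of a tainted address
    taints the recipient in full. Returns the set of tainted addresses."""
    tainted = set()
    for tx in ledger:  # ledger is in chain order
        if tx.txid in flagged or tx.src in tainted:
            tainted.add(tx.dst)
    return tainted


@dataclass
class Holding:
    balance: int = 0               # satoshis currently held
    taint: Fraction = Fraction(0)  # satoshis of that balance attributed to the ransom


def haircut_taint(ledger, flagged, initial):
    """Proportional ("haircut") rule: a transfer carries out the same tainted
    fraction as the sender's balance at that moment, so mixing with clean
    coins dilutes the taint instead of spreading it. Returns {address: Holding}."""
    book = {addr: Holding(balance=sats) for addr, sats in initial.items()}
    for tx in ledger:
        src = book.setdefault(tx.src, Holding())
        dst = book.setdefault(tx.dst, Holding())
        if tx.sats <= 0 or tx.sats > src.balance:
            raise ValueError(f"{tx.txid}: {tx.src} cannot send {tx.sats} sats")
        if tx.txid in flagged:
            moved = Fraction(tx.sats)  # the ransom itself: created tainted at dst
        else:
            moved = Fraction(tx.sats) * src.taint / src.balance
            src.taint -= moved
        src.balance -= tx.sats
        dst.balance += tx.sats
        dst.taint += moved
    return book


def tainted_fraction(holding):
    """Share of an address's current balance that is tainted (0 for an empty address)."""
    return holding.taint / holding.balance if holding.balance else Fraction(0)


def accept_deposit(sender, book, max_fraction=Fraction(1, 100)):
    """Due-diligence check an exchange might run before crediting a deposit:
    refuse if more than max_fraction of the sender's balance is tainted."""
    return tainted_fraction(book.get(sender, Holding())) <= max_fraction


if __name__ == "__main__":
    print("poison rule taints:", sorted(poison_taint(LEDGER, FLAGGED_TXS)))
    book = haircut_taint(LEDGER, FLAGGED_TXS, INITIAL)
    for addr, h in sorted(book.items()):
        print(f"{addr:14s} {h.balance / SATS:8.3f} BTC  tainted {float(tainted_fraction(h)):.1%}")
    print("accept deposit from withdrawer?", accept_deposit("withdrawer", book))
```

The two rules disagree exactly where it matters. Under the poison rule the exchange’s hot wallet is tainted as soon as the 40 BTC from `hop_a` arrives, and so is every customer who later withdraws from it, clean deposit or not; that is why a blanket “all are tainted” rule becomes unworkable once funds reach a pooled wallet. Under the haircut rule the same hot wallet is about 40% tainted and the 10 BTC withdrawal carries roughly 4 BTC of taint, which is the kind of figure a compliance threshold can act on. Tracking in `Fraction` rather than floats keeps the accounting exact, and the `accept_deposit` check is the point at which a recipient’s due diligence, of the sort Brian asks about, would actually be applied.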