Is a ban on corporate ransom payments feasible?
By Scott Sumner
In some recent posts, I threw out the idea of banning corporations from paying ransomware demands. I expected the idea to be shot down in the comment section, but I didn’t see any persuasive arguments against the proposal. In fairness to my commenters, however, most of their arguments were far superior to those offered in a recent Bloomberg article:
Consider a simple example. Suppose a state legislature, sick and tired of the number of people being robbed on the street, decides to make it a crime to give money to a mugger. The legislation might well reduce the supply of muggings, but only by imposing the cost of this public good — fewer robberies — on the victims. Yet handing my wallet to the mugger who is pointing a gun at my head is completely rational. Punishing me to lower the crime rate is a peculiar way for a free nation to behave.
Freedom? By that argument the Foreign Corrupt Practices Act interferes with the “freedom” of corporations to pay bribes to foreign officials.
The Bloomberg article does provide some useful information, however:
[A]fter Colonial Pipeline forked over $4.4 million in Bitcoins to the hackers at DarkSide, the decryption tool the company received in return proved so ineffective that the company wound up rebuilding its network from scratch.
So not only did Colonial Pipeline damage the US economy by encouraging other criminals to extort money from other American corporations, they didn’t even achieve their objective after they paid the ransom. We would have done Colonial Pipeline a favor by banning the payment of ransom. Nor is this an isolated case:
Even for those who pay, the chances of full data recovery are slim. An April 2021 report from Sophos places the likelihood of getting all the data back at 8%.
As for the claim that my idea is obviously infeasible, tell that to the Biden administration:
In response to the growing threat, more and more observers have become attracted to the theory that the best way to stop ransomware attacks is to make paying the ransom illegal. Biden administration officials have suggested that the notion has merit.
We can end the problem of US corporations paying ransom. So why not do it?