Paying Up to Ransomware Crooks Should Be Illegal

This article first appeared on the Council on Foreign Relations site.

Two weeks ago, a California hospital paid $17,000 to cybercriminals who had broken into its computer network and taken its data hostage.

The attackers used ransomware, a type of malicious software, to encrypt the files at Hollywood Presbyterian Medical Center, and would only provide the decryption key upon payment in bitcoin of the ransom.

Payments like these, while the most expedient (and possibly the only) way to regain access to the targeted data, have fostered what many experts believe is a billion-dollar criminal market that continues to grow.

The criminals behind ransomware are savvy business people. They set the ransom price for corporate targets well below what it would cost to prevent the attacks through investments in cybersecurity. For individuals, they target an affordable amount for the average American that has no backup of baby photos and home videos.

For the victims of this crime, it usually makes sense to pay the ransom, get their data back and then start to think about what it would take to prevent a second incident. With little ability to arrest the overseas criminals behind these attacks and no ability to break the strong encryption used by the malware, that is often what law enforcement suggests.

"To be honest, we often advise people just to pay the ransom," said Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office. Yet, following the lead of the Presbyterian Medical Center will only lead to many more hospitals and many more individuals being the victims of this same crime.

I won't argue that paying these ransoms is feeding terrorism or crimes other than further ransomware attacks. The payments are likely just funding lots of Kim Dotcom–style shenanigans in Eastern Europe. But left unchecked, ransomware could become a crippling problem for many more companies. The best way to prevent that from happening is to criminalize the payment of ransoms to cybercriminals.

Opponents of this proposal will no doubt deride it as a "blame the victim" approach. Indeed. While a moral argument could be made that the victims are not innocent—that they have shown negligence in failing to protect their data and the data of their customers and patients—I won't make that case.

One could make an argument that by paying ransoms they are perpetuating a criminal conspiracy that will go on to take on other victims. I will leave that to others to argue.

What I will argue is that when looking at a public policy problem, the best place to create liability is where it will have the desired impact. If the goal is to stop ransomware attacks, raising the costs of paying ransoms beyond what the criminals are demanding is the best way to do that. Those costs could come in the form of civil fines or misdemeanor charges.

For most American companies and most individuals, simply knowing that paying a ransom would violate the law might be enough to dissuade them. If enough victims are persuaded to forgo payment and accept the consequences, there will be fewer future victims.

And while there are legal arguments that paying ransoms may already be considered a crime, let's avoid the current debacle introduced by applying centuries old laws to modern day technology problems and introduce some clean legislation that will make the law clear for once.

Robert Knake is Whitney Shepardson Senior Fellow at the Council on Foreign Relations.