This prior post explored ransom payments in connection with recent cyberattacks.
Regarding this emerging issue, this Wall Street Journal article contained a debate regarding “Should Ransomware Payments Be Illegal?”
On one side:
“As ransomware attacks have ballooned, many governments are debating whether to make ransom payments illegal. From a moral and political standpoint, the answer is clearly yes. We should not treat ransoms as a cost of doing business in cyberspace. Accepting such a situation would be analogous to treating pirate tributes or bribes as a cost of international trade. We should institute a broad, multifaceted counter-ransomware strategy that culminates in ransom bans.”
“The case for prohibiting ransom payments is straightforward. Ransomware attacks are primarily motivated by profit. Those profits are used to further develop criminal capabilities. Finally, payments result in more attacks.”
“If payments are prohibited, fewer companies will pay ransoms, shrinking the flow of money to the criminals. Reducing the tactic’s profitability will drive attackers away from it. Although often cast as turning businesses into criminals, prohibitions would support a decision that organizations already want to make. No organization wants to pay a ransom.”
“By not prohibiting payments, as a society we are declaring such payments acceptable.”
On the other side:
“Making ransomware payments illegal would eliminate one of the few options that victims have to recover their data and get back to work quickly.”
“Time is money. Sometimes paying a ransom is less expensive than withholding one – and being forced to laboriously rebuild an IT system and restore data from backups. And companies often face a choice that could drastically affect their business: Companies have seen criminals threaten to leak or sell stolen data if extortion payments aren’t made.”
“The potential losses aren’t just financial. In critical infrastructure sectors, lives and national stability are at stake if company operations are shut down.”
“Eliminating victims’ ability to pay ransom altogether is too blunt a tool, and enforcing a ban is unworkable. Under a ban, victims would likely still pay, but they would hesitate to report the crime or cooperate with law enforcement for fear of prosecutions. Not sharing information would hurt security across the internet.”
“There is a path forward that both preserves victims’ rights to pay and limits malicious actors’ ability to profit. First, establish a threshold for acceptable ransom payments. Today, ransom payments of any amount can be claimed as a deductible expense for tax purposes. The Treasury Department could limit this amount to, say, as little as $100,000 – which would serve to bring down ransom demands.”
Although the issue of ransomware payments is not a perfect parallel to conduct in violation of the Foreign Corrupt Practices Act, the above debate presents the same general dynamics that Congress encountered in the mid-1970s with the so-called “foreign corporate payments” problem.
To learn more about these dynamics – and how Congress debated a criminalization approach as well as a disclosure approach – see “The Story of the Foreign Corrupt Practices Act.”