Paying the ransom in cybercrimes crates a vicious cycle in which we embolden attackers. The best option for society is to remove this option for society.
While many of my readers know me as a career skills expert, I’m also a cybersecurity CTO. Recently, Caesars and MGM casinos had data stolen by bad actors. This continues a pattern of hackers either locking users out of data, or kidnapping data. Caesars Entertainment paid the ransom but shouldn’t have. In fact, the best option is to make paying illegal.
Ransomware is malicious software which runs on the victims’ computers, encrypting the data using the attacker's key. Since the victims don’t have the key, the victims can’t access their own data. This may include customer information, orders, financial reports, or medical records (if the hospital is the target). At hotels at other facilities, encrypting the data can prevent access to hotel rooms. Facilities like hotels and hospitals have a clock. Losing financial reports is bad. But not being able to get into your hotel room is a terrible experience for guests; not having access to patient records before a surgery could be life threatening. In theory, companies with good backups can mitigate most of these issues (not always in cases of hospitals). In reality, companies don’t have good backup processes.
Datanapping (I term I just coined) is where the hackers take a copy of your data and threaten to expose it if you don’t pay. It’s like kidnapping but with data. Examples include corporate secrets, or emails or other documents that if made public would make the victim look bad. In other cases, it may be user data, including social security numbers. That data can be sold on the dark web, but the attacker may just want to avoid selling and “settle” for a ransom from the victim in exchange for destroying the data. Note that the victim still has access to all the data the whole time, the risk is that the data becomes public or shared with third parties.
How can you know that the datanapper will really destroy all copies of the data if you pay the datanapping ransom? Answer: you can’t.
You may be thinking that data can always be easily copied. How can you know that the datanapper will really destroy all copies of the data if you pay the datanapping ransom? Answer: you can’t. Hence this anything-but-reassuring statement by Caesars Entertainment, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” (Maybe they can make up the lost ransom money when that Nigerian prince shares his lottery winnings after they send some money his way.)
What Caesars just said is: you can hack us; we will pay and simply trust you. It’s now open season on every casino in the country. Likewise, hospitals and individuals have paid off ransomware which only serves to encourage more attacks. Israel has a policy that they will not negotiate with terrorists. While terrorists may still kill Israelis, they no longer kidnap or threaten death and destruction, hoping to get Israel to give them some concessions. Israel has removed that option. This is a technique employed by Sun Tzu and many other commanders, “When your army has crossed the border, you should burn your boats and bridges, in order to make it clear to everybody that you have no hankering after home.” The soldiers would never consider retreat because once the boats were burned, the option became no longer available. Likewise, Israelis cannot consider negotiating because they have “burned” that option.
The US needs to create a similar policy. Because most attackers are overseas (in countries that won’t cooperate with the US) they face little, if any, risk of being caught, making the risk-reward tradeoff very appealing. They might be stopped or shut down, but they will not be captured by police. Some countries even tactically encourage such attacks against US and western targets.
"When your army has crossed the border, you should burn your boats and bridges, in order to make it clear to everybody that you have no hankering after home.” - Sun Tzu
Instead, we need to take the option off the table. The US needs to pass a law making it illegal to pay ransomware or pay for the destruction of illegally obtained data. Attacks will continue shortly after but once the attackers, mostly driven by financial motives, find they can no longer profit they will stop these attacks. State actors may continue to do so with the intent of hobbling, undermining, or for other non-financial reasons, but these will be few and far between, and generally not against civilians but rather government, military, and key infrastructure targets (the latter does some corporations).
This is not meant to be an alternative to better cybersecurity and better backups. All individuals and companies need to be better prepared. The US benefited from being oceans away from the old world, saving it from the many physical attacks that devastated Europe throughout the prior few centuries. Online everyone is equally accessible and so the geographic moat that protected the US no longer holds. We are all on the front lines of cyber risk. Still, such a policy will decrease the incentive of the attackers. They will no doubt continue the cat and mouse game and find new methods; and we will work to shut those down when they come.
Since this article comes a day after the release of US prisoners in Iran, I’ll briefly comment about that. There’s an argument to be made for never negotiating prisoner swaps with other countries because that will encourage them to jail our citizens. However, other countries don’t typically jail citizens for monetary reasons. Even if those countries never expect to get what they want, jailing Americans creates political pressure and a black eye for a sitting president. I can’t say that we should always or never consider a deal; rather I’m saying prisoner release by nation states have a different motivation than the cybercrimes discussed here.
Online every person or entity is at risk from every other person online. We cannot physically (meaning through law enforcement) stop such crimes. Since we also cannot defend against 100% of them in even the best case, we need to look for alternative deterrence. Passing a law making paying such ransoms illegal will be a step in the right direction.
It’s critical to learn about corporate culture before you accept a job offer but it can be awkward to raise such questions. Learn what to ask and how to ask it to avoid landing yourself in a bad situation.
Investing just a few hours per year will help you focus and advance in your career.
Groups with a high barrier to entry and high trust are often the most valuable groups to join.