To Pay or Not to Pay? Ransomware Attacks Are the New Kidnapping

By Jamie MacColl and Tom Keatinge

Published 23 June 2023

Over the past several years, ransomware attacks have become a persistent national security threat. The inability to respond effectively to this challenge has normalized what should be intolerable: organized cybercriminals harbored by hostile states regularly disrupting and extorting businesses and essential services, causing misery in the process.

From our vantage point in the UK, it’s hard not to be envious of the rigorous public debate taking place in Australia on the future legality of ransomware payments.

Following last year’s cyberattacks against Optus and Medibank, the Australian government has signaled its intention to address one of the thorniest and most contentious questions in cyber policy: whether to ban ransomware payments.

The debate over banning ransom payments has a long history. When it comes to terrorist-related kidnapping for ransom, the legislation—led by the United Nations Security Council—is clear. Payments are illegal.

The argument is that kidnapping works because it’s profitable, and so payments fuel the business and perpetuate attacks. The same logic is applied to ransomware. It is also a low-risk, high-reward criminal enterprise, with some experts suggesting that it’s more profitable than cocaine trafficking. As Coveware, a specialist ransomware negotiation firm, notes: ‘The profits ransomware actors generate are too high, and the risks are too low.’ There are almost no barriers to entry and the profit margin can be as high as 98%.

A ban on payments therefore makes logical sense. Stop the payments and the primary motivation for ransomware attacks will evaporate. Those seeking to get rich quick will look elsewhere.

Yet that logic has been applied before, in the kidnapping-for-ransom world, and despite some unilateral national bans against criminal payments and international prohibitions on payments to designated terrorist groups, hostage-taking continues. As Australia considers the possibility of banning ransomware payments, policymakers should consider the historical precedents.

As the so-called Islamic State expanded its self-declared caliphate, it sought to raise significant funds through the ‘sale’ of human life. As well as trading Yazidi slaves, the group kidnapped journalists and civil-society workers, offering their lives in return for tens of millions of dollars. For the hostages, their fate was decided by the nationality of their passports. Whereas the US and UK held fast and remained committed to the international prohibition on making payments to designated terrorist groups, watched their citizens murdered on the internet, and threatened the families with prosecution should they pay, other nations brought their nationals home safely to a presidential welcome in return for eye-watering sums.