August 13th, 2020


Should paying even a paltry ransom to hackers be a federal crime?

Megan McArdle

By Megan McArdle Bloomberg View

Published April 2,2018

Should paying even a paltry ransom to hackers be a federal crime?
Atlanta is under attack. Hackers have seized control of many of the city's computers and are demanding a ransom of $51,000 in bitcoin to release them. Police officers are filing reports on paper, residents can't pay bills and the courts are frozen.

The irony is that the $51,000 might represent the most cost-effective use of government IT dollars in history. Does it mean that Atlanta should pay it?

It's an interesting game-theory question. The city of Atlanta has a nearly $650 million annual budget. It is undoubtedly spending more every day trying to fix the problem than it would cost to simply pay the hackers to go away.

Indeed, that is the sinister genius of ransomware attacks: Ransom amounts are generally calibrated so that it makes more sense for the victim to pay than to say, "To hell with you, I'm restoring from backup, no matter how far back I have to go." There's just one small problem: In the immortal words of Rudyard Kipling, "If once you have paid him the Dane-geld/ you never get rid of the Dane."

That is not literally true in every case - hackers aren't the same as Kipling's Vikings. Perhaps if Atlanta paid, they would go away and never bother the city again. But it has been true in enough cases that it's bad public policy to comply with ransom demands. Which is why the U.S. government has a policy that it will not pay ransoms or make other concessions to hostage-takers, even if it means frustrated kidnappers sometimes kill their hostages.

We get this instinctively. We have a revulsion to paying someone money not to harm us. Paying ransoms may seem like the rational thing to do in a given instance, but there's a meta-rationality to our social norms against doing so: If extortionists know people will indignantly refuse to pay a ransom - even at some cost to themselves - these sorts of attacks then rapidly become a bad investment of time and effort.

But what is the alternative? Twenty years ago, when I was a network administrator, a security expert I worked with solemnly explained why his job was so nerve-racking: "The hackers only need to find one way in. I need to find all of them, and close them before the bad guys get there." Of course, better IT security can raise the cost of these kinds of attacks, so that they won't be worth undertaking for such a paltry ransom. But good security is quite expensive. It is especially difficult for governments to manage, in part because ponderous, fussy government-procurement rules make it hard to keep up with the technology cycle, in part because civil-service wages are rarely high enough to attract top-level technologists.

The federal policy about hostage-takers may point us in the right direction. Essentially we're dealing with a collective-action problem: Society would be better off if we could all agree that no one would pay ransoms to hackers, but individual victims are probably better off paying. How can we get everyone to make a credible commitment in advance that they won't pay?

Luckily, collective-action problems are what governments are for. The federal government could make it a federal crime to pay in ransomware attacks, punishable by a stiff fine (say, double the demanded ransom). This would align the self-interests of the victim with the social interest in thwarting people who demand ransoms.

The details would have to be carefully worked out, of course. For one thing, how do we know someone has paid a hacking ransom? In truth, we can't, and some will do it anyway. But making it a federal crime changes the calculus. In general, Americans are reluctant to break the law; some people will refuse to pay simply because it is forbidden. Others will worry they'll be caught if, say, a disgruntled employee calls a federal tip line. We don't need to ensure that no victim pays; we just need to make the payoff sufficiently uncertain that it will no longer be worthwhile for attackers to invest their efforts.

Of course, generating the necessary political support for such a law will be tricky if it is seen as punishing victims. We would also need to pair this with some kind of insurance strategy, so that those who are attacked don't suffer too excessively for taking a righteous stand against criminals. We will also need to figure out some way to incentivize state governments to comply, since constitutionally, they are protected from federal interference. But there are ways around this problem, for example, by taking away federal matching dollars instead of assessing a direct penalty.

Given the frequency of these attacks, this is something the federal government should be seriously considering. And given the obvious benefits to everyone, and the lack of a clear partisan angle, perhaps our deeply divided legislators could actually agree to do it.

Megan McArdle is a Washington Post columnist who writes on economics, business and public policy. She is the author of "The Up Side of Down." McArdle previously wrote for Newsweek-the Daily Beast, Bloomberg View,the Atlantic and the Economist.