> "The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue," said Josephine Wolff
In an ECON 101 sense, ransomware attackers want to set the price as high as they can such that the victim will pay. A rational victim will consider their tax bill in the cost/benefit calculation. So although giving a tax deduction for ransomware seems like it reduces the burden on the victim, in the long run it just increases the reward for the hacker at the expense of the treasury.
To be fair, AFAIK it's just a consequence of how our tax code is structured. Business expenses are tax deductible, and ransomware payments just happen to meet the definition of business expense. It's not like Congress got together and thought "yep, we should definitely make ransomware payments tax deductible!".
Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.
That is to say, it's a sliiiightly entitled way to look at the matter.
There are rules about what is taxed. If a rule says that something is not taxed, is that the same thing as "taxpayers are footing the bill for that thing"?
Let’s say Bob and Sue make up their own society. Both make 100k each and agree to a tax rate of 50% to build roads they will both benefit from.
However Bob gets a 30k tax exemption because his name begins with “B”. Therefore the tax burden on Sue is greater and she’s subsidizing Bob’s road usage (and potentially having crappier roads).
There are legitimate reasons for tax exemptions, but as tax payers we should always be critical of them.
So does a business dropping the ball on security mean everyone else who pays taxes should subsidize their screw up? Maybe… but it seems like a stretch to me and worthy of criticism.
If a business knows it will not incur a cost, because it can write off ransom payments as tax deductions, would that become a new strategy for corrupt CEOs to funnel money to themselves? Double dipping at the taxpayer's expense?
> And now taxpayers are on the hook for shitty security. Hell why not?
They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).
The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.
I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.
I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.
Trying to enact policy via the second order effects of the tax code is a terrible idea.
If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.
If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.
"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."
This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.
Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.
So I can pretend to pay a ransom in BTC, pocket money from my own company anonymously for a self-controlled malware, and save on taxes? Damn, this loophole is getting better and better.
Old and busted: Sorry Tolkien estate, the LoTR movies didn’t turn a profit so we have no backend for you (because we spent a billion dollars on marketing through one of our shell companies).
New hotness: Sorry IRS, our entire business didn’t turn a profit so we don’t owe taxes (because we sent $5 billion in ransoms to one of our shell companies).
Similar thing happened in Canada. A uranium miner set up a shell company in Switzerland and sold its future production to them at a market low. If the price went up, all of the profits shifted. If it went down, the subsidiary would go bankrupt and void the contract.
The shell can shift its profits tax-free back to the Canadian parent.
Why go through the trouble of ransomware, which might get the FBI involved and put you in a bad light? You can very well just pay a "consulting fee" to some offshore shell company. Any business expense is tax deductible, not just ransomware payments.
Is a ransomware payment a bribe? The linked page doesn't really say what constitutes a "bribe". The next paragraph says that it only covers illegal activities, which AFAIK isn't the case for ransomware groups unless they're a designated terrorist organization or something.
As far as I'm aware, ransomware payments wouldn't be considered a bribe. They're more similar to an expense incurred due to `kidnapping for ransom`, which is deductible.
I remember seeing that there is an actual section dedicated to income from illicit income in the tax forms. Which is honestly amazing to see, and confusing too.
I don't see much that is controversial here. Losses due to crime such as assets being stolen are business losses. Certainly there is a modicum of willing victim participating here, but I don't see it as any different than other practices whereby a company is allowed to make security cuts and then deduct the inevitable crime-related losses.
If the government really wants to reduce this then perhaps they should actually help companies. Set up teams to address these situations in real time. Put that extensive NSA internet spying network to good use and track these situations. When a company calls the FBI to report an ongoing ransomware attack, they shouldn't have to leave a message in hopes that maybe someone might call them back in a couple weeks, nor should they be told to report the situation to their local cops.
In Germany Theo Albrecht (one of the Aldi founders, Forbes richest #31) tried to deduct his kidnapping ransom payment ($2mil USD in 1971) as a tax-deductible business expense. It went to court and was denied.
Misleading: pretty much all expenses incurred by a US business are "tax deductible" in the sense that you subtract expenses from income to arrive at profit and it is profit that is taxed. So an expense needs to be explicitly prohibited by the IRS as legitimate in order to make the equivalent amount of profit subject to tax. They didn't prohibit ransom payments.
About as easy as committing tax fraud by claiming losses from any other form of criminal activity, such as farmers burning down their barn and claiming the loss, or construction contractors claiming losses on "stolen" tools.
Also a nice way to keep profits in the hands of hard working management if those pesky shareholders fail to grant them sufficient bonuses /s
But I doubt that it could happen like that, the skillset requirements just don't have the overlap it would take.
But taking some liberties extrapolating a dark future, imagine what would happen if key persons who failed particularly hard at avoiding payment suddenly found themselves with unsolicited keys for wallets containing some amount of finder's fee. Deniable, yes, but how much would that deniability be worth in the end? If that could be the future of business computing, should we buy stocks of fax machine companies?
Could you really pull it off without some data actually missing? Perhaps, but with a big risk of discovery.
On the other hand, perhaps you are right: if you have a well established, highly authorized and maybe a bit isolated crisis intervention plan/team they should be able to initiate preventative lockdown protocols perfectly indistinguishable from the real thing, with only a very small conspiracy knowing that it was started for no good reason.
Sure. But now transfer the money from the “criminals” back to you in some untraceable way. Oh, and that’s money laundering, so additional charges on top of tax fraud.
As the FBI stated, each incident should be reported. If 80% of them go under the radar it would only make it harder to stop ransomware groups. Also, I think an unreported breach of data should be punished, as along with business data there is probably customer data involved. I don't know about the US but I think that in Europe this would be the case.
Expenses and losses related to 'kidnapping for ransom' are tax deductible [1], so it stands to reason that ransomware payments are also tax deductible.
Does anyone know what's going on with text in this article? Almost a collection of clipped statements
"Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government
A ransomware attack on Colonial Pipeline last month led to gas shortages in parts of the United States. The company, which transports about 45% of fuel consumed on the East Coast,"
What are the effects of mortgage interest payments being tax deductible, and given these, what do you think the effect of ransoms being deductible will be?
If this policy weren't just dumb, it would be like these government people actually just want to create more chaos so they can direct it at target groups then only selectively respond to it as a way to paralyze opposition. Not to be political, but any sufficiently idiotic policy is indistinguishable from partisanism, imo.
I kind of find it funny how there are several threads where people discuss this as a tax loophole, but assume that you'd actually have to stage a ransomware attack in order to use the loophole.
That would entail actual work, reduce company productivity and induce steps that could go wrong along the way. I'd call that Rube-Goldberg style tax evasion.
You could just stage a ransomware attack before a prolonged downtime (eg. phishing happy new year emails from an account with leaked credentials in the source code that's accessible via website.com/.git) and hope that one of your employees will click on the attachment.
Ok, let me just put the moral compass aside for a moment and put on my John Grisham fanfic hat so I can answer to this:
You simply buy $CRYPTO_CURRENCY, siphon the money off into a shell company in your favorite tax haven, write it up as a ransom payment, done. You might not even need the first step by having the shell company pretend to be a crypto currency exchange.
If you are a big enough company to bother with shell company tax evasion shenanigans, you probably have enough departments that some of them barely know each other or communicate. Spreading a rumor of a single department being hit by ransomware should be enough in case someone from the IRS actually bothers to come by and ask around.
If you really must, maybe pay someone in IT some hush money and ask them to turn a few servers off for a day or so to put up a convincing show. I'd advise against that though, since in my experience, technical people are notoriously bad at lying about technical things.
But actually phishing your own employees and staging a real ransomware attack is an unnecessary risk with too many variables where things might actually go wrong. Besides, the people pulling the strings here may have a law and/or accounting background, but probably not IT.
Somehow they need to be taken into account: if you pay US $100,000 to a consultant to harden your infrastructure or if you pay US $100,000 as a ransom, you have in both cases US $100,000 less. The difference is that in the first case you have an invoice, whilst in the second the IRS has to trust you.
Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated to only get away with hiding/diverting the money (and pay no taxes on it).
The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.
Paying a ransom by definition puts the whole sum in a black hole, tax-wise.
> The key difference is that when I pay consultants they in turn pay the taxes (or in turn they have some expenses towards somebody else who eventually pays the taxes), so overall they are not lost.
Not really-really.
The consultants pay taxes on the money they get from you only because (if) they respect the Law, it is none of your business (it is the IRS's one) if the consultants later comply.
If you prefer, whether the consultants pay taxes or not doesn't change anything in your company's accounts, you have an expense and proper documentation for it, what happens after and outside the transaction is irrelevant.
The issue (from your or your company's point of view) is how to properly document the expense (and it is IMHO a tough one to document a ransom).
You may not care whether the consultant pays the taxes. The lawmakers that define the tax laws (implemented by agencies like the IRS in the specific case of the USA) do take into consideration where the money goes.
If the IRS currently doesn't care or doesn't check, that's a specific implementation issue of your country. Laws can be changed.
The insurance company reimburses you the US $ 100,000.
It is clear that financially that is 0.
But from a tax view point, if you cannot count the US $ 100,000 of the ransom as expenses you will be paying some form of taxation on the US $ 100,000 you received from the insurance.
> Point might be how to "certify" whether the ransomware attack is "real" or if it could be simulated to only get away with hiding/diverting the money (and pay no taxes on it).
Well, exactly this. Clarifying that ransom payments are tax-deductible creates a moral hazard whereby companies set up off-shore entities to conduct ransomware attacks. The parent company gets attacked, establishes a paper trail of "damages" (whether these damages are material is irrelevant, particularly as the stock market has shown that it won't punish companies for being the victim of cyberattacks), quickly pays the ransom, which moves the money off-shore into crypto accounts which can then be tumbled and funneled into shell companies. The off-shore cash can then be used off-the-books for a variety of purposes that indirectly benefit the parent company.
Good luck to the forensic auditors who try to follow the trail to show that the money never really left the parent company's control.
The choice is between paying $X (say, $10 million) to the government in taxes, where it is never seen again and only indirectly benefits the company (the roads and railroads argument), or "paying" that same money into dirty accounts that, yes, are limited in what they can achieve (i.e. you can't pay dividends from it or engage in capital construction in the name of the company) but can still achieve direct benefits for the company (e.g. paying for negative coverage of competitors' products, lining the pockets of influential people).
We should be doing the opposite. We should investigate how the ransomware occurred and then fine the business depending on how preventable the attack vector was and how much it affected public interest.
In 2014, American corporations paid approx. $600B in income taxes and $600B in wage taxes (the company's portion of social security). In addition, they pay another $100B in excise taxes and $400B in sales tax to state governments.
Can you explain this a bit more? I'm not sure how it contributes to the motivation for the attackers, as the motivation is already pretty high due to the ease of execution.
From my point of view, whether or not there is a legitimate process built around the ransomware attacks, the attackers will simply continue business as usual; there's no fear or penalty for them, the workflow of their process is not disrupted in the slightest (the bitcoin payments can still go through), and I don't really get the impression that the legal background of the victim's country is taken into consideration by the attackers.
(All of the above is why I'm pretty sure that the idea of "make paying the ransom illegal" will have no impact on the number of attacks, as such a policy does nothing to actually impede the workflow of ransomware; all it does is create another decision point for an already damaged group of persons as to whether they commit an illegal act or not to try to save their business)
I was thinking this plus the insurance will make it such that most companies will just pay the ransoms instead of working to secure their systems and train employees. No defense is perfect but also these criminals shouldn’t get paid.