by paulgb 1830 days ago
I think this is the key quote:

> "The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue," said Josephine Wolff

In an ECON 101 sense, ransomware attackers want to set the price as high as they can such that the victim will pay. A rational victim will consider their tax bill in the cost/benefit calculation. So although giving a tax deduction for ransomware seems like it reduces the burden on the victim, in the long run it just increases the reward for the hacker at the expense of the treasury.

3 comments

To be fair, AFAIK it's just a consequence of how our tax code is structured. Business expenses are tax deductible, and ransomware payments just happen to meet the definition of a business expense. It's not like Congress got together and thought "yep, we should definitely make ransomware payments tax deductible!".
I'm not sure funding criminal enterprise should be legal, let alone a permissible business expense.
Obviously we should make the cost of recovering from an attack deductible instead.
And now taxpayers are on the hook for shitty security. Hell why not?
Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.

That is to say, it's a sliiiightly entitled way to look at the matter.

What? Help me connect the dots here.
There are rules about what is taxed. If a rule says that something is not taxed is that the same thing as "taxpayers are footing the bill for that thing"?
Yes obviously.

Let’s say Bob and Sue make up their own society. Both make 100k each and agree to a tax rate of 50% to build roads they will both benefit from.

However Bob gets a 30k tax exemption because his name begins with “B”. Therefore the tax burden on Sue is greater and she’s subsidizing Bob’s road usage (and potentially having crappier roads).

There are legitimate reasons for tax exemptions, but as taxpayers we should always be critical of them.

So does a business dropping the ball on security mean everyone else who pays taxes should subsidize their screw up? Maybe… but it seems like a stretch to me and worthy of criticism.

If a business knows it will not incur a cost, due to writing off ransom payments as tax deductions, would that become a new strategy for corrupt CEOs to funnel money to themselves? Double dipping at the taxpayer's expense?
> And now taxpayers are on the hook for shitty security. Hell why not?

They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).

The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code; it's that damages and losses from crimes are treated like any other business expense.

I’d be OK with that if it was unpreventable. I think there needs to be a burden on the business to show they had some level (TBD) of security practices and policies.

I’d prefer if they had to have insurance so the market can determine how much crappy security would cost them.

We should want to minimize these instances.

Trying to enact policy via the second order effects of the tax code is a terrible idea.

If companies should meet a minimum standard of security practices and policies, then this should be legislated. Same as fire codes and OH&S standards.

If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance.

"If companies should have ransomware insurance, then mandate that companies should have ransomware insurance. Same as how certain organisations require public liability insurance."

This is what I'm saying. It's a far better solution than subsidizing bad security practices w/ tax. Require insurance and the insurance companies will ensure you have decent security practices (or pay a lot more). If you can't afford it for your business, well then your business can't compete in the market.

Obviously the details matter though. It would be rough at first, but eventually insurance companies would have a vested interest in quality security audits.

Brrrrrr goes the federal reserve printing press.

When you still have reserve currency status for the world you can do dumb things.

Unfortunately those dumb things are catching up to us…

With the Federal Government treating it as a crime of terrorism, does that mean the airlines now have a claim given the 9/11 attacks?

Seems that everyone is choosing an easy way out instead of the hard choice that needs to be made.

I would rather see the hard choices made instead.

I.e., maybe Russia cannot be directly attacked, but certainly Russian forces in Ukraine can be attacked in a cyber manner,