I assume this proposal is at least somewhat tongue in cheek based on the title, but if the US really wanted to nip this in the bud could they not instead make it a crime punishable by jail to pay the ransom?
This is by far the most effective solution to the problem. The Foreign Corrupt Practices Act [1] was highly effective at stopping US businesses from paying bribes in foreign countries, with many other developed nations following suit with similar laws. Such a law for ransomware would no doubt also be effective. Companies pay lawyers specifically to audit their processes around FCPA compliance because the penalties are so severe. No executive wants to go to prison because a salesperson hires some “consultant” in Thailand to win a deal…
How do you know it was highly effective? Do the audits enhance compliance or just ensure non-compliance is well concealed? The SEC's enforcement actions page shows a continuous stream of actions against large corporations ("Goldman Sachs Group, Inc. - The firm agreed to pay more than $1 billion to settle SEC charges that it violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA in connection with the 1Malaysia Development Berhad (1MDB) bribe scheme. See related action against Tim Leissner (10/22/20).") since they ramped up enforcement in 2007. How do you know that's not just the tip of the iceberg?
The main perverse incentive I see here is that it encourages companies to hide the fact that they've had a breach so they could pay the ransom w/o consequence.
I do think regulation making ransoms hard/impossible to collect is the way to stopping the immediate problems posed by ransomware.
More disturbing, however, is that such hacks just underpin how vital infrastructure is exposed to nation states. When the motivation isn't collecting a ransom but rather to disable a country's vital infrastructure, such regulation would do little.
The theory behind banning ransom payments is an attacker won't go to the risk and expense of kidnapping someone if they know there's only a 1% chance they'll get paid.
But if the attack is an automated bulk exploitation of thousands of computers all around the world - why should an attacker stop targeting US computers just because US companies are banned from paying?
There already are "security consultants" who will do the dirty work of paying the ransom and handing the victim the decryption key. Pretty hard to stop that sort of thing, no?
Make it strict liability? I.e. if you paid for a "consultant" and it just so happens that he paid off the ransomware operators without your knowledge, you'll still be liable.
That's going to be nearly impossible to enforce, because the first thing that will probably happen is that companies will stop reporting ransomware attacks. And these "consultants" could be based anywhere, as well as further outsource their work to independent contractors, shell companies, etc. So getting hard evidence that there's been a ransom payment will likely be a wild goose chase.
More likely the "consultants" will handle the decryption process, and the company's own engineers, who are probably already shell-shocked and under huge pressure, will be told to just be thankful that the experts have secret, proprietary technology to deal with the ransomware. Even if the engineers want to be whistleblowers (at the risk of sacrificing their own jobs/careers), it'll be pretty hard to get enough conclusive evidence that a ransom was paid.
For one thing the bud has already bloomed into a vast field. For another, criminalizing the behaviour of the victims is rarely all that effective, especially when difficult to track and enforce.
That may or may not help. If a company has a choice between going out of business and some probability of the CIO going to jail, you know what they're going to choose.
But the choice is really between a personal risk of going to jail or a personal risk of finding a new job. As long as the individual risk outweighs the collective reward the incentive to lie should be small.
Besides, unless 2 or 3 execs can also implement the recovery procedure without any of their engineers catching wind I don't think it's likely that the secret would remain well kept.
The CIO can resign instead of going to jail. It all depends on how strictly the law gets enforced. If only a few get caught, then it becomes a dishonor to not have "the balls" of just risking it, and you'd not get a new job as CIO if you didn't want to play it out. But if it's guaranteed to get caught, nobody would do it.
> The CIO can resign instead of going to jail. It all depends on how strictly the law gets enforced. If only a few get caught, then it becomes a dishonor to not have "the balls" of just risking it, and you'd not get a new job as CIO if you didn't want to play it out. But if it's guaranteed to get caught, nobody would do it.
Right. Humans don't strictly adjust their behavior according to the game theoretic adjusted risk (penalty × probability). Raising the odds of getting caught tends to work much better than increasing the penalty.
That said, one of the outgrowths from this observation has been Broken Window Theory (that credits a drop in larger crimes to increasing enforcement and speedy mitigation of other - highly visible - minor infractions), which turns out to be more of a just-so story. You mostly have to increase the odds of getting caught for the crimes you are most interested in deterring rather than something else.
[1] https://en.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act