To ban or not to ban, that’s the tough question currently under debate by lawmakers around the world in response to the skyrocketing rate of ransomware attacks on businesses, government agencies, and other organizations.
Advocates for outlawing ransomware payouts believe it’s a simple matter of supply and demand: If hackers know organizations in a state or country are prohibited from making ransom payouts, they’ll focus their attacks elsewhere. The FBI frowns on the practice of ransomware payments, believing they incentivize the bad guys to keep plying their trade. Besides ongoing debates in Congress, at least three states—New York, Pennsylvania, and North Carolina—have considered ransom bans this year, and legislation has been put forth at the state and federal levels by both Republicans and Democrats.
Skeptics fear such legislation may do more harm than good, creating a host of additional problems for hacking victims, possibly making them even more vulnerable to further threats. If an organization chooses to skirt the law and pay a ransom, hackers will then be able to blackmail the target further to keep such information secret.
Megan Brown, a former counsel to the U.S. attorney general, falls in the skeptics' camp. Now a cybersecurity lawyer at Wiley Rein LLP, Brown sympathizes with business owners and organization leaders who find themselves increasingly under attack.
In a candid discussion with Endpoint, Brown offers her views on the laws now being considered by Congress, which would require victims to report ransomware attacks and ransom payments, and why she is not convinced they will help.
The conversation has been condensed and lightly edited for length.
How do you advise a company that has been hit by ransomware on whether to pay?
Companies tend to make the binary decision of whether or not to pay fairly quickly on their own. Then the role for lawyers is managing the risks of that decision.
What are the risks of making a ransomware payout under current law?
There’s the risk that you’re giving money to terrorists. And that’s illegal. Various federal regulatory regimes, whether it’s the Office of Foreign Assets Control [OFAC] or others, have a big, hard red stop sign before you give money to terrorists, or anyone on the designated entity list.
It’s a strict liability regime, which means even if you didn’t know you were giving money to a front for a terrorist group, were it to come out, you’re in trouble.
So why do companies wind up paying cybercriminals?
There’s a huge risk I think people don’t appreciate. If you’re a senior executive, or you’re on the board of a company, you have a fiduciary duty to that company and its shareholders and owners and investors—everyone from hedge funds to the grandma and granddad who have their retirement in the stock.
So let’s say your company gets hit with a crippling ransomware attack. You can’t get your backups to work, and all your data is encrypted. If you don’t pay the ransom, are you fulfilling your fiduciary duty? If you can save the company for hundreds of thousands in bitcoin, then what’s the rational action for that fiduciary to take? In many instances, it’s to pay.
Many believe paying ransom is the wrong thing to do. Period. Shouldn’t companies take more responsibility for protecting themselves up-front?
The people who are absolutists—“It’s immoral to pay the ransom”—should tell that to a medical practice that can’t schedule surgery. Or a company that cannot access its critical files, can’t provide service, and the company’s going to die.
I reject the premise that these companies have brought this on themselves. And even if they did, as a society, is the right answer that a company goes out of business? That a school can’t function or that a bunch of sensitive data ends up on the dark web?
Still, isn’t there a public-policy case for putting a stop to making ransomware payments?
Oh, for sure. You are creating a market that includes incentives for continued bad action, right? You’ve got bad guys out there offering ransomware as a service to other bad guys because there’s money to be made. I just am not convinced that the answer is to punish the victims.
What about clamping down on the use of cryptocurrency to facilitate the paying of ransom?
The blockchain people would say that the use of bitcoin and these digital currencies actually helps because there are ways to track payments. You saw that with DOJ [Department of Justice] clawing back some of the Colonial Pipeline ransom.
What do you make of the ransomware laws that the Biden administration is promoting and that Congress is currently considering?
There seems to be consensus building toward a broad incident-reporting mandate. Some bills would require victims to tell the government very quickly if they have been subjected to a ransomware attack or threat, if you have paid ransom, and to whom. The private sector needs to know that when you have a cyberattack, somebody is going to expect you to report it.
Are we likely to see legislation that would outlaw paying the ransom outright?
It wouldn’t shock me to find that’s in one of the less viable bills.
That’s not where the momentum is?
The language I’ve seen requires checking against the bad-guy lists and then looking at alternatives to payment, such as asking: Can you get back in business with your backups? Can you do something else before payment?
The idea is to make sure you have done your due diligence before payment. Candidly, I think a lot of that due diligence already occurs. No company wants to run afoul of the OFAC regime.
Are the proposed additional reporting requirements reasonable?
My concern is that mandatory reporting is likely to chill voluntary cooperation. A lot of companies already call DHS [Department of Homeland Security]. They call the FBI.
When you have a law that says you must report within 72 hours, and if you make a mistake the government is going to nail you, that changes the calculus. Today, you might be freer to say, “This is what we saw, but we don’t know exactly what we’re looking at.”
You might be sharing a little more freely than if it has to be a written report and it has to have the following 25 things—and if you get something wrong, the agency can come back and fine you.
If you were in charge of drafting the laws, what would they be?
I don’t know if we need another law. Or, if you’re going to legislate, you should try and encourage voluntary activity with a carrot, not so much the stick.
If you want someone to do something, make it cheap and risk-free for them to do it, right? Give them liability protections, make it easy. There is already CISA, the Cybersecurity Information Sharing Act of 2015, which is permissive. It encourages voluntary sharing and gives a whole bunch of nice protections for that activity. I don’t know why they’re not looking at strengthening that, but here we are.