RE: Paying Ransomware Should be Illegal


Instituting regulations that benefit everyone is not a punishment. Do you consider the privacy laws that protect everyone's data a punishment? It was also claimed that those privacy laws would 'punish' businesses by causing them to go out of business (they did not). It was fear mongering because people didn't want to change.

Right now, companies are not investing in sufficient prevention or recovery. They are instead relying on cyber-insurance to pay the ransom. That helps nobody but the attackers. Change must occur. What you are proposing is to remain with the status quo. That only benefits the cybercriminals, cybersecurity firms, and insurance companies. It harms businesses and citizens.

For every way you can think of how a company can get around such a law, I can find a very plausible way they get caught and someone goes to jail. Executives generally won't risk that. Again, look at previous regulation that companies then adopt as the 'norm' of doing business. This too would happen with an anti-ransomware-payment law. They would simply adjust their policies and processes. It becomes the norm.


No, I support privacy laws. But this is a different issue with different circumstances. Adhering to privacy laws IS a burden on business. However, protecting themselves from cyber attacks is in their own best interest. Why would businesses continue to do something (or not do something) that causes them harm? That's why I believe it will happen without a law punishing victims. I don't necessarily support the "status quo", I just don't support your solution. I'll never support a solution that basically says that if I am held at gunpoint and give a thief my wallet that I am going to go to jail.

Until businesses have actual technical solutions to these problems in place, adjusting their current policies and processes will only help them to go out of business if they are the victim of such an attack. We don't need a law protecting businesses that are unwilling to protect themselves. If they are unable to protect themselves then a law won't help them if they are attacked and will be of questionable effectiveness in preventing such an attack. As long as attacks are essentially as easy as a phishing email, lessening the chances of the attackers getting paid isn't really much of a deterrent. They'll just make it up on volume. Somebody will still pay, regardless of law.


How is applying good security controls not in their best interest? Right now, companies are transferring the risk to insurance, instead of investing in good security.

Regardless, the problem gets worse over time as payments are made, making the RISKS greater for everyone! Paying ransoms is a short-term fix that creates a long-term cancer. Without change, more and more companies will go out of business because of ransomware (current stats show between 60%-90% of SMBs are out of business within 2 years of a cybersecurity incident).

There are no silver-bullet technical solutions! There won't ever be anything that can block all the potential attack vectors. The way to stop these attacks is to target the motivation of the attackers themselves.


> How is applying good security controls not in their best interest? Right now, companies are transferring the risk to insurance, instead of investing in good security.

It is in their best interest. That's my point. As time goes by, companies will put more effort into security and other mitigation procedures. They are already starting to. I know the company I work for is. Without having a law that outlaws paying ransom, I might add.

> Regardless, the problem gets worse over time as payments are made, making the RISKS greater for everyone! Paying ransoms is a short-term fix that creates a long-term cancer. Without change, more and more companies will go out of business because of ransomware (current stats show between 60%-90% of SMBs are out of business within 2 years of a cybersecurity incident).

Isn't it the responsibility of those companies to do what is necessary to mitigate those risks? If 60-90% of companies go out of business now because of ransomware (it would seem to me that "cybersecurity incident" might encompass a lot more than ransomware, though?), what will that percentage be if paying ransoms is outlawed? Fewer attacks? Maybe... A higher percentage of those attacked going out of business? Almost certainly.

> There are no silver-bullet technical solutions! There won't ever be anything that can block all the potential attack vectors. The way to stop these attacks is to target the motivation of the attackers themselves.

There are no silver-bullet laws either. And while there are no silver-bullet technical solutions that will block all ransomware, having good backup plans and procedures in place IN COMBINATION WITH whatever technical prevention solutions are available can make successful attacks less likely and recovery cheaper than the ransom, thereby solving the problem, at least better than any law. Why is it you think having proper backup procedures in place won't accomplish this? Why would you need to pay a ransom if you can restore the vast majority of your data from your own backups? I wonder how many companies have paid a ransom a second time because of another attack?


It is great that your company is investing more in security, but that is not the overall industry trend of investment necessary to mitigate ransomware. We are seeing a repeat of what companies did during the early years of data breaches: ignore the risks, transfer the risk to insurance, but not actually improve the security. It was not until regulations required them to notify customers of a data breach (then they had to pay for credit monitoring, etc.) that things changed. They went kicking and screaming, saying such a privacy regulation would bankrupt them. It did not. It was just them fighting against spending to keep their customers' data secure. The same is true now. Most companies want to secure a ransomware insurance policy versus spend on security and IT backups.

The financial incentives, which should align to the benefit of the consumer, were upside down. It took regulation to change things. The same is true now. I see it every day.
