The views expressed by contributors are their own and not the view of The Hill

Should it be illegal to pay ransom?

by Tara D. Sonenshine, Opinion Contributor - 07/07/21 4:30 PM ET

As cyber hackers strike at yet another major American company – this one a software firm – the U.S. government is trying to figure out how to prevent cyberattacks and how to stop businesses from paying ransom. The weekend attack was yet another example of how corporate America is being held hostage and the perennial question of what to do about it.

Cybercrime is predicted to inflict global damages totaling $6 trillion in 2021. For the U.S., the damages represent a major economic challenge.

In the latest case, the attackers demanded $70 million, to be paid in bitcoin in exchange for a decryption tool. (In an ironic twist, the firm that was attacked over the holiday weekend, Kaseya, sells technology that enables companies to manage their own information technology; yet it was unable to thwart this attack.)

The ransom payment demanded by the hackers would enable the 1,500 companies affiliated with Kaseya to unlock their systems and return to normal operations.

The alleged cyber hackers are based in Eastern Europe and likely backed by Russian operatives. REvil, the same Russian-language group that was behind the attack on a major meat processor JBS, posted its demands on a dark-Web site associated with the group.

Russian hackers are also accused of breaching a contractor for the Republican National Committee and continuing to hack at record-breaking levels.

The foreign policy implications are clear — Russia will have to be punished. Sanctions against Moscow have run their course. That means that harsher measures will be needed. The State Department is in discussions with multiple foreign governments to develop options and consequences that might include diplomatic expulsions and more aggressive counterstrikes, including in the cyber arena. What is tricky about responding with cyberattacks on Russia is avoiding a public tit-for-tat in a highly sensitive cyber battlefield.

So, what can be done, beyond diplomacy and retaliation?

As with kidnappers or terrorists, the key to stopping hackers is to stop paying them. That is easier said than done, especially when companies are eager to get back to business. But without ransom payments, there is little incentive for nations to employ hackers. If businesses stand firm in not responding with money — either virtual currencies or hard currencies — the number of cyberattacks could be reduced. Right now, hackers see value in hacking. In the case of the Colonial Pipeline, the company was willing to pay off the cyber criminals that hacked its servers in return for the key to ending the hacks. That is extortion, plain and simple.

Later, the Justice Department was able to recover millions of dollars — demonstrating that it is better to let government follow the money and better to let them intervene early.

Waiting for the government to respond is hard. Think about it from the perspective of a hostage taking. Rather than simply emptying your bank account to pay the terrorists, would you be willing to be patient and let an investigation unfold?

In cases where a city or municipality is hacked, it is easier to avoid paying ransom because shareholders are not pressuring corporate boards for returns on investment.

It is understandable that companies are loathe to allow a protracted investigation to interfere with profit. But if they don’t willingly agree to stop paying ransom, the cycle will continue.

One answer to that problem is to make it illegal for a company to pay ransoms. Insurance firms could also step in and support the anti-ransom movement by making it clear that they will not insure companies that pay out digital ransom.

As citizens, we have to start paying attention to corporate cyber hacking because it is one step on the road to attacking our own physical and digital wellbeing. If a major company is under threat, think about the implications for ordinary people, from health care systems to electricity grids. As consumers, we have a right to demand that companies both report hacking to the U.S. government and get out of the business of paying off the hackers. In the end, we all lose if cyber hackers are allowed to profit from their crimes.