The debate over whether organizations should give in to ransom demands to regain access to encrypted data is heating up as more states move to ban the practice. North Carolina, Pennsylvania, Texas, Arizona, and New York have either banned or are seeking to ban ransom payments.
Most of these regulations only apply to state agencies, but the New York proposal would also apply a ban to businesses operating within the state. There are also bills floating around the U.S. Congress that would similarly ban ransomware payments in all 50 states.
The rationale for this legislation is that if everyone agrees not to make ransom payments, there will be no money to be made, which would then lead to a significant drop in the number of attacks being launched. The trouble with that line of reasoning, according to the Federal Bureau of Investigation (FBI) in the U.S., is that ransomware gangs would just view those laws as an opportunity to extort more money from any organization that decided to ransom its data regardless of what any law mandates.
The factors that might drive an organization to deliberately not comply with that law are varied. In many cases, the cost to the business is going to be a lot higher than the penalty that might be levied should anyone discover a ransom was paid. In other cases, the data may be critically important for delivering life-saving healthcare.
Of course, levying a fine essentially amounts to punishing the victims of ransomware attacks. In addition to incurring whatever impact stolen data has on the business, victims will be hit with additional penalties for illicitly attempting to recover their data. The one thing that is certain is that, faced with those penalties, very few organizations will be willing to admit they have been victimized. In effect, no one would ever know the true extent of criminal ransomware activity.
The primary issue with that approach is that it relies too much on sticks rather than carrots to combat ransomware. The reason ransomware is so prevalent is that most businesses don’t do a good job when it comes to protecting their data. Incentives that encourage businesses to make sure they can access a pristine copy of their data are likely to have a much more positive effect. A national awareness campaign that encourages businesses to ensure they can achieve that goal would substantially reduce the total pool of potential ransomware victims. As it then becomes steadily less profitable to launch ransomware attacks, there should over time be a corresponding decline in volume.
Carrots, naturally, don’t obviate the need for sticks. However, a national campaign to combat ransomware also serves the dual purpose of making the public more aware of the need for them. The fact of the matter is that ransomware hurts the economy. Businesses that were victimized have closed. Money that went to cybercriminals has not been available to invest in the businesses that create jobs. In effect, everyone, whether they realize it or not, is a victim of ransomware. The problem is that they just don’t yet realize the extent of it.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.