So, if you had your data stored on a cloud storage platform that created and maintained ZFS snapshots, Mallory could gain all of the credentials and still not be able to touch your daily/weekly/monthly snapshots.

Now, if only there were a cloud backup platform that included zfs snapshots ...

Unless you've given them "destroy" that is.

> Now, if only there were a cloud backup platform that included zfs snapshots ...

I see what you did there...

I'm not sure if it's feasible to have ransomware lock backups as they're restored, however.

Trickbot for example will be on a machine for 2-5 months so that it's in your backups, and is commonly followed by Ryuk ransomware.

So if you get hit with Ryuk and just restore from backups without re-mediating anything you will likely be hit with Ryuk again.

They didn't say no. It's odd there is so little recourse against things like this.

After all paying a ransom is very literally funding terrorism, in the most direct possible way.

"Whosoever knowingly pays a ransom", etc.

Of course those seeking a ransom could make their language less and less clear, so it's no longer clearly a ransom. But isn't that still an improvement over the status quo?

Maybe I'm missing something, but I don't see why it should be legal to pay.

I agree that it's probably a bad idea to pay a ransom, since that just supports the success rate and makes ransomware more popular. But do you really think that you should throw a grandparent in jail because paying a ransom is the only way they can get their digital memories back? Are you going to throw all of City Hall in jail because they needed to pay to get their tax records back?

The best option is to have good backups and not give into the demands, and that should be encouraged. But criminalizing people because they didn't adhere to the best digital practices is a bad idea.

Was those bank accounts blocks where a successful move, or kidnappings stopped due to other measures government made?

So I'd say it's exactly the same.

If you want to stop city from paying the the law need to state that even if they get their data back they need to delete it.

This city had proper backups, and indeed was able to avoid paying ransom. Others weren’t so competent.

Unfortunately, these networks will continue to be insecure and that’s a real problem - right now everyone is pretending that it’s “lose your data or pay” for which backups are useful. However, if a hacker gains foothold into a network, and then, for 3 months, randomly changes record (say, randomly exchanging penalties owed among 1000 people every day through the day), then it’s unlikely backups will help - you’d have a mix of new and corrupt data in every backup set even if you have a daily one going back a whole year (and most places are lucky to have more than a week at daily)

Computer people don't want to raise the barrier to entry by requiring licensing and following regulations, and money people don't want to pay for licensed computer/software engineers. Not to mention just deciding what the standards should BE and how the standards body should be constituted and run is guaranteed to be a rats nest and a sequence of progress-thwarting horrors... but the cost of not tackling it and paying for it will cost lives. We can be guaranteed that.

(Or cannot detect infections before they become so widespread the whole thing falls down.)

Several parts of the world have kidnapping and piracy issues, and you can buy kidnapping/piracy insurance to pay ransoms in case you are the victim of such a crime. I think most people in the world acknowledge that sometimes bad things happen even when you take reasonable precautions, and you shouldn't be punished just because you were the unlucky one. Most security experts agree that no computer system is un-crackable, there are just varying levels of sophistication and access needed to do so. We've even seen that Stuxnet was capable of jumping air gaps. If a business had such good security that their database and backups were air-gapped but still was hit by ransomware do you think that they should still be fined?

Could they have done more with the resources they had? Would taxpayers/stockholders fund it? Would a small business have the cash flow to do better? If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

It is really easy to say after something happens that they weren't doing things right. It isn't always so easy before things happen to know if things are done correctly, though. And trying to figure out what isn't worth it to the criminals is rather difficult. Some folks do quite a bit for an otherwise small amount of money, especially if they feel the victim "deserves" it.

And who pays the ransomware when it happens, if not the taxpayers/stockholders? Or does money just get created out of nothing when needed?

> Would a small business have the cash flow to do better?

IME small businesses can do it if they want to. It takes care, meaning policies, it's not expensive. Also small businesses are less attractive to large criminals.

> If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

If they got publicly ransomed, it would become very obvious something needed looking at. The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off, and everyone can see what happened, and other businesses can decide perhaps to up their security based on the results).

These are all strawmen. I'm not asking for uncrackability, merely due diligence. A little of that goes a long way. These arguments don't stand up. You seem to be arguing for... what?

considering the order of magnitude of place that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

> These are all strawmen. I'm not asking for uncrackability, merely due diligence.

but you apparently define due diligence as "not getting cracked," which while different from uncrackability is still an unfeasible demand.

And if ransoming is profitable, what does that do to the market? Does it a) inhibit more ransoming or b) encourage more ransoming?

> but you apparently define due diligence as "not getting cracked,"

Don't misrepresent me - here's what I actually said: "The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off..."

So they can be let off. It says clearly.

How is this different from making it illegal to give your wallet to a thief at gunpoint?

(obviously here there is the difference of personal harming which correctly resides at a different level; at the same time the stance of non-negotiation with terrorist organization was also justifiable in my opinion.

If what we can agree on is that you must way for the permission of law enforcement before you pay ransom so that they can reasonably confirm you are not inadvertently funding ISIS and also put in place all available precautions that is already a step forward.

Nobody think that paying ransom is a good thing that should be done as soon as possible. At the same time not everything is a nail.)

If we put that on the table, yes, that's a grand idea.

Think of it this way - let’s suppose you make it a crime to give your wallet to a mugger with a gun. Is that going to end up with less crime, or just more people shot, and some innocent victims going to jail just because they didn’t want to get shot?

This seems like an excellent way to siphon public funds. Get infected by "malware", pay "ransom". Voilà, public funds are now some cryptocurrency under your control.

It would surprise me if this has never happened.

My point is simply that Grandma shouldn’t go to jail or be punished because she got hacked and a hacker made her pay to get her grandkids photos back. If you’re saying we shouldn’t let state governments do the same I think that’s reasonable.

But to attack your admittedly cherry picked example, I guarantee that the US government wouldn't fault Bill Gates, they would help him out and track the money that he transferred and turn it against the terrorists.

By the way, another other dark side of making paying ransoms legal is that transferring money to a terrorist group (just because they support it) now has a plausible deniability: "Don't blame me! It was just a ransom!"

Most these "what ifs" get close to solutions in search of problems. Instead of ensnaring innocent people in the hopes of catching people who intentionally commit fraud and fund terrorism, let's use the laws we already have on the books to do so.

Edit to address the bitcoin issue: While a bitcoin transaction is hard to reverse, knowing the wallet addresses of terrorists and being able to track their bitcoin transactions would be a huge win for the good guys. And when that bitcoin inevitably gets turned into useful currency it will be another opportunity to track them. I don't think ISIS would move a billion dollars through bitcoin anyway, they'd probably pick a different method. That kind of transaction would be super hard to deal with and the network would get stressed to the point that trying to sell a billion dollars worth of bitcoin would ensure that it would be worth a lot less than a billion dollars.

Only if you assume that federal law enforcement agencies are a bunch of rule-following robots incapable of rational deduction.

It seems weird to talk about ‘making ransoms legal’ or ‘allowing ransoms to be legal by default’, as if someone has decided it. That’s not how laws work, at least in the US & EU. Laws can only limit rights, there aren’t any default restrictions.

Italy tried to make kidnap ransoms illegal, and it’s controversial, but there have been some high-profile cases of it backfiring. https://www.independent.co.uk/news/kidnap-makes-an-ass-of-it...

Yes, there are many reasons. You seem to adopt a highly deontological ethical stance. But in actual decision making, being pragmatic, showing some grace by being human and making hard compromises, and at the same time being utilitarian are often more rewarding. For example, governments all over the world have (often secretly) paid ransom money for kidnapped citizens. If they couldn't do that any longer, because it is illegal, then that would doom the fate of many kidnapped citizens.

Elected officials should make reasonable decisions that minimize harm and costs and should be willing to make compromises, not brag with their iron fist policies no matter what the consequences are. (That's just my personal opinion, of course.)

> After all paying a ransom is very literally funding terrorism

Do you have any proof for that claim? If not, then you are merely watering down the meaning of the word "terrorism". AFAIK, these ransomware attacks are conducted by ordinary criminals, not by terrorists.

When everything is terrorism, nothing is terrorism.

What? No, that's not the logical solution. Have you considered the consequences of paying that money beyond the immediate deaths? You've suddenly put a real price on terrorist attacks - as in, if I decide to go through with a terrorist attack after 9/11, I know that I can extort the country for anywhere up to $100m. Hell, everybody with a grudge against the US suddenly has massive financial incentive to carry out attacks against the US. How many more people will die because you've decided that it's okay to pay terrorists?

There are plenty of people with a grudge against the US, some of them quite rich. US foreign policy made sure of that. Extra 100 million would make no real difference. The thing stopping them is distance to US and threat of deadly force.

Technically no, but pigs will fly and the state police will stop abusing the overtime system first. Massachusetts is not known for passing laws that reduce the ability of government officials to do as they see fit and of the possible reasons to pass such a law "we gotta be responsible with taxpayer money" would have everyone crying with laughter on beacon hill. The idea of criminalizing paying a ransom for the common man is bad for reasons other commenters have stated. There is exactly zero chance of MA making it illegal for the government to do something peasants can do.

https://www.ibanet.org/Article/NewDetail.aspx?ArticleUid=780...

Get outta here

I guess the good news is that we can now sell backups as "anti-ransomware" cybersecurity.

"Backup is lets says weekly and someone high up the chain really wants the power point he put together on Tuesday." is probably what happened in my experience.

But if you know how to run a script (and hopefully anyone administering a 100 computer network does), at least on Linux / Mac, you could use bup or borg or a few others to have effective immutable hourly backups that take almost no space - we do that where I work. I’m sure there’s something similar for Windows.

TimeMachine in macs has a similar feature set notably lacking proportional space (insert 1 byte anywhere in a 5GB file and the snapshot takes an additional 5GB)

Because that's what they had an insurance policy for.

A second reason would be to give the attackers reason to pause, in case they somehow had a second bomb to throw, while IT hardened defenses:

>Since the attack, the city has installed additional security software and is developing new protocols.

Ancient wisdom: If you don't test your backups then you don't have any backups.

What exactly are the FBI doing about this. Perhaps if they got off their asses and quit investigating Presidential piss parties they could find this email recipient. How hard is it for the FBI/NSA to trace an email. They just want to cry about going dark instead. If foreign put a CIA hit on the computer terrorist.

Backup software has been touted as protection from malware and cyberattacks for a very long time.

I would put a delay in ransomware so it sneaks in weekly and monthly backups, and only then trigger it. If stuff gets restored, sneaked warez will activate again. I bet backups are overwritten after several months.

No user's apps? No Registry? Ok, sneak it in Word document then. This delay thing can be applied wholesale, not targeted.

Macro execution is supposed to be disabled on Word/Excel, though I trust that less (and there’s always the issue of some unpatched/zeroday); however, to go through here is more expensive for attackera because much more individual targeting and customization is required.

If you get hit with a cryptolocker and you have no backup you simply lose that data. Or you can pay the ransom, get your data back and go to jail.

While this might seem unfair, it might stop 1000 other attacks because there will be no money in it. It would be for the greater good.

People pay ransoms because they want back whatever is being ransomed. Making it illegal to pay the ransom isn't going to stop that. It will just push everything underground and make it harder to catch the ransomers.

Not saying I agree with it either way, just pointing out that y'all appear to be talking past each other.

If you get mugged you are coerced to give your wallet, on pain of _much_ greater punishment, usually the greatest there is - death.

If your company’s data is cryptolocked, you are coerced to give money on pain of getting that data lost.

The difference is that the punishment for non compliance is much different.

If you made paying a ransom in this case illegal you would actually promote better backup/restore/security practices, at the cost of sometimes loosing data.

If it was vital for that data not to be lost then not having adequate backups is a _much more_ serious problem as that data could be lost for different reasons. And you’re funding organized crime which has very bad downstream effects.

If you had to make a more adequate analogy, imagine someone stealing your personal documents then demanding money to get them returned - you should have a strategy to restore those in other events like fires and stuff, so you might pay money, or not. But if you do you encourage future theft like that for you and others, and that money might be used for some other, usually nefarious stuff.

If, say, the mafia threatens to assassinate someone if a document is leaked and a hacker obtains and leaks it the hacker still didn't kill anyone - the hitman sent by th mafia is the killer. And regardless that this kind of situation seems very far fetched.

Someone getting hacked is only acting under the threat of information or access to systems being released or eliminated. There is no immediate threat if force. Sure, if you want to get pedantic someone might hack a power plant and threaten to blow it up, but I've never heard of that happening and it's far, far different from the overwhelming majority of hacks.

This did not make it illegal to pay ransom and also gave the victim family a reasonable justification for not being able to pay.

Compared to just putting the victim between a rock and an hard place it looks like a nicer option.

This seems so absurd. Freezing banks accounts cause so much issue to everyone involved, you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

For sure you'll see much less bar if you make drinking illegal, but believe me, they are still there ;).

the same as the other method proposed.

> you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

agree, but this does not make it illegal to pay, it just forces the ransom to be delayed so that the police can investigate. If the family manages to get money in another way then they can choose to pay.

We could get into the monetary value of a life and whether a sufficient amount of virtual harm, especially when that virtual harm might reasonably translate into a life (emergency systems, insurance payouts, etc.), but I don't think we even need to.

Edit: On the other hand, if the counter-factual was a mugger at an ATM demanding you enter your PIN, that distinction doesn't exist. So maybe you're right.

Maybe the right answer is to outlaw paying the ransom except to save human life, but also create a federal fund to compensate victims of these attacks.

The town should have bylaws to force resignation and emergency elections in the event that this happens. Then the town should have legal precedent to bring the administration to civil court for damages. The town administration, personally, should be collectively on the hook to the town the cost of the ransom.

It really does amount to a dereliction of duty.

If you are attacked by an unarmed person and you shoot them while defending yourself it's fairly common for that case to go to trial to test whether the homicide was justified. Presumably people have gone to prison under just those circumstances.

You could quite easily frame a law around justified ransom-paying, how fair it would be is unknowable.

Also notice that this won't necessary ransom payments. It will raise the cost to: 1. The victim who pays with jail time. 2. Society who spends time investigating and jailing victims.

Notice that ransomware authors are not on that list.

I'm not so sure. We're nearing an interesting equilibrium where insurance companies pay ransoms, thereby taking an interest in the security of their pool, while attackers probe for vulnerabilities.

Put another way, we have a pen testing group being paid by a digital security group. If the net result is better security in exchange for the insurance "tax," that could be a modest improvement.

Scroll down about 2/3rd to the "Insurance" heading for his complete comments: https://www.bloomberg.com/opinion/articles/2019-08-27/the-li...

For a ransomware to propagate that way it would have to employ multiple exploits against unknown operating systems, and against computers managed by people who should have some idea about security rather than just the desktop of a random employee. In many cases you'll be backing up to storage provided by a 3rd party who simply don't even offer the capability to run code, or permanently delete data programatically.

I'm waiting until ransomware starts leveraging the encryption functionality in common backup systems. Not many sysadmins would notice if their backup encryption keys were changed-out for 6 months and deleted at the same time that the "encrypt all the data" event happened. (The only Customers I've ever worked with who were already doing air-gapped backup verification were regulated businesses in the financial sector.)

If you use thin clients or at least require all files to be stored on a centralized server, then no matter how many hundreds of PCs were affected, you'd only have to go through on set of images.

It would be pretty hard to get your ransomware to encrypt all those offsite backups sitting in a vault somewhere.

Of course, at the start a few hostages were sent back to families piece by piece. But word did get around after that.

So instead of straight out crime, contracts if implemented globally, nationally or even statewide, might be a solution. I'm probably overlooking something :)

> But the data just doesn't support it. Kidnapping is really a crime of opportunity. And there is no evidence or very little evidence to suggest that kidnappers are checking passports, and your nationality is going to determine whether you're kidnapped or not, regardless of the particular policy that your government has.

https://www.pbs.org/newshour/show/why-u-s-policy-toward-nego...

Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?

From a certain perspective, ransomware identifies & forces correction upon institutions that have been careless with their security or backups. Truly nasty attackers could do even worse: stealing & reselling data, or leaving silent long-term compromises in place to bleed targets more extensively.

So, carving out an safe harbor for "uncontracted vulnerability discovery & remediation" via the payment of modest ransoms could be a socially-efficient policy, aligning incentives of many participants: targets, the customers of targets, and grayware authors.

Perhaps, the whole process could be automated even without explicit support from lawmakers: leave an appropriate crypto balance, on the systems at risk, in a conventional place. It'd mean: "If you can see this, we know we've screwed up – but we're OK with you taking this amount, and no more, if you close the hole behind you & leave us a note of what we did wrong." Viewing the movement of that bounty on a blockchain would be a public disclosure of the compromise, and gray-hat actors that confined their activity to the collection of such bounties wouldn't need to fear criminal prosecution.

(Hmm, maybe we should just put private-keys controlling small bitcoin-balances into any free-form fiels of our records with typically-careless institutions – so we can independently sense when our private data has been accessed by dishonest actors – whether institution insiders or hackers.)

We can't even hold commercial software developers to enforce secure coding standards, yet we're expected to trust anonymous malware writers to write code that is proven to not exfiltrate data and trust that they are ethical enough to reveal all of the weaknesses they found?

But, those grayhats seeking to use this safe-harbor would be more open about their identities & methods. They can even deposit their earnings into KYC'd bank accounts!

So imagine some bad-faith actor pretends to be complying, but then turns out not to be & tries to double-dip – taking both the conditional bounty, and more. Such people will now be competing with other hackers who are playing by the rules – leaving the nastier actors fewer open systems. And anyone who seems to obfuscate their identity/methods will stick out as a likely bad-faith actor. Thus I'd expect they'd be a lot easier to catch, and have more to lose, than in the status quo.

To some extent, the current risk of criminal penalties will cause them to be more damaging. What they're doing is already illegal; why minimize collateral damage? Why not try to double-dip, both stealing data and encrypting it? Why not disappear if there's any risk of discovery, rather than follow-through with decryption keys and information about plugging holes?

Also, the current regime means only "criminal"-minded people are performing this activity. And yet, the activity still has some positive side-effects! It causes organizations to close security holes (which could put their customers' data at even greater risk) and improve backup procedures.

A limited carve-out for "responsible" vigilante penetration-and-remediation would allow other more-law-abiding operators to participate in this activity, with more responsible practices. (You could do this with your real name & put your wins against name-brand organizations on your resume!) This should lead to flaws being more rapidly discovered & closed, and perhaps at less cost and collateral damage than the current legal regime – which, after all, isn't doing a great job of catching perpetrators or assigning accountability to vendors and IT departments after incidents.

The selfish and optimal play in this scenario is to be among good-actors using ransomware and never both with the effort of allowing users to decrypt their data, but surprisingly few people are acting this way - enough that most companies have confidence gambling that the criminal that just compromised their system will act honestly. It's seriously astounding.

If the policy were responsive and funded to the point where individuals outperforming them by putting in some effort was a rare thing then it might be reasonable to impose a fine for giving in (as it encourages more crime). Right now ransomware is thriving on the fact that LEOs are too disorganized, underfunded and unmotivated (since this is way outside the domain knowledge of their personnel) but if some serious efforts were made to provide secure recovery snapshots as a public service then maybe we could look at taking this route.

As it is right now ransomware attacks are incredibly common and usually conceded to, you'd be fining pretty much everyone.

It wouldn't stop any attacks because the ransomers are already willing to break the law, the only thing that would change is that you'd end up punishing a few victims that get caught paying.

Probably after reporting the crime in the first place, which means victims will be less likely to report it. That hardly sounds like a sensible solution, or any solution at all because it wouldn't affect the actual criminals at all.

Now the attacker can extort twice.

They'd rather pay the ransom to a criminal than invest the time it takes to restore backups?

If ransomware was able to infect the machine, then I doubt the data was safe either

https://www.bloomberg.com/opinion/articles/2019-08-27/the-li...

And the linked article:

https://www.propublica.org/article/the-extortion-economy-how...

Tl;dr: perverse incentives, paying some ransoms is in the interest of cyber crime insurers, as it expands the cyber crime insurance market. Also there's more ransomware crime now that the word is out that insurers do pay out ransoms.

This should work to take any government and larger companies off the target of these groups as they are likely to obey these laws. Kinda like the we dont negotiate with terrorists approach.

Cloud Volumes ONTAP has the best snapshots out there, immutable and without any resource penalty. you can take any size snapshots (or restore) in seconds. you can also create clones out of these snapshots, so you can check if that data been affected or not, again in seconds. Adding to that Cloud Manager's Ransomeware protection that blocks known Ransomware files.

In short- this is the best solution out there for any hybrid/ cloud and it can actually be cheaper than free, if you have enough capacity, due to all of its storage efficiencies like dedup, compressions and compaction, with auto-tiering of unused blocks to the checper object storage,.

Let's say they instead of doing this week's work, they do last week's, next week they're still a week behind and you have to start paying 100+ government employees overtime in order to regain the catch up on the remaining week. This could take a while to catch up and be incredibly expensive.

The $400,000 wasn't taxpayer money it was their insurance companies offer to make this go away.

Based on having grown up in the region and having, um, "connections" to state and local government I think it is highly likely that their desire to not throw out work was based around reasoning around how their public image would be affected if a batch of fines/taxes/fees/bills had to be waived. Cutting people (collectively, waiving something on a case by case basis is fine) a break because the government screwed up is kind of a non-starter because of the possibility of setting a precedent.

It also assumes no one but the employees would have to put time into recreating the repeatable work.

For example, people turning in documents in order to get permits. Now they'd have to figure out which ones were lost and regenerate them. It adds up.

According to random Google result #1: https://www.2-spyware.com/remove-ryuk-ransomware.html#qm-h2-... the specific malware distribution is unclear but likely involves email attachments and/or vulnerable and exposed RDP.

While reporting on ransomware cases often sounds like targeted APTs, more often than not the details in these stories read like "we didn't bother to pay enough admins to actually patch and secure our systems" and "we didn't train our users not to click on every random attachment".

The counter offer of 400k was presumably the break even point for the cost of losing X days of work (depending on what was lost that could involve manually recovering things like tax payments, billing, tickets, etc)

It doesn't need to cost a lot. What does a city need? Email, calendar, office apps, VoIP, file sharing, static website (basically GSuite). All of these have open source Linux solutions that cost nothing.

RedHat, Palantir, or some other would be happy to take this contract. It's ok to use contractors to kill people but not run computers?

This assumes at least one higher government body has technical chops and could reasonably extend their codebase. The cost could be paid by the equivalent of what would go to the ransom

For a small city, then yeah outsourcing might make sense. For a large one? Probably not.

The maths for cost is very simple: every person the contractor brings in is being paid for by the government, but now in addition to paying those employees, you also have to pay for a separate set of managers, and executives, and finally the business markup for profit.

If your org is large enough there is no way outsourcing is cheaper - it may be “easier”, but it inherently must cost more.

I would agree with this if you were talking about a real business, but this is government. An island full of 14 year olds can't be trusted to operate a power plant, even if they outnumber the employees of Pacific Gas & Electric. It's not a choice between outsource vs insource security, it's a choice between security or none at all.

Obviously employing those exact people may not be possible, but theoretically a large enough city can draw others of similar skill.

What if the police chief had emails admitting to bribes or worse stuff on his pc? What if the hacker had an enemy he wanted framed and arrested?

Unless he's admitting to doing something that is directly counter to the platform of the ruling party (e.g. aiding ICE, rubber stamping CCW permits, racial profiling, etc) nobody would care. There would be some token outrage but it would mostly be business as usual. This is just how MA works. There's very much a "well that's government, nothing you can do, no sense getting bent out of shape over it" attitude by the majority of the population in MA.

For example, the state police overtime fraud is a recurring (every 1-3yr or so) "scandal". The latest instance is basically out of the news already.

My current company is much smaller in size and had 2 ransom attacks that I saw happening (in ~2 years). We use nimble as a backup and it is quite expensive (hundreds of thousands actually, depending on infrastructure) but worked flawlessly to restore all our systems in a short time. You will loose a few hours of work though. Attack vectors are the usual: mail with infected attachment and users with too many rights on documents. The attackers even know names of people working at the company and use correct mail signatures (not actual mail signatures, just the colorful stuff you put at the end of every business mail).

If production stopped for a week, the contractual penalties alone would probably eat up sums like that.

the first rule of laws and regulations should be, government must adhere to the letter if they are to be enforced upon others seeking penalties if compliance is not met.

it is really difficult to hold government agencies responsible, it doesn't even have to be computer security, just look at the number of cities in the US who violate lead levels in water. even better, in the US, a lot of what happens can be protected from suits by sovereign immunity.

So keep it simple, what is required of private organizations and people is the minimum standard that a government agency must meet

Do you ... backup?

I was asked once to do reference design of Windows on AWS. After I learned how many ports has to be open for every machine and all of them had to be in same network as Domain Controller, I quit my job.

> If you believe that ransomware doesn't exist for macOS

Example? I have not seen any.

Windows holds perceived monopoly on company-wide identity control. There are Mac solutions: https://www.jamf.com/products/jamf-pro/deployment/

https://en.wikipedia.org/wiki/Russell%27s_teapot