
You're right, they didn't outright give a hard "no," but the story gets more interesting after New Bedford's counter offer. By attempting to negotiate, the city bought valuable time that they used to harden and restore their systems.



That didn't make sense to me. What did negotiating actually buy them? I don't see any indication that the attackers paused the attack.


Little to gain in restoring from backup if the same attack vector is still open. So it was really just a bit of misdirection.


It bought them time to figure out the root cause, fix it, and check if restoring backups is a viable option. Smart play.


Yes, but my understanding of the article is the city was negotiating in good faith. They were willing to pay the $400k. Still a lot of money.


Any reason laws can't be introduced making it highly illegal to pay a ransom, with serious criminal repercussions (same for government officials doing so)?

After all paying a ransom is very literally funding terrorism, in the most direct possible way.

"Whosoever knowingly pays a ransom", etc.

Of course those seeking a ransom could make their language less and less clear, so it's no longer clearly a ransom. But isn't that still an improvement over the status quo?

Maybe I'm missing something, but I don't see why it should be legal to pay.


Because you shouldn't criminalize being a victim.

I agree that it's probably a bad idea to pay a ransom, since that just supports the success rate and makes ransomware more popular. But do you really think that you should throw a grandparent in jail because paying a ransom is the only way they can get their digital memories back? Are you going to throw all of City Hall in jail because they needed to pay to get their tax records back?

The best option is to have good backups and not give into the demands, and that should be encouraged. But criminalizing people because they didn't adhere to the best digital practices is a bad idea.


In the 80s there was a wave of kidnappings in Italy. A new law made it so that relatives' bank accounts were frozen immediately and they were forbidden to pay. I don't remember the details but it was a wildly successful move.


Why didn't relatives of a victim stop informing police about the kidnapping? If the government didn't know, then bank accounts wouldn't be blocked. Now a victim has a reason not to inform the government, and now it is possible for kidnappings to continue without any government record, and we may come to a situation where it all looks nice on paper while it becomes even worse than it was before the law-maker's intervention.

Were those bank account blocks a successful move, or did kidnappings stop due to other measures the government made?


I can only assume that hiding the kidnapping of a prominent person for months is really hard. Also in a time of high distress most people probably preferred to seek help from the state rather than making the situation even more complex and stressful.


This is different, though. Freezing their bank accounts makes it impossible to pay and thus gives the victim a plausible excuse not to pay.


Right, in the same way that making it illegal for cities to pay would. Probably wouldn't stop normal people paying but they don't have $400k of data to steal.

So I'd say it's exactly the same.


It is not the same, as the city is essentially put in the situation where they need to choose between losing data and paying both a ransom and a fine (unless you want a federal agency to freeze ALL city controlled funds).

If you want to stop a city from paying, the law needs to state that even if they get their data back they need to delete it.


You shouldn’t criminalize victimhood, but for a municipality to have no backups should be considered criminal negligence - and if you do have proper backups, the cost of restoring them should be a small fraction of the ransom — so in such a setting, paying ransom should involve a criminal indictment even though it shouldn’t be about the payment.

This city had proper backups, and indeed was able to avoid paying ransom. Others weren’t so competent.

Unfortunately, these networks will continue to be insecure and that’s a real problem - right now everyone is pretending that it’s “lose your data or pay”, for which backups are useful. However, if a hacker gains a foothold into a network, and then, for 3 months, randomly changes records (say, randomly exchanging penalties owed among 1000 people every day through the day), then it’s unlikely backups will help - you’d have a mix of new and corrupt data in every backup set even if you have a daily one going back a whole year (and most places are lucky to have more than a week at daily)
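The slow-corruption scenario in the comment above, as an added example that is not part of the thread and is not New Bedford's or anyone's production code: a small "penalties owed" ledger is backed up nightly while an attacker with a foothold swaps amounts between random records every day. The simulation shows that essentially no nightly backup matches what the ledger should have contained, so "restore from backup" alone cannot recover. It then goes one step beyond the comment and shows one mitigation: an HMAC-chained audit log of legitimate writes, kept where the attacker cannot reach it, lets you rebuild the true ledger from the last known-good baseline and list exactly which records were tampered with. The record names, amounts, day counts and the key are all constructed for the demo; the assumption that the key and the log live outside the compromised host (application tier, HSM, or a write-once log sink) is what the whole technique rests on.

```python
"""Constructed demo: nightly backups vs. slow record corruption, and recovery
from an HMAC-chained audit log of legitimate writes."""
import copy
import hashlib
import hmac
import random

N_PEOPLE, N_DAYS, SWAPS_PER_DAY = 20, 30, 2
AUDIT_KEY = b"constructed-demo-key"  # assumption: held off-host, unreachable by the attacker


def chain_tag(prev_tag, record_id, value):
    """HMAC over (previous tag, record, value): each legitimate write is chained to the last."""
    msg = f"{prev_tag}|{record_id}|{value}".encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def simulate(n_people=N_PEOPLE, n_days=N_DAYS, swaps=SWAPS_PER_DAY, seed=7):
    """Run the scenario. Returns nightly backups, the per-day true ledger,
    the last known-good baseline and the audit log of legitimate writes."""
    rng = random.Random(seed)
    ids = [f"person{i:03d}" for i in range(n_people)]
    # Distinct amounts, so every attacker swap is an observable change.
    live = dict(zip(ids, rng.sample(range(10, 5000), n_people)))
    baseline = copy.deepcopy(live)   # known-good full copy taken before the foothold
    truth = copy.deepcopy(live)      # what the ledger should contain at each point
    audit_log, prev = [], "genesis"
    backups, truth_history = [], []
    for day in range(n_days):
        # Legitimate update through the application, which appends a chained log entry.
        who, amount = rng.choice(ids), 5000 + day
        live[who] = truth[who] = amount
        prev = chain_tag(prev, who, amount)
        audit_log.append((who, amount, prev))
        # Attacker edits the database directly, bypassing the application and the log.
        for _ in range(swaps):
            a, b = rng.sample(ids, 2)
            live[a], live[b] = live[b], live[a]
        backups.append(copy.deepcopy(live))         # nightly backup of whatever is on disk
        truth_history.append(copy.deepcopy(truth))  # what that backup should have held
    return backups, truth_history, baseline, audit_log


def clean_backups(backups, truth_history):
    """How many nightly backups match what the ledger should have contained."""
    return sum(b == t for b, t in zip(backups, truth_history))


def verify_log(audit_log):
    """Recompute the HMAC chain; an edited, dropped or reordered entry breaks it."""
    prev = "genesis"
    for record_id, value, tag_ in audit_log:
        expected = chain_tag(prev, record_id, value)
        if not hmac.compare_digest(expected, tag_):
            return False
        prev = expected
    return True


def rebuild(baseline, audit_log):
    """Replay the verified log over the known-good baseline to get the true ledger."""
    if not verify_log(audit_log):
        raise ValueError("audit log fails integrity check; do not trust it")
    ledger = copy.deepcopy(baseline)
    for record_id, value, _ in audit_log:
        ledger[record_id] = value
    return ledger


def tampered_records(backup, rebuilt):
    """Record ids whose on-disk value differs from the rebuilt truth."""
    return sorted(k for k in rebuilt if backup[k] != rebuilt[k])


if __name__ == "__main__":
    backups, truth_history, baseline, log = simulate()
    print("clean nightly backups:", clean_backups(backups, truth_history), "of", len(backups))
    rebuilt = rebuild(baseline, log)
    print("rebuilt ledger matches truth:", rebuilt == truth_history[-1])
    print("tampered records in last backup:", tampered_records(backups[-1], rebuilt))
```

Two caveats a practitioner should keep in mind. The chain detects edits, drops and reordering inside the log, but not truncation of its tail; you need the latest tag anchored somewhere else (a periodic signed checkpoint, or the log shipped to a sink the database host can only append to) for that. And the whole scheme assumes the attacker only got at the data store; once they can reach the application tier and the key, their writes look legitimate and you are back to needing a clean baseline plus human review.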


Criminal negligence requires violation of established standards. Not just 'common industry practice' or even 'basically sensible', but legally established standards bodies who have laid out what practices and requirements must be fulfilled. Computer and software systems lack these standards completely. There is nothing. As such, if a computer is involved, it is impossible to prosecute criminal negligence. This is a big issue that will only become more pressing, but there are strong arguments on both sides of the argument over whether such standards should be established or not.

Computer people don't want to raise the barrier to entry by requiring licensing and following regulations, and money people don't want to pay for licensed computer/software engineers. Not to mention just deciding what the standards should BE and how the standards body should be constituted and run is guaranteed to be a rats nest and a sequence of progress-thwarting horrors... but the cost of not tackling it and paying for it will cost lives. We can be guaranteed that.


For private individuals perhaps it shouldn't be criminal. But for businesses responsible for other people's private information? Yes, I think there is professional negligence if they cannot even restore backups in a timely manner.

(Or cannot detect infections before they become so widespread the whole thing falls down.)


The action that a business should be punished for is not keeping their customer's information secure. Paying a ransom to recover after they are the victim of a crime should not be what they are punished for. If they were doing everything right but still got hit by ransomware I don't think they should be punished. If you can prove that they wrote their login info on a sticky note and left it in the main lobby then you should punish the bad security practice if it exposes other people's information.

Several parts of the world have kidnapping and piracy issues, and you can buy kidnapping/piracy insurance to pay ransoms in case you are the victim of such a crime. I think most people in the world acknowledge that sometimes bad things happen even when you take reasonable precautions, and you shouldn't be punished just because you were the unlucky one. Most security experts agree that no computer system is un-crackable, there are just varying levels of sophistication and access needed to do so. We've even seen that Stuxnet was capable of jumping air gaps. If a business had such good security that their database and backups were air-gapped but still was hit by ransomware do you think that they should still be fined?


> If they were doing everything right but still got hit by ransomware

Then I'd say they weren't doing things right. Granted there should be exceptions for when they really did do their best, but generally no.

> Most security experts agree that no computer system is un-crackable

It doesn't have to be, merely needs being not worth the effort to the criminals.


Sure, maybe they could do more.

Could they have done more with the resources they had? Would taxpayers/stockholders fund it? Would a small business have the cash flow to do better? If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

It is really easy to say after something happens that they weren't doing things right. It isn't always so easy before things happen to know if things are done correctly, though. And trying to figure out what isn't worth it to the criminals is rather difficult. Some folks do quite a bit for an otherwise small amount of money, especially if they feel the victim "deserves" it.


> Would taxpayers/stockholders fund it?

And who pays the ransomware when it happens, if not the taxpayers/stockholders? Or does money just get created out of nothing when needed?

> Would a small business have the cash flow to do better?

IME small businesses can do it if they want to. It takes care, meaning policies, it's not expensive. Also small businesses are less attractive to large criminals.

> If they were told it was secure from the tech folks, would the non-tech folks have any way to prove this wrong?

If they got publicly ransomed, it would become very obvious something needed looking at. The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off, and everyone can see what happened, and other businesses can decide perhaps to up their security based on the results).

These are all strawmen. I'm not asking for uncrackability, merely due diligence. A little of that goes a long way. These arguments don't stand up. You seem to be arguing for... what?


> And who pays the ransomware when it happens, if not the taxpayers/stockholders?

considering the order of magnitude of places that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

> These are all strawmen. I'm not asking for uncrackability, merely due diligence.

but you apparently define due diligence as "not getting cracked," which while different from uncrackability is still an unfeasible demand.


> considering the order of magnitude of place that do not receive a ransom compared to places that get ransomed, the cost is probably on the security side.

And if ransoming is profitable, what does that do to the market? Does it a) inhibit more ransoming or b) encourage more ransoming?

> but you apparently define due diligence as "not getting cracked,"

Don't misrepresent me - here's what I actually said: "The process of potentially hammering them legally would involve them being taken to court where their level of culpability would be decided (and it may be they did do enough so get let off..."

So they can be let off. It says clearly.


An alternative is that by working together with law enforcement you can use the interactions with the criminals (together with tracking the money) to better understand the criminal organizations.

How is this different from making it illegal to give your wallet to a thief at gunpoint?

(obviously here there is the difference of personal harm, which correctly resides at a different level; at the same time the stance of non-negotiation with terrorist organizations was also justifiable in my opinion.

If what we can agree on is that you must wait for the permission of law enforcement before you pay a ransom, so that they can reasonably confirm you are not inadvertently funding ISIS and also put in place all available precautions, that is already a step forward.

Nobody thinks that paying a ransom is a good thing that should be done as soon as possible. At the same time not everything is a nail.)


> An alternative is that by working together with law enforcement...

If we put that on the table, yes, that's a grand idea.


The part I would criminalize is the money-wiring part.


I used to work for a city and had the demand been something reasonable to the size of the city (tens of thousands of dollars) they may have just paid it. The city I worked for had pretty good backups in place but still might have even done it to not lose a few days worth of work. FWIW the city I worked for was a suburban city with a population of about 80k


The city was ready to pay $400k. Or their insurance was, at least. Insurance was looking at it from the coldest perspective possible-- how much would it cost us to fix this otherwise?


Yup that's what I came here to say. It might have been easier to take a higher insurance premium and let it pay the ransom than to do a restore exercise. Either way, bravo.


There is of course the terrible secondary effect of encouraging more ransomware but the insurance companies can simply sidestep this by saying "we don't cover that."


Do you think Americans should be free to wire money to ISIS if it's a "ransom" - something as little as unlocking some digital photos?


The wording “free to” implies that the victim feels like they’re doing something voluntary rather than coerced.

Think of it this way - let’s suppose you make it a crime to give your wallet to a mugger with a gun. Is that going to end up with less crime, or just more people shot, and some innocent victims going to jail just because they didn’t want to get shot?


You seem to presume all of these cases are involuntary.

This seems like an excellent way to siphon public funds. Get infected by "malware", pay "ransom". Voilà, public funds are now some cryptocurrency under your control.

It would surprise me if this has never happened.


Replacing regular corruption, which is often "unethical but legal" or "barely punished", with a federal crime that is known to be harshly prosecuted doesn't seem like a great idea to me.


You have a good point that the standards could be different for individuals vs organizations.

My point is simply that Grandma shouldn’t go to jail or be punished because she got hacked and a hacker made her pay to get her grandkids photos back. If you’re saying we shouldn’t let state governments do the same I think that’s reasonable.


It is, however, a crime to give money to terrorist organizations. So the wording "free to" really means: do you think it should be legal to do so?


But how are we supposed to tell whether a given bitcoin wallet is controlled by terrorists?


I can cherry-pick counter-examples too: imagine Bill Gates or another billionaire paying a billion dollar ransom to ISIS, but letting them walk away for free because he is "just a victim". A law against paying ransoms should exist, maybe it should have exceptions for small amounts or something, but leaving them legal by default is way more problematic.


My examples weren't cherry picked, they were the most common type of occurrence and also the one directly related to the post.

But to attack your admittedly cherry picked example, I guarantee that the US government wouldn't fault Bill Gates, they would help him out and track the money that he transferred and turn it against the terrorists.


Sure, I would like to see the government tracking back the bitcoins and transferring them back.

By the way, another dark side of making paying ransoms legal is that transferring money to a terrorist group (just because they support it) now has plausible deniability: "Don't blame me! It was just a ransom!"


Let's clear one thing up: Fraud is still illegal, and I have never suggested that we legalize fraud. If you're using "ransomware" as a pretext to fund terrorism then you should go to jail- but a prosecutor should be able to prove your guilt. If, however, you pay a ransom because you are a legitimate victim then that should not be a crime.

Most of these "what ifs" get close to solutions in search of problems. Instead of ensnaring innocent people in the hopes of catching people who intentionally commit fraud and fund terrorism, let's use the laws we already have on the books to do so.

Edit to address the bitcoin issue: While a bitcoin transaction is hard to reverse, knowing the wallet addresses of terrorists and being able to track their bitcoin transactions would be a huge win for the good guys. And when that bitcoin inevitably gets turned into useful currency it will be another opportunity to track them. I don't think ISIS would move a billion dollars through bitcoin anyway, they'd probably pick a different method. That kind of transaction would be super hard to deal with and the network would get stressed to the point that trying to sell a billion dollars worth of bitcoin would ensure that it would be worth a lot less than a billion dollars.


> By the way, another dark side of making paying ransoms legal is that transferring money to a terrorist group (just because they support it) now has plausible deniability: "Don't blame me! It was just a ransom!"

Only if you assume that federal law enforcement agencies are a bunch of rule-following robots incapable of rational deduction.


If you think federal law enforcement isn't plagued by extremely dumb mistakes you are in for a treat: https://www.abc.net.au/news/2017-05-17/fbi-james-comey-trump...


No, that's not what I said. I'm saying that the feds are not going to go "Shit, this guy with ties to violent Islamic groups just sent $50,000 to Al Qaida, but he said it was to ransom the files on his PC! Our hands are tied!" That's not how the law works.


Is that dark side something that has actually happened?

It seems weird to talk about ‘making ransoms legal’ or ‘allowing ransoms to be legal by default’, as if someone has decided it. That’s not how laws work, at least in the US & EU. Laws can only limit rights, there aren’t any default restrictions.

Italy tried to make kidnap ransoms illegal, and it’s controversial, but there have been some high-profile cases of it backfiring. https://www.independent.co.uk/news/kidnap-makes-an-ass-of-it...


No dude, you'd end up arresting and trying people who do not deserve literally anything that was happening to them.


Just the first year at most, then word spreads around that paying a ransom is as bad as asking for ransom, and as people stop paying them ransomers stop doing them due to lack of money in that criminal enterprise.


So many innocent people pay ransoms. Any politician who pushed through that law would get destroyed by the press the first time the government imprisons some sympathetic person who panicked and paid a ransom to keep their nudes from being sent to their family.


Or the government has a word with the Tabloids who would love to run headlines "CELEB X'S KINKY SEX TAPES..."


Before Sarkozy, that was France's policy for hostage takers: the only thing you will receive is the GIGN. It caused a few losses but was generally considered an overall good strategy. Then Sarkozy started paying ransoms, and abducting French citizens in war zones started being profitable instead of calling for trouble.


> Any reason laws can't be introduced making it highly illegal to pay a ransom

Yes, there are many reasons. You seem to adopt a highly deontological ethical stance. But in actual decision making, being pragmatic, showing some grace by being human and making hard compromises, and at the same time being utilitarian are often more rewarding. For example, governments all over the world have (often secretly) paid ransom money for kidnapped citizens. If they couldn't do that any longer, because it is illegal, then that would doom the fate of many kidnapped citizens.

Elected officials should make reasonable decisions that minimize harm and costs and should be willing to make compromises, not brag with their iron fist policies no matter what the consequences are. (That's just my personal opinion, of course.)

> After all paying a ransom is very literally funding terrorism

Do you have any proof for that claim? If not, then you are merely watering down the meaning of the word "terrorism". AFAIK, these ransomware attacks are conducted by ordinary criminals, not by terrorists.


He's saying that the ransomware attack is itself a terrorist attack.


It's not, it's just robbery.

When everything is terrorism, nothing is terrorism.


San Francisco just declared the NRA to be a terrorist organisation, thereby instantly creating millions of terrorists - many of whom joined the organization not for political reasons but because you have to in order to shoot at certain ranges or to participate in safety classes or shooting sports.


Sure, but he's also saying that paying any ransom should always be illegal. To completely over-exaggerate - if after hitting the first tower of the World Trade Centre the terrorists said "pay us $100M or we'll hit the other building" then the logical solution is to make sure they get that $100M immediately. They have already demonstrated the ability to hit one building and kill hundreds of people by doing so - whatever price they name for preventing the second attack should be paid. Of course, we need to apply good sense to this - while paying ransom to save human lives is a good idea, we can have a discussion about paying ransom to save computer systems. I can see an argument being made that if it isn't paid, the city's welfare system stops working and the people in most need do not get the support they require - so resolving the situation quicker by paying the ransom can be the moral thing to do.


> then the logical solution is to make sure they get that $100M immediately.

What? No, that's not the logical solution. Have you considered the consequences of paying that money beyond the immediate deaths? You've suddenly put a real price on terrorist attacks - as in, if I decide to go through with a terrorist attack after 9/11, I know that I can extort the country for anywhere up to $100m. Hell, everybody with a grudge against the US suddenly has massive financial incentive to carry out attacks against the US. How many more people will die because you've decided that it's okay to pay terrorists?


They don't just disappear- the money is probably going to be marked, the people will be eventually traced and dealt with. Money is very traceable.

There are plenty of people with a grudge against the US, some of them quite rich. US foreign policy made sure of that. Extra 100 million would make no real difference. The thing stopping them is distance to US and threat of deadly force.


>Any reason laws can't be introduced making it highly illegal to pay a ransom, with serious criminal repercussions (same for government officials doing so)?

Technically no, but pigs will fly and the state police will stop abusing the overtime system first. Massachusetts is not known for passing laws that reduce the ability of government officials to do as they see fit, and of the possible reasons to pass such a law, "we gotta be responsible with taxpayer money" would have everyone crying with laughter on Beacon Hill. The idea of criminalizing paying a ransom for the common man is bad for reasons other commenters have stated. There is exactly zero chance of MA making it illegal for the government to do something peasants can do.


For anyone still reading this, I found this interesting article summarizing some of the subject:

https://www.ibanet.org/Article/NewDetail.aspx?ArticleUid=780...


I’ve seen too many laws passed with the best of intentions but lead to the imprisonment of the wrong people.


Switzerland has such laws.


That sounds like whitewashing to me, to be honest: The city were willing to pay a ransom, and are now trying to make it sound like a shrewd move instead of negotiating with criminals.


Restoring a backup they already had?

Get outta here
