
Why don't we make getting mugged illegal while we are prosecuting victims. If you give your wallet to a mugger, you go to jail. Then no one mugs anyone anymore, right? /s

People pay ransoms because they want back whatever is being ransomed. Making it illegal to pay the ransom isn't going to stop that. It will just push everything underground and make it harder to catch the ransomers.




Because getting mugged isn't a choice that somebody makes. A closer analogue is criminalizing paying kidnapping ransoms. Which is a crime in several developed countries, so as to disincentivize kidnappers.


Technically it is illegal in the US, at least if the kidnapping organization is labelled as a terrorist group. However, as far as I can tell, no one has ever been prosecuted under this law.


If you think that getting hacked is a choice that somebody makes, you have your perspective way out of whack. Computers are hard.


I don't think my point was conveyed correctly to you. Getting hacked is not a choice and should not be criminalized. Paying ransoms to hackers is a choice and there are good reasons to prohibit that to disincentivize hacking.


Giving a wallet over while being mugged is the analogy to paying the ransom here. Having the knife brandished in your face is the analogy to the hack.

Not saying I agree with it either way, just pointing out that y'all appear to be talking past each other.


It's not really a good analogy.

If you get mugged you are coerced to give your wallet, on pain of _much_ greater punishment, usually the greatest there is - death.

If your company’s data is cryptolocked, you are coerced to give money on pain of getting that data lost.

The difference is that the punishment for non-compliance is much different.

If you made paying a ransom in this case illegal you would actually promote better backup/restore/security practices, at the cost of sometimes losing data.

If it was vital for that data not to be lost then not having adequate backups is a _much more_ serious problem as that data could be lost for different reasons. And you’re funding organized crime which has very bad downstream effects.

If you had to make a more adequate analogy, imagine someone stealing your personal documents then demanding money to get them returned - you should have a strategy to restore those in other events like fires and stuff, so you might pay money, or not. But if you do you encourage future theft like that for you and others, and that money might be used for some other, usually nefarious stuff.


That personal document could be life and death for some people. How do you determine the value of data being hacked? E.g. for a hospital, if patient data is hacked it could mean a life and death situation.


Nobody's life is ended by the leak or destruction of any document. How does a hospital patient record getting leaked or destroyed kill anyone? A leak means private data is being divulged and that's not good but it's nowhere remotely close to murder. Deleting medical data means that the doctors need to get that data from the patient redundantly, which causes a drain on hospital resources but again it's not remotely close to murder.

If, say, the mafia threatens to assassinate someone if a document is leaked and a hacker obtains and leaks it, the hacker still didn't kill anyone - the hitman sent by the mafia is the killer. And regardless, this kind of situation seems very far fetched.


I think the question then becomes if it's a life or death document why would you only have one copy and store it in a relatively insecure space?


No, because getting hacked does not threaten your life. Getting mugged does; the victim is acting under threat of injury or death.

Someone getting hacked is only acting under the threat of information or access to systems being released or eliminated. There is no immediate threat of force. Sure, if you want to get pedantic someone might hack a power plant and threaten to blow it up, but I've never heard of that happening and it's far, far different from the overwhelming majority of hacks.


No, paying the ransom is the choice.


As an example of nuances, in Italy there was once a strict law regarding ransom for kidnap cases that would immediately freeze all bank accounts of your close relatives.

This did not make it illegal to pay ransom and also gave the victim family a reasonable justification for not being able to pay.

Compared to just putting the victim between a rock and a hard place it looks like a nicer option.


> As an example of nuances in Italy once there was strict law regarding ransom for kidnap cases that would immediately freeze all bank accounts of your close relatives.

This seems so absurd. Freezing bank accounts causes so many issues for everyone involved; you just made an incentive not to declare a kidnapping and to try to solve it without interference from the police.

For sure you'll see far fewer bars if you make drinking illegal, but believe me, they are still there ;).


> you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

the same as the other method proposed.

> you just made an incentive not to declare a kidnapping and trying to solve it without interference from the police.

agree, but this does not make it illegal to pay, it just forces the ransom to be delayed so that the police can investigate. If the family manages to get money in another way then they can choose to pay.


Mugging involves threat of physical harm. Getting ransomware'd doesn't, and if cities stopped paying then this kind of attack would stop. It's more like outlawing giving muggers your wallet when you're dressed like Iron Man.


I'm not sure why the distinction between physical and virtual harm is relevant. Physical harm is valuable for a person to stop because their life has value to them, and virtual harm is valuable for an organization or person to stop because the virtual assets being harmed have value to the organization or person.

We could get into the monetary value of a life and whether a sufficient amount of virtual harm, especially when that virtual harm might reasonably translate into a life (emergency systems, insurance payouts, etc.), but I don't think we even need to.


The difference is the mugger gets your wallet one way or the other. The only difference is if you survive to tell the story. The ransomware attacker is only rewarded if the victim capitulates.

Edit: On the other hand, if the counter-factual was a mugger at an ATM demanding you enter your PIN, that distinction doesn't exist. So maybe you're right.

Maybe the right answer is to outlaw paying the ransom except to save human life, but also create a federal fund to compensate victims of these attacks.


I don’t like this argument: if the ransomware takes out emergency dispatch, hospital systems, etc it gets much closer to what you’re claiming.


That's assuming attacks that are specifically targeted instead of a scatter approach. If the latter, then it will only stop when the perceived potential for payout worldwide drops low enough.


What happens if the ransomware attacks don't stop? Do you spend a bunch of money on investigations to see if some of thousands of small towns or little agencies somewhere kept it quiet because the cost otherwise is huge? Up the fines the taxpayers will pay when they get caught?


You might be right for private individuals, but it's much harder for a business, let alone a municipal government, to pay a ransom under the table and get away with it.


Or easier, because the government can get away with a lot. Either way is speculation.


I think a viable alternative would be to flow the cost down to the elected or appointed officials in charge who created such an environment.

The town should have bylaws to force resignation and emergency elections in the event that this happens. Then the town should have legal precedent to bring the administration to civil court for damages. The town administration, personally, should be collectively on the hook to the town for the cost of the ransom.

It really does amount to a dereliction of duty.


It's not being the victim of a crime that would be illegal, it's the response to it.

If you are attacked by an unarmed person and you shoot them while defending yourself it's fairly common for that case to go to trial to test whether the homicide was justified. Presumably people have gone to prison under just those circumstances.

You could quite easily frame a law around justified ransom-paying; how fair it would be is unknowable.


Municipalities that don’t have backups aren’t the victims. Taxpayers are, and if they stop paying ransoms, they won’t be victimized any further.

