Many organizations pay ransomware criminals, while anecdotal evidence suggests an increasing number don’t. But until recently, the consensus was that the decision to pay or not pay should be left to the victim.
Now it looks as if this choice might soon be taken away with the news that the Biden administration is considering banning U.S. organizations from making ransomware payments.
Evidence for this emerged in comments made by Anne Neuberger, deputy national security advisor for cyber and emerging technologies, in a speech given on May 5 at the Institute for Security and Technology’s Ransomware Task Force event.
“Do we ban ransomware, with a waiver? Fundamentally, money drives ransomware. For an individual entity, it may be that they make a decision to pay. But for the larger problem of ransomware, that is the wrong decision,” she said.
In other words, this is the latest version of the “tragedy of the commons,” the idea that what’s in the rational self-interest of each individual organization can end up being collectively disastrous.
There was, however, a need to look at exceptions for critical infrastructure where getting services back up and running was necessary. Consequently:
“If we were to think about banning ransomware payments, we would do so with a waiver. But we have to ask ourselves, would it be helpful more broadly if companies and others didn’t make ransom payments?”
Clearly, Neuberger’s comments are not the same as a formal policy announcement. No timescale or format for a ban on ransomware payments was suggested. And, as she indicated, some organizations would be exempt under some circumstances.
But even the fact that a ban is on the table is a change of heart for an administration that only a few months ago seemed to rule out any move on the issue.
Good, Bad, or Ugly?
The case against a ban is that it could unintentionally make things worse. Organizations might pay surreptitiously, opening themselves to future blackmail by the same attackers. Others might not report attacks at all to keep that option on the table.
It might also reduce the positive influence of the cyber-insurance industry, which agrees to pay toward attacks as long as organizations have improved their security.
Officially, the U.S. government discourages payment but leaves it up to organizations to make the final decision. So far, the only action to ban payments has come from a handful of states, which have made it illegal for government departments.
So, what changed the administration’s mind? The answer is probably the number of disruptive attacks, a trend with no end in sight.
As Neuberger pointed out in her speech, between 2020 and 2022, 438 hospitals and 240 schools were attacked in the United States alone. Banning payments would be an experiment, but one that might need to be considered as an alternative to the status quo.
If a ban were to come into force, it’s likely that other nations that collaborate with the United States in the International Counter Ransomware Initiative would implement similar policies. Without that, there would be a risk that the tough payment policy might simply displace attacks to other countries without such rules.
It’s not clear that banning payments would deter criminals. They know some organizations become desperate and will pay, and in some cases even risk breaking the law, to make that pain go away. Ransomware has flourished on the back of a deeper dysfunction in international geopolitics and the unregulated way the Internet has developed over two decades. Any ban would need to convince organizations that not paying wouldn’t simply end up making their lives even harder than they already are.