CrimProf Blog

Editor: Kevin Cole
Univ. of San Diego School of Law

Tuesday, September 7, 2021

Westbrook on Ransomware Payments

Amy Westbrook (Washburn University School of Law) has posted A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security (New York University Journal of Law and Business, Forthcoming) on SSRN. Here is the abstract:
The United States is under ransomware siege. Victims range from small municipalities to non-profits to multi-national corporations and governments. The law is struggling to respond.

Few entities, crippled by a ransomware attack, can refuse to pay. Not paying the ransom may result in significant harm, including financial ruin or even loss of life. Paying a ransom, however, is likely to generate attacks on other targets. Paying may not even lead to recovery of the data as promised.

By definition, paying ransoms transfers value to criminals, and that is against many laws. But more than simple illegality is at issue. While ransomware hackers may be lone criminals or infamous cyber-gangs, they may also be hostile foreign countries, or non-state actors such as terrorist groups. Ransomware and other digital threats have the potential to compromise U.S. critical infrastructure.

Strategically significant economic transactions have long been prohibited or highly regulated. In the wake of the September 11th attacks, the discovery and prevention of terrorist financing became a key pillar of U.S. security architecture. Under this regime, paying a ransom, thereby aiding the “enemy,” may trigger liability. Regulators have threatened enforcement of sanctions and anti-money laundering laws not only against ransomware victims who pay, but also against third-party service providers who facilitate payment. Both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) have issued advisories emphasizing their strict policies against paying prohibited persons or transmitting funds without required procedures.

How to steer between the Scylla of legal liability and the Charybdis of a cyberattack? Sometimes ransoms should be paid as the lesser evil. Confronted with the potential damages of a ransomware attack, people may rightly choose to pay. On the other hand, society cannot allow itself to be held hostage. Those who endanger individual lives, enterprises, and core social functions must be resisted. That is, the status quo, in which many enterprises simply pay off cybercriminals, thereby incentivizing more cyberattacks, is unsustainable.

This article argues that the threat of legal liability for ransomware payments, with no positive incentive for potential victims, is unlikely to spur adoption of sound security measures or even to stop payments, and may be counterproductive if it leads victims to conceal attacks. Instead, this article suggests the creation of a safe harbor for ransomware payment that (i) enables the victim and those who assist the victim to pay when necessary (protecting stakeholders), but that also (ii) deters attacks (hardening targets) and (iii) facilitates interdiction of attacks that do occur (defending national security).
