Should we Make Ransomware Payments Illegal?

In an attempt to bring down ransomware, Australia is contemplating becoming the first country to ban ransom payments by making them illegal. This might sound like a great initiative but it is not necessarily a silver bullet. We are at risk of criminalizing the victims of crime. Ransomware is increasing in frequency and impact, a major risk to businesses and a nation-state threat. Governments must acknowledge that new policies created in a silo will be ineffective in an evolving and complex landscape. A ban is a simple policy, but unfortunately, this is not a simple problem.

Ransom payments can provide business leaders – usually as a last resort – a way to alleviate pressure on their organizations when all other controls have failed. While controversial, making payments illegal means that victim organizations might be left with nowhere to go when the worst happens. We must distinguish between companies that have invested and acted responsibly in building cybersecurity protections but still become a victim and those that have not prioritized cyber resilience.

When building cyber resilience strategies, decision-makers must implement both reactive measures and risk management protocols to minimize the impact of a cyber incident. Proper cyber resilience planning includes having responses to all eventualities, and ransomware payments play an undesirable but utterly crucial role here; they can prevent further harm being done to an organization, its supply chain or its employees and customers when all other options have been exhausted.

The picture is complicated further for policymakers by the rising trend of ransomware without encryption, which has lowered the technical barrier to entry for would-be hackers and broadened the pool of active cyber-criminals. We already see potentially highly damaging releases of private data being used as leverage against victims. Given the clear opportunities for hackers to shut down systems or disrupt operations in other ways, we can only imagine what might happen when victims protest that their purse strings have been tied by a national ransomware ban.

Plans to ban ransomware payments at a national or multi-national level also contain one fatal flaw: there will always be markets that choose to avoid playing by the rules or want to shape them to their own ends. This, unfortunately, is the nature of international diplomacy and negotiations. You only need to look at the current United Nations discussion around a global cybersecurity treaty to see how complex these talks can become.

In practice, this would likely mean that an organization impacted by a ransomware attack in a jurisdiction where payments are banned will find other channels to make the payment, such as via a third party in a jurisdiction without such a ban. This would be a major issue: organizations would be disincentivized from reporting the payments, as they would be illegal, and there would be no oversight of the amounts changing hands or the parties involved.

The other issue with pushing payments into the shadows would be insurance. As a highly regulated industry, insurers have to uphold the highest standards. Breaking the law is not part of that standard. We need a bigger cyber insurance market, not a smaller one. Is it realistic to expect that insurers would want to take on the risk of making payments via less regulated third parties?

Should these payments be discovered, would they not be concerned about the sanctions they may face in their primary markets? If we are to conclude that there would be unease about this, we can also likely assume that insurers simply would not offer organizations the coverage they need. Without that cover, victims will not have immediate access to the money required to pay a ransom, likely leading to greater and more prolonged harm to themselves and those who rely on them.

Unfortunately, there is still a large percentage of organizations ill-prepared to manage and contain ransomware attacks. They fail to prioritize building cyber resilience and, as a result, end up paying much more to avert a full-blown crisis once compromised. To avoid succumbing to cyber-criminals, business leaders must tackle the technology challenge and put proper governance and risk mitigations in place. It is critical to identify roles and responsibilities within an organization in the event of an attack, to understand which are the most valuable systems and ensure they are properly protected, and to have adequately war-gamed the response to a cyber-attack so that valuable time is not lost debating the best course of action when it happens.

As a community, we must focus on targeting the criminals, not criminalizing the victims. Banning ransomware payments will not stop organizations from being targeted. On the contrary, it will make matters worse for those who fall victim to criminal and state-backed groups, causing greater harm to the people and other businesses that rely on those victims. Introducing punitive measures may appeal to governments because taking a tough stance writes good headlines, but society will find more value in a positive and proactive approach.

This means investing in measures to help companies improve their cyber resilience, setting stronger guidelines for others to follow and mandating that CEOs and senior executives hold greater liability for implementing cyber resilience. And it leaves law enforcement concentrating on apprehending the perpetrators behind the keyboards. These measures may be harder to bring about and enforce, but if we want to tackle this issue properly, taking the easy option will not get us anywhere.