Breaking the Ransomware Cycle: U.S. National Policy Options
July 2021
Topics: Policy, Critical Infrastructure Protection, Cybersecurity, Risk Management
Holding objects of value hostage until a ransom is paid for their release is an ancient vice, but it has acquired special salience in the digital age, as cyber criminals in this era of internet-facilitated computer network dependencies have learned to take data itself hostage in return for ransom payments.
The explosive growth of “ransomware” attacks in recent years is the result of dynamics in which the cost and risk to attackers have all but disappeared, victims’ incentives to pay promptly have increased, and the profitability of ransomware crime has duly exploded. Predictably, this has attracted steadily more predators to the “game” of digital ransom, and has produced a “feeding frenzy” of ransomware attacks, which U.S. officials have labeled a national crisis.
We will be unable to rein in the ransomware problem unless we directly address the game-theoretical incentive structures that have produced this crisis. By taking effective steps to realign these incentives—such as by incentivizing ransomware-resistant “best practices,” ending victims’ ability to pass cyber ransom costs along to insurance providers, imposing traditional “know your customer” and other associated banking regulatory practices upon cryptocurrency transactions, and taking steps to reduce cyber criminals’ ability to rely upon safe haven in jurisdictions such as Russia—we may be able to break the vicious circle in which we presently find ourselves.