A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security
SSRN, ISSN: 1556-5068
2021
- 2 Citations
- 1,999 Usage
- 12 Captures
Article Description
The United States is under ransomware siege. Victims range from small municipalities to non-profits to multi-national corporations and governments. The law is struggling to respond. Few entities, crippled by a ransomware attack, can refuse to pay. Not paying the ransom may result in significant harm, including financial ruin or even loss of life. Paying a ransom, however, is likely to generate attacks on other targets. Paying may not even lead to recovery of the data as promised. By definition, paying ransoms transfers value to criminals, and that is against many laws. But more than simple illegality is at issue. While ransomware hackers may be lone criminals or infamous cyber-gangs, they may also be hostile foreign countries, or non-state actors such as terrorist groups. Ransomware and other digital threats have the potential to compromise U.S. critical infrastructure. Strategically significant economic transactions have long been prohibited or highly regulated. In the wake of the September 11th attacks, the discovery and prevention of terrorist financing became a key pillar of U.S. security architecture. Under this regime, paying a ransom, thereby aiding the “enemy,” may trigger liability. Regulators have threatened enforcement of sanctions and anti-money laundering laws not only against ransomware victims who pay, but also against third-party service providers who facilitate payment. Both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) have issued advisories emphasizing their strict policies against paying prohibited persons or transmitting funds without required procedures. How to steer between the Scylla of legal liability and the Charybdis of a cyberattack? Sometimes ransoms should be paid as the lesser evil. Confronted with the potential damages of a ransomware attack, people may rightly choose to pay. On the other hand, society cannot allow itself to be held hostage. 
Those who endanger individual lives, enterprises, and core social functions must be resisted. That is, the status quo, in which many enterprises simply pay off cybercriminals, thereby incentivizing more cyberattacks, is unsustainable. This article argues that the threat of legal liability for ransomware payments, with no positive incentive for potential victims, is unlikely to spur adoption of sound security measures or even to stop payments, and may be counterproductive if it leads victims to conceal attacks. Instead, this article suggests the creation of a safe harbor for ransomware payment that (i) enables the victim and those who assist the victim to pay when necessary (protecting stakeholders), but that also (ii) deters attacks (hardening targets) and (iii) facilitates interdiction of attacks that do occur (defending national security).
Bibliographic Details
http://www.scopus.com/inward/record.url?partnerID=HzOxMe3b&scp=85179503551&origin=inward; http://dx.doi.org/10.2139/ssrn.3899370; https://www.ssrn.com/abstract=3899370; https://dx.doi.org/10.2139/ssrn.3899370; https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3899370; https://ssrn.com/abstract=3899370
Elsevier BV