The Moral Hazard of Paying a Ransom!

Is there really a #moral #hazard around paying a #ransom, or are we just being typically and unduly #judgmental, without proper #introspection on how we would do anything to save ourselves, our friends and our families? It is easy to make a moral declaration and take a stand when you are not the one facing the difficult decision. Let me start by saying that I never encourage ransom payments until there is no other option; then I say, “It is between you and your #legalcounsel… whether you are coming back or not.”

It is easy to talk big from a distance when you are not losing everything you have spent decades building. Ever since the 1970s, there has been a #government mantra that we do not negotiate with #terrorists (unless of course it is #Iran, the number one #sponsor of #international #terror), and the public coldly repeats this pap as if they would not pay. In truth, I would not even blink at the choice to negotiate and pay a ransom if my family member or friend were kidnapped. My internal guilt would be zero for making that higher moral decision, and if there were short- or long-term criminal or civil ramifications (whatever they were), so be it. I would live peacefully knowing I did what I had to do to rescue a family member or friend who was taken by criminal human debris.

Now let’s talk about ransomware: the act of making data unreadable or inaccessible and demanding a ransom from the data owners. There is so much pandering on this issue that it borders on the ridiculous. I understand law enforcement saying don’t pay. I say the same, with the caveat: unless you must. I see tech and non-tech executives, security consultants (many of whom have never been near a major ransom case), government officials and others talking smack about how they would never pay and that people who do… are somehow lesser for it. It is hard to listen to, because these pontificators almost invariably have no idea what it is like to be the victim. I have heard “I will not pay” from several actual victims, right up until they realize all other options have been exhausted. They talk such talk (and righteously mean what they say) until they finally recognize the truth.

Paying is a deeply painful choice for many, and one I hope never to be forced to make. In so many cases, the security they paid for, the backups they were assured would work, and the professional services firms they trusted… all failed them. They eventually come to see that without paying, everything they have worked for, their income and retirement, the jobs of their employees (and the incomes of their respective families), the businesses of vendors that rely on them, their reputations in the community, even their homes and other personal assets (due to debts, lawsuits, etc.) are all toast… gone for good. Once they are clear on this, they inevitably make the gut-wrenching decision to pay... if they can. I am willing to bet that cashing in a retirement fund (yep, seen that), borrowing money or even selling off assets (seen that too) are not the first choices of those who have been victimized. But far too many do make these choices just to stay in business.

There have been a few very public grandstanders, like doctors who retired early rather than pay and the city of Baltimore, which in the end refused to pay, not because they are moral high-grounders, but because they could. Without exception, in the public cases I have seen, the refusers either had a way to recover and/or were government entities or well-to-do enough that they could just walk away. Those who shut down, or simply refuse to pay, often do so with no regard for the employees, patients, partners, etc., they leave behind. They disregard the massive losses in taxpayer funds (and the related lost services, such as hospitals and police, that may be canceled or deferred). Which is the real moral failure: spending $18 million in taxpayers’ funds that could save a life, educate children or house homeless families, or paying $80k to a threat actor who you truly hate to see get the money? In the case of the doctors, based on what I have read, the moral choice they made was to leave patients without their medical records by refusing a $6500 ransom demand. No recovery of the patient records, etc. Many grandstanders declare their resistance from their high horse, even though it is more likely than not their own neglect that allowed the event to occur in the first place.

It is true that many cases of ransomware were preventable. It is also true that in many cases, organizations have invested and taken the advice (albeit bad) of professionals claiming to make them secure, only to be let down. Insiders can also be the culprits. Vendor and professional exaggerations and overblown claims are everywhere. The claim that all a company needs to do is write vendor B a check has become a daily occurrence. Many cannot afford the high price of heavy layers, even if they actually worked. Many do not have the talent to support it and do the best they can with what they have. So please, do not judge and do not interfere unless you have been there.

I am hearing rumblings about Congress doing what Congress does: legislating on things it knows little to nothing about. They are talking about making it illegal to pay a ransom. I am a multi-award-winning public policy advocate who spent decades advocating for families and small businesses on the Hill, in many states and in my own here in California. Based on that record, I am not optimistic, and I hope they will not screw it up. Congress interviews representatives from massive companies and organizations that then make statements that are only true for themselves. They hear from big company lobbyists, a.k.a. snake oil salesmen, whose claims have no bearing on the small and medium businesses and individuals most impacted. Associations often go to the Hill and state that the membership supports what they are saying when in reality only a few large sponsors even know of the subject or the visit. I saw and heard this firsthand many a time as a citizen and as a tech association national board member and government affairs chair. They will say the membership agrees with things that were in fact not beneficial to most members in order to help the big companies that made huge contributions. Congress needs to stop listening to big tech, big pharma, big oil, etc., and start asking the SMBs with fewer than 2000, fewer than 500 and fewer than 100 employees what they think. Please, Congress, make sure you get a real view of the impacts before you step into this subject. You will devastate many you claim to represent if you do not.

Yeah, yeah, I know. If people pay, the criminals will just keep coming. Well, if they don't pay, critical companies, brands you all recognize, schools, etc., will literally be destroyed. There are enough attacks at this point that if some don't pay, the criminals won't skip a beat and will move on to the next.

We need to get real about security minimums, disaster recovery, incident response and other defensive measures. And when will we realize that issues like the privacy of cryptocurrency are real drivers of the massive growth in attacks? If victims had to write a check, transfer traceable cash, etc., none of this would exist on any measurable level.

Stop the victim shaming and stop the arrogant commentary about how those who pay should not. The moral hazard, from my perspective, is often the alternative.

What say you?


David J. McNeil

Principal at EPIC Insurance Brokers & Consultants

3 years ago

Pay (hopefully via cyber-insurance). And, live to fight another day. This situation mostly comes from bad cyber-hygiene practices. Choke off the ransom opportunity at all for the bad actors by patching, MFA, segmentation, etc., etc.


More articles by Kevin B M.
