Vaccine for the Hacker Attack Epidemic
Stop paying ransom!
Hackers are in it for the money. Most of the serious cyberattacks on schools, hospitals, and individuals include demands that a ransom be paid by the victim to regain access to hacker-locked data. Payments are usually made in untraceable Bitcoin. Each ransom that is paid encourages further hacking.
The federal and state governments can act immediately (assuming the federal government can do anything immediately) to pass laws forbidding the payment of ransom by any government-supported institution. The in-it-for-the-money hackers will have no incentive to spend effort where no ransom is possible. This is, of course, the same logic that the US and Israel use in not paying ransom for victims of kidnappings by terrorist groups. Each ransom finances terror and incents more kidnapping.
Hackers will test this resolve and attempt to punish those who don’t pay ransom. Individual institutions have not been able to resist this pressure; legislation will give them the gift of no alternative. We may want to have some funds allocated to help the first stand-fast institutions so long as not a penny goes to the hackers. “Millions for defense but not a penny for tribute”, Thomas Jefferson may or may not have said to demands for payments by the Barbary Pirates.
Government institutions will still have to keep their defenses up so that attacks are expensive to pull off as well as unlikely to have any return. Moreover, these institutions have a responsibility to protect the data in their possession from being stolen and used for identity theft or other nefarious purposes (although there is very little data which is really secret).
When public institutions are no longer a lucrative target, hackers will redouble their effort to collect ransom from the private sector and from individuals. Individuals can very easily put themselves beyond extortion with cloud-based backup and recovery services as described here. The best defense for an enterprise against being tempted to give in to a ransom demand is assuring that even hacker-locked data can quickly be restored to uninfected machines.
Although I don’t think government should pass laws against private individuals and institutions paying ransom, government can still help by assuring that institutions cannot be sued purely because they refused to pay a ransom; refusal to pay is not negligence. Governments could also discourage private ransom by making it a non-deductible business expense. Private enterprise does need to spend money hacker-proofing itself.
Piracy is a parasitic affliction which will probably always be with us in some form. We must do all we can to prevent it from being either easy or lucrative.
See also: Protecting an Enterprise from Cyber Catastrophe
Protecting Yourself from Cyber Disaster
At 11AM ET this morning (Wednesday, December 9) I will be on Common Sense Radio hosted by Bill Sayre discussing cyber security. The broadcast is on WDEV - 96.1 FM, 550 AM, 96.5 FM, and 101.9 FM and streaming is live at https://wdevradio.com/stream/