As a matter of principle, many are sympathetic to the view “give in to the criminal and you breed more criminals”. It is a vexed question, and even the experts can’t agree if this is better or not – many fear that prohibiting ransomware payments will simply drive the payments underground and enable cyber criminals who do receive ransoms to extract additional ransoms for not reporting breaches of that prohibition. Banning ransomware payments can also lead to difficult moral problems for businesses – what if payment of a ransom is the only available pathway to unlocking a hospital system for critically ill patients?
We believe there is merit in requiring notification not just of ransomware incidents, but of ransomware payments. This is not new. Not only has this previously been proposed in Australia, but just last month, US legislators proposed a bill for a Ransom Disclosure Act that would mandate notification of ransomware payments by governments and businesses. In Australia, this is currently the case for reporting entities that may have to submit suspicious matter reports to AUSTRAC if they make a ransomware payment in the course of providing a designated service and suspect that the person or transaction is linked to a crime (which will usually be the case for a ransomware attack).
The requirement to report ransomware payments to government would do two things. It would give businesses considering whether to make a ransomware payment pause for thought, and any reports made would aid intelligence gathering. Speaking at King & Wood Mallesons’ digital future summit, the CEO of the Cybersecurity Co-operative Research Centre, Rachael Falk, said because cybercrime is significantly under-reported, not requiring payment notification was a “missed opportunity” for valuable pattern analysis and operational intelligence about the cyber criminals behind ransomware attacks. Such information could enable more effective implementation of the important disruption and deterrence initiatives outlined in the Ransomware Action Plan.
In any event, even if there is no legislative prohibition on making ransomware payments, there may well be a market-driven outcome – where ransomware payments decrease if insurers withdraw coverage or increase premiums significantly due to increasing ransomware activity.
There is no perfect solution to fixing the ransomware problem. The Ransomware Action Plan is a good first step, but more can be done.
– The authors are technology law partners at King & Wood Mallesons