Are Ransom Bans the Answer to Cutting Down on Cyber Attacks?

What if paying a ransom was illegal? While opinions vary widely, some policymakers believe preventing ransomware victims from making payments would remove the incentive for the crime in the first place.

A June 2021 press conference following the Colonial Pipeline ransomware attack.
There are nearly as many opinions on how to play defense against the ransomware threat as there are cybersecurity professionals. The prevailing thought early on seemed to be to never, ever pay a ransom. (“We don’t negotiate with terrorists” comes to mind.) But that’s easy for a remote expert to say, one who’s not facing catastrophic disruption to their organization, not to mention the collateral damage to public confidence and reputation.

And while the actual impact of ransomware is difficult to quantify, one expert told Stateline that last year more than 110 state and local governments were hit. That number jumped to almost 1,700 for schools, colleges and universities.

As the threat evolved, there were rumblings, albeit quiet ones, that victims of ransomware should just pay the ransom. Maybe it’s the most expedient way of putting the incident behind them? While some security experts were aghast at the suggestion, some agencies, particularly smaller, under-resourced ones, do make that decision when their backs are against the wall, vowing to beef up their defenses to keep from being hit again. The approach got validation, of sorts, from reports that oftentimes organizations spend way more money recovering from an attack than they would have paying the original demand from the hackers who infiltrated their systems.

One element of cybersecurity strategy that has gained ground alongside ransomware is cybersecurity insurance. While it does not replace the need for good cyber hygiene practices (keep those patches up to date, back up your data, etc.), many public agencies now purchase an insurance policy to help mitigate losses and add a layer of protection. Government Technology’s sister organization, the Center for Digital Government, reports that it’s now more likely than not that cities, counties and states have cyber insurance policies. Our feature “Is Cybersecurity Insurance Out of Reach for Government?” looks at how the cybersecurity insurance market is changing to keep up with the growing threat.

But policymakers are also contemplating what should be done about ransomware. Legislators in multiple states have taken up proposals in the name of protecting citizen data that would ban victims from paying ransoms. The argument is that bans disincentivize the crime, sending would-be ransomware attackers to go pick on someone else.

It’s encouraging that many of these proposals include funding to boost the cybersecurity posture of under-resourced governments to guard against attacks in the first place. And exceptions are being incorporated into the discussion on bans, such as utility companies and hospital systems, where legislated bans could put lives and critical infrastructure at risk.

U.S. Energy Secretary Jennifer Granholm voiced support for ransom bans on Meet the Press recently, though she acknowledged uncertainty about whether the Biden administration was prepared to take a policy step in that direction.

“I think we need to send this strong message that paying a ransom only exacerbates and accelerates the problem. You are encouraging the bad actors,” she said.

But the idea does not have universal support, based largely on the continued vulnerability of most public and private organizations to cyber threats like ransomware.

John Davis, retired U.S. Army major general and vice president of Palo Alto Networks, served as the co-chair of the Ransomware Task Force for the Institute for Security and Technology, which presented its ransomware framework earlier this year. Davis recently described the discussion among task force members (a broad coalition of international representatives from government, the private sector and academia) about ransomware payment bans as “the most contentious thing the task force debated.”

Davis explained that until the task force’s key recommendations are implemented broadly, banning ransom payments is “impractical and potentially counterproductive.”

“We’re not there yet. We need to raise the maturity of the ecosystem that surrounds the problem itself,” he concluded. But unlike bans on ransom payments, what’s not contentious is pointing resources toward making the public sector a less vulnerable target.

Noelle Knell is the executive editor for e.Republic, responsible for setting the overall direction for e.Republic’s editorial platforms, including Government Technology, Governing, Industry Insider, Emergency Management and the Center for Digital Education. She has been with e.Republic since 2011, and has decades of writing, editing and leadership experience. A California native, Noelle has worked in both state and local government, and is a graduate of the University of California, Davis, with majors in political science and American history.