I’m no expert on extortion, so I’d be interested in what other people think of the following proposed law:
Any person found guilty of paying ransom in order to protect corporate assets shall serve a sentence of not less than 20 years in a federal prison.
The proximate goal would be to stop US corporations from paying ransom. The ultimate goal would be to reduce attempts to extort ransom.
Would such a law make sense?
READER COMMENTS
max
May 14 2021 at 2:38pm
This reminds me of a proposed bribery law change being debated in India (sorry no link, it was a while ago). The idea was to make it legal to pay a bribe, but not to ask for one. That way people who pay bribes can still report it to the authorities. This sounds like the opposite though.
robc
May 14 2021 at 3:23pm
Bad idea. Although I might be willing to make it illegal for a government organization to pay a ransom.
The bigger issue is that corporations and government organizations need to take security and backup policies seriously. If you can’t throw away your entire computer network and rebuild it from backups, you aren’t doing it right. And that means things like backing up data to backups differently than the way you would mirror an OS, so that any viruses/worms/etc aren’t backed up along with the data.
Scott Sumner
May 14 2021 at 5:11pm
You said:
“Bad idea.”
Yes, but why?
robc
May 14 2021 at 7:15pm
Because if some other private individual wants to pay a ransom, it is none of my damn business.
I don’t think a deontological libertarian would even need to ask why.
Scott Sumner
May 16 2021 at 1:04pm
Paying ransom hurts innocent people; it funds criminal enterprises. A utilitarian libertarian would understand that. BTW, I think corporations would welcome a law that made it illegal for them to pay ransoms. They don’t like being victimized.
Frank
May 14 2021 at 3:30pm
“Would such a law make sense?”
I’m thinking out loud. Take the present pipeline case. Suppose no ransom is paid. The cost of not paying the ransom will be very large. If politicians can sit it out, explaining why there’s no gas, the law is a good idea.
In other words, the law is not enough. Intestinal fortitude is also required.
MarkW
May 14 2021 at 3:42pm
But the idea behind such a law would be to prevent the targeting of U.S. firms — why bother to hack them if they can’t legally pay ransom? It’s similar to the corrupt foreign practices act that outlaws U.S. firms from paying bribes in foreign countries. I’m not sure how it would play out, to be honest.
Frank
May 15 2021 at 12:16pm
The government might cave.
LucasM
May 14 2021 at 4:04pm
This law would leave a big loophole unless many western nations agree to enforce it at the same time. If a US company is affected by ransomware, they can simply hire an external (not in the US) “ransomware cleanup” company to help salvage what remaining data they might have. That company can independently decide that paying the ransom is the best way to recover the data. Because they belong to a different jurisdiction, and they’re not being directed to pay the ransom by the US company, only to help with cleanup, this would be a pretty straightforward loophole.
This situation isn’t hypothetical either: there are already cases where a security consulting company has come in and ended up paying the ransom in lieu of some other solution.
See: https://www.youtube.com/watch?v=j8PvOsHBvGw for some insight from an expert who knows more than I do.
David Seltzer
May 14 2021 at 5:42pm
Unless physical force is used against a person or their property, does extortion constitute an invasive threat? Even if no threat of physical aggression is perpetrated, extortion is a threat that relates to the one(s) who pay directly or indirectly in terms of negative externalities. As a consequential libertarian, I think the extortionist should be fined or, failing that, jailed because it threatens established order.
Andrew_FL
May 14 2021 at 5:42pm
This goes against a strong presumptive rule that you don’t punish victims for crimes. So strongly presumed that hardly anyone would think to articulate it because it wouldn’t normally be necessary to do so.
Scott Sumner
May 14 2021 at 7:07pm
I’m arguing that paying a ransom should be viewed as a crime, as it imposes huge external costs on other firms. I very much doubt anyone would actually be punished; what corporate exec in his or her right mind would pay a ransom risking 20 years in jail?
A person can be both victim and villain.
Ryan M
May 17 2021 at 11:40am
I am not unsympathetic to this point. But I think of it as a solution that could make matters worse if not accompanied by other actions. This is similar to my view of “open borders.” Immigration is a much bigger problem when we have an out-of-control welfare state. It is one way that we create perverse incentives; the opposite of the incentives that should drive immigration. This is similar.
If you want to criminalize the paying of ransoms, I think that is perfectly legitimate, but only if what you’re actually criminalizing is the interference of a law-enforcement action. While it may serve as a disincentive for hackers (why bother ransoming if nobody will pay the ransom), that will only spawn innovation… But if you begin with a robust system of law enforcement, which is actually capable of going after hackers, then you can criminalize the paying of ransoms because of the fact that it will diminish these efforts. We already do not allow vigilante actions, and it would be pretty easy to structure laws against ransoms in the same manner. But that only works if we’re first going after the hackers.
Hana
May 14 2021 at 5:46pm
It sounds like another leverage point for ransomers.
“I have stolen $x dollars from you. If you tell authorities it was stolen by me, I will say it was ransom payment and you will go to jail.”
Or something like that.
Scott Sumner
May 14 2021 at 7:09pm
Good argument. I don’t know enough about the issue to know whether it would be possible to discriminate between theft and ransom payments, but my instincts tell me it would be possible. When you pay someone you must sign off in some sense, right?
Matthias
May 15 2021 at 8:00am
Not necessarily. One way to bribe someone would be to make something very easy to steal for them.
David Seltzer
May 14 2021 at 6:14pm
Mea culpa. I misread the proposed law. If someone’s child was kidnapped and ransom was demanded, it seems ludicrous that parents paying the ransom for the return of their child would be jailed for doing so. The same would apply to corporations paying extortionists. Of course one could argue that kidnapping threatens physical harm to the child but is not the case with corporations. In fact cyberattacks are an attack on property.
Scott Sumner
May 14 2021 at 7:11pm
You said:
“The same would apply to corporations paying extortionists.”
Sorry, I don’t see how it’s the same at all.
David Seltzer
May 14 2021 at 8:12pm
I should have said it’s similar for corporations. There is express threat of harm to the child if a ransom isn’t paid. I believe there is the threat of destroying corporate, shareholder’s, property if the ransom isn’t paid. In the case of kidnapping, a person’s well being is threatened. In the case of a corporation, property will be destroyed for non payment. The similarity is in the threat of force. As an example. If a person threatened to burn my house down, would I be jailed for paying them not to do so? I could make the case that a person is in danger of harm because emergency equipment couldn’t reach them for lack of fuel. A stretch, I know.
Scott Sumner
May 15 2021 at 1:03pm
Yes, but those similarities have no bearing on the optimality of each policy. It’s not wise to send people to jail for 20 years if they pay ransom to people who kidnap their child. But why wouldn’t it be wise to do so for a corporate official who paid ransom? No one is explaining to me what’s wrong with my proposal.
Mark Z
May 15 2021 at 5:49pm
“It’s not wise to send people to jail for 20 years if they pay ransom to people who kidnap their child.”
Are you sure of this? It’s obviously even more offensive to moral intuition than outlawing corporate ransom payments, but if child kidnapping is that much more severe than hacking, then the externality of incentivizing child kidnapping by paying ransom is also that much greater. When you’re paying ransom, you’re increasing the likelihood of the next child being kidnapped.
Ransom for corporate assets doesn’t seem like much of a special case. If a victim of a crime has choices that affect the incentives of criminals, outlawing certain choices may be optimal; I don’t see why this wouldn’t apply to kidnapping and extortion as well. If it’s less costly to punish victims of extortion or kidnapping for making these crimes profitable (and criminals are responsive to profitability) than to punish the criminals (who are probably harder to find), it may just as well be optimal to punish people who pay kidnapping ransom or protection money.
Scott Sumner
May 16 2021 at 1:06pm
Sure it’s possible you might want to imprison people who pay ransom to kidnappers (though I doubt it.) My point is that presumption that it is not wise doesn’t mean it’s not wise to ban corporations from paying ransom.
Nicholas Decker
May 15 2021 at 2:29pm
For what it’s worth, if someone in your family is kidnapped, never pay ransom. Since we live in a land of law and order, and kidnappers aren’t around enough to have a reputation of returning people safely, it is likely that they are already dead, or will be killed the moment the ransom is paid.
Second, if you do pay the ransom, you are going to lead to more people being murdered as part of kidnapping schemes. A jail sentence would *of course* be appropriate, just as it is for murder.
alvincente
May 15 2021 at 11:50pm
Nicholas, I’m sorry, but I respectfully disagree. A substantial number of kidnapping victims (not all by any means) are indeed returned if the ransom is paid. If my child is kidnapped, I’m going to pay the ransom even if there is only one chance in twenty that the child is returned alive; that’s better than zero. May none of us ever have to make such a choice.
Michael Sandifer
May 14 2021 at 9:58pm
Such a law might be worth experimenting with, as my impression is that a similar law that makes it illegal to pay ransom to kidnappers has seemed to minimize the rate of kidnapping for ransom.
Luc Mennet
May 14 2021 at 11:12pm
I’m not sure how this would work from a prosecutorial standpoint. As in, who would be the person who goes to jail when the payment goes through? Whichever person who explicitly OKed the payment? What about the people involved in the transfer of the payment, if there are any? Could this lead to situations in which upper management people attempt to get their underlings to take the fall for them?
Perhaps a better method would be to introduce a “Ransom Tax” in the form of fines, equal to, say, 900% the paid ransom, effectively reducing the amount that ransomers can effectively haggle for before the ransom becomes more expensive than the ransomed object, hopefully leading to less opportunities for ransoming things passing risk+cost/benefit.
Additionally, both methods of punishment would lead to an incentive to keep payments on the down low, which is counterproductive in many ways, so maybe also find some way to reward people for snitching on their own corporations? This could also have a knock on effect of decreasing the scale of potential ransoms, as it’s a lot harder to keep secret locking down every computer in a hospital than it is to just lock down a single administrative computer, or something along those lines.
Scott Sumner
May 15 2021 at 1:05pm
Yes, a tax is also a good idea—it’s an externality issue.
robc
May 16 2021 at 8:06pm
So Coasean bargaining would be the best solution. Let other companies pay them to not pay the ransom.
Lizard Man
May 15 2021 at 5:12am
It seems to me like making it a tort or regulation of some sort could be more effective. That way there is a monetary price involved, the lawyers and insurers will ask what steps are being taken to mitigate risk, etc. I guess that I am just skeptical that jail time will help anything. Accounting fraud is a crime, but still happens to such an extent that you wonder if corporate boards are really making good decisions on the ROI of preventing accounting fraud. That said, accounting fraud is also a tort, so who knows. It seems to me like an evidence based approach makes more sense than to try something which only has theoretical support. Was SOX successful? Was it worth it? I would look to regulations and laws like that to get some idea of what might change behavior and at what costs/benefit margin.
Scott Sumner
May 15 2021 at 1:07pm
I don’t think very many people spend 20 years in prison for accounting fraud, and I don’t agree with the assumption that laws against fraud do not sharply reduce the amount of fraud.
Lizard Man
May 16 2021 at 4:25am
So why put another law on the books that is rarely enforced? It doesn’t seem very libertarian.
Scott Sumner
May 16 2021 at 1:08pm
I don’t think it would be rarely enforced; I think it would be rarely in need of being enforced. That’s very different.
Dylan
May 15 2021 at 6:22am
I think this is likely a bad idea, because the punishment is not credible. I’m reminded of littering laws. The theory of deterrence suggests that there is a calculation made based on the chance of getting caught and the severity of the punishment. In littering cases, the chances of getting caught were very low, so the theory suggests to compensate you make the punishment very severe. However, turns out that doesn’t work well because most people are unwilling to fine someone $20,000 “just” for littering.
My suspicion is the same thing would happen here. Anyone who actually paid a ransom would be at little risk of getting convicted and serving a 20-year sentence, so the deterrence effect would not be as great as you’re imagining.
Thomas Lee Hutcheson
May 15 2021 at 7:03am
Probably unenforceable.
Matthias
May 15 2021 at 7:58am
I appreciate the sentiment. Switzerland has something similar.
But I am very suspicious of minimum sentencing requirements.
Stéphane Couvreur
May 15 2021 at 9:45am
I recall a very interesting Econtalk podcast on the kidnap-for-ransom business:
https://www.econtalk.org/anja-shortland-on-kidnap/
One key insight was that “successful” kidnappers rely on reputation for releasing their prisoners unharmed upon payment, and on the victim’s side there are some very specialized negotiators.
I wouldn’t venture to make any recommendation on this topic without the advice of such a specialist.
David W
May 15 2021 at 12:31pm
Kidnapping wasn’t solved by making ransoms illegal. Kidnapping was solved by the police getting better at catching and prosecuting kidnappers. Bank robberies, similar story – they weren’t ended by the banks, they were ended by law enforcement. I don’t see why ransomware should be any different; the fundamental problem is that the police don’t try very hard to catch the criminals, not that ransoms exist.
Scott Sumner
May 15 2021 at 1:18pm
I’m kind of amazed that people compare this to kidnapping; the two issues are very different. Of course this law would be ineffective with kidnapping. Let me make it simple. Consider the two cases:
Someone kidnaps your son and demands $100,000.
You work for XYZ company and someone demands ransomware.
In which case does a threat of prison deter you from making a ransom payment? Why is this distinction so hard for people to see?
David W
May 15 2021 at 6:53pm
I was thinking the opposite: we were able to essentially stamp out kidnapping despite all the incentives for the victim to cooperate and pay up, by inflicting punishment to the criminals. Unlike kidnapping, ransomware can’t even credibly threaten reprisal if the cops are brought in after the fact, so it should be even easier – if the cops choose to develop this expertise.
Alan Goldhammer
May 15 2021 at 2:34pm
Given the posted language, it probably would be tossed out by the courts on Constitutional grounds. Any consideration of its worthiness is a waste of time.
Mark Z
May 15 2021 at 5:38pm
For the ~99.9% of us with no access to political power, any consideration of any policy of any kind is, for practical purposes, a waste of time. People blog and think about things like this because they’re interesting.
Scott Sumner
May 16 2021 at 1:10pm
Which Constitutional provision does it violate?
David Henderson
May 16 2021 at 2:46pm
I wondered the same thing. It’s hard to see what part of the U.S. Constitution it violates.
robc
May 17 2021 at 8:56am
Freedom of Association.
Also the 9th amendment.
Ryan M
May 17 2021 at 11:21am
That’s a stretch. The Institute for Justice has spent decades attempting to show that government over-regulation of business violates the constitution, and it is pretty clear that our courts do not view economic rights as worthy of much consideration.
Also, freedom of association is a freedom of voluntary association. Nobody would ever defend a kidnapper’s right to the freedom of association. Some might say that the individual paying the ransom has a right to handle the situation in his own way (i.e. pay the ransom), but – as I mentioned in my comment, below – this is a criminal enterprise, much like kidnapping. Even payment of a ransom could be viewed in a manner similar to vigilante actions. If the government was committed to actually pursuing these hackers, and could effectively do so, then interference with law enforcement is most certainly not a protected right of association.
robc
May 17 2021 at 1:20pm
In general, I trust the IJ more than the courts. It may be the courts’ job to get it right, but it doesn’t mean they do.
As for the criminal enterprise bit, I think you may be right. That is the best argument I have heard for it, although not sure how paying the ransom interferes with law enforcement. If I was on a jury*, I don’t think I would be able to convict on that line of evidence.
*While much more minor, my one and only time on a jury, one of the charges was a felony tampering with the witness charge. We found guilty on the lesser misdemeanor charge of violating a no-contact order. In discussion with the judge after the case was over, one of the members of the jury asked the judge if she would have done anything different. She said she would have convicted on that charge, but it was close. I think she has spent too much time within the legal system, because there was nothing in the letter the accused sent to the witness that even remotely could be considered tampering. Not exactly the same thing, but there are parallels.
Monte
May 16 2021 at 12:03am
This law is essentially tetra-amelia. Corporations pay ransoms all the time in the form of donations to shakedown artists like the reverend Al Sharpton.
Ryan M
May 17 2021 at 11:16am
Very true.
Consider the way the “social media” mobs actually work. Consider BLM and other groups. When the outrage mob decides that it wants to change a business’s behavior, it goes after that business hard, and the business eventually capitulates. Isn’t that also a form of ransom?
Perhaps we need to be going after “woke” mobs as well?
Of course, this line of thinking could go on and on and on… I’m not sure we’d like where it takes us. Certainly, we’d agree that it cannot be extended to the point where all expression of consumer preference constitutes bribery… yet, the actions of race baiters like Al Sharpton absolutely do verge closer to the actions of literal hackers. So where do we draw the line?
Christophe Biocca
May 16 2021 at 6:41am
This is going to be de-facto unenforceable except against those who don’t even know the law exists.
There already have been tech companies whose entire business was to pretend they could fix the issue without paying the ransom, charging a higher price than the ransom, paying the ransom, then pocketing the difference. Of course those companies would then be the ones breaking the law, but structure it properly (with some offshore subsidiary being the one to make the payment) and everyone within the US is in the clear (or at least having plausible deniability).
Secondly, it’s already often illegal to pay the ransom. That doesn’t seem to have helped.
Finally, these attacks (in general, I’m not familiar with the pipeline situation specifically) are broad, not targeted. They know that a substantial fraction of victims won’t pay up, but the cost of attacking 100 people is approximately the same as attacking 1, so it hardly matters what fraction is willing to pay as long as it is more than 0.
Ryan M
May 17 2021 at 11:12am
I agree with above commenters who worry that this borders on punishing victims of crimes in order to remove the incentives for committing crimes. It also fails to consider that hackers will adapt – someone mentioned the hiring of external companies who will effectively end up paying the bribes on behalf of these companies (which I think would still fall under this law), but also consider that hackers themselves may simply change their methods; perhaps by targeting actual assets (stealing bank codes, etc…) rather than attempting bribery.
Where I think this could make a lot of sense would be if it was accompanied by a robust system of going after these hackers. That would require laws that severely punish the hacking itself (i.e. if you’re caught, you get life sentences and the like), but it would also require what would amount to another government bureaucracy – or at least another federal agency along the lines of the FBI or CIA, which would have to immediately come in and salvage these situations by tracking down the hackers and protecting business assets (and punishing criminals).
I think that carries with it a whole host of additional problems, but it may be inevitable if this relatively emergent field of criminality becomes widespread and dangerous.
But simply punishing companies for paying bribes would be insufficient. You need to be able to stop the hackers from committing these crimes in the first place.
robc
May 17 2021 at 1:22pm
Wasn’t there an episode on econtalk within the last 2 years or so about the business of paying off kidnappers?
It seems that might be appropriate.
robc
May 17 2021 at 1:23pm
And…yes. I should have googled before I asked the question, not after.
https://www.econtalk.org/anja-shortland-on-kidnap/
From the description: