Hackers last week hit a major gasoline pipeline with ransomware. For several days, gasoline supplies were cut off in most of the Eastern United States. Stations began to run out, and a lot of people panicked. The episode was soon resolved, but it reminds us of how fragile our infrastructure is, not least because all of it is intertwined with vulnerable computer systems.
Ransomware is a common occurrence in hospitals and other settings that use a lot of data. Maliciously encrypted data delays surgeries and other life-saving procedures because of the need for digitized health records. Often, the only economical solution is to pay the ransom.
As with real kidnappers, there is no guarantee the hackers won’t take the ransom money and run, leaving the victim in an even worse position: without the money and still with no access to data.
This is one reason why cybersecurity is a large and growing field. Security is no longer simply a question of dodging annoyances or protecting data from competitors. A lucrative racket, ransomware poses a life or death threat to businesses.
A Weak President Responds
In dealing with the pipeline shutdown, Joe Biden appeared listless. He displayed no anger, no energy, and no sense of command. As with the current flareup of violence in the Middle East and skyrocketing inflation, these things happen, he observed with a few desultory comments off the teleprompter.
There are unconfirmed reports Biden advised Colonial Pipeline to pay the ransom. Missing from his public remarks was any clear message that America wouldn’t tolerate these kinds of economic attacks, most of which originate overseas.
Serious question: Why aren’t we droning these people? The harm they cause is massive. Whether a hospital or a pipeline, these are real attacks with real consequences.
By contrast, kidnappers seeking ransom are rare in the United States. Kidnapping is treated very seriously by American law enforcement and is rarely successful.
Removing the Honeypot
Asked why he robbed banks, Willie Sutton famously replied, “Because that’s where the money is.”
Similarly, ransomware attacks happen because there is money to be made. Computer systems are critical to almost every line of business. VPN or Tor communications permit ransom demands to be made fairly anonymously, and cryptocurrency permits anonymous payment. For those with computer savvy, ransomware is an alluring means to make a big score.
While punishing and even attacking ransomware hackers may be part of the solution, there are also options on the incentive side. Like ransomware, bribes are an important, illegal revenue maker in much of the world. Western businesses that want to do business in the Third World have long been shaken down for bribes by officials at every level of government. The goal is not to run off Western investors completely, but to take a piece of the action.
In trying to curtail foreign corruption, there is a strong precedent to strike at those most inclined to play by the rules: the payers.
In 1977, Congress passed the Foreign Corrupt Practices Act (FCPA). The FCPA makes it illegal for any U.S. company or its employees and agents to pay bribes overseas, even when shaken down. The government can impose large fines on those that do so.
While the FCPA has not eliminated foreign corruption, the point is to reduce it by reducing the payoff to those who seek bribes. The FCPA also gives the target a face-saving way to reject the shakedowns. It also prevents American companies from securing an unfair advantage by paying bribes. A law similar to the FCPA preventing ransomware payments would do a lot to curtail ransomware attacks.
One of the arguments against the FCPA is that it puts American companies at a disadvantage overseas. This may be true, although the United States broadly interprets the law to include a lot of international players, including German giant Siemens, which was hit with a whopping $800 million in fines.
More important, from an America First perspective, wouldn’t we want to encourage more domestic investment in capital, whether for manufacturers or anyone else? Courts do not enforce illegal contracts. Why not mildly discourage American capital flight by requiring American companies to continue to abide by American laws while doing business overseas?
If America strictly enforced a statute forbidding ransomware payment, there would be little point for foreign criminals to seek ransom. After all, these attacks are not mere vandalism, but a money-motivated criminal enterprise. If the victims had no choice but to invest in greater protection or restore their systems from backups, the incentive for foreign hackers to seek ransom would go down considerably.
America used to make it known that it would not “negotiate with terrorists.” Hijackings, common in the 1970s and 1980s, went down considerably under the dual pressures of American intransigence and occasional punitive attacks. But they persisted for a time in Europe, which frequently gave in to terrorists’ demands and engaged in prisoner swaps.
The law of the United States carries great weight. Simply making something illegal often does the trick, as American companies spend a lot of money and energy on compliance. While it may not be completely fair to impose these burdens on American victims of ransomware, there is, as of yet, no realistic way to impose much of a cost on the hackers themselves.
Such a law would also express the most basic political principle: the public interest comes before the immediate, short-term interest of any particular company dealing with a ransomware shakedown. But long-term thinking is in short supply these days.