Our view: Paying digital pirates only encourages more attacks
One Monday morning last month, employees of Lake City, Florida, came to work to find information technology workers and police officers unplugging network cables and shutting off computers in the office. Residents trying to call City Council members or pay water bills were met with inactive phone lines, websites and email servers. The cause of the chaos?
A stealthy, malicious cyberattack that hit the city on June 10. The hackers encrypted municipal data, locking officials out, and sent the city a chilling message: Pay a ransom to get the decryption key and all your data.
Already this year, 22 such attacks on public-sector organizations have been reported. More are sure to follow. When attacked, public officials have to make the difficult choice of paying the ransom and retrieving their data, or not paying and having to conduct expensive system reconstructions.
In some cities, officials have decided to pay (or have their insurance companies pay) as opposed to footing the bill for a costly rebuild that inconveniences citizens in the meantime. Lake City had its insurer fork over more than $400,000 in ransom; taxpayers were only stuck with a $10,000 deductible. In Riviera Beach, Florida, insurance covered a $600,000 ransom.
Those decisions might be understandable, but to the extent that taxpayer dollars are used, they should be spent to prevent ransomware attacks, not to pay off digital pirates:
❚ Payouts only encourage more attacks. According to the cybersecurity firm Recorded Future, about 170 county, city or state governments have had their systems hobbled by such attacks since 2013. Reported attacks rose from 38 in 2017 to 53 last year, and 2019 might see an even higher number.
❚ Municipal payments could easily inspire attacks on other crucial public infrastructure. Hospitals, for example, are targets because they need access to patient records.
❚ Paying off digital pirates ultimately strengthens the criminal enterprise. When governments pay cyberattackers, the money is reinvested in more sophisticated attacks.
To be sure, refusing ransom demands can carry a high price. When hackers attacked Atlanta this spring demanding $51,000, the city refused. That has cost Atlanta up to $17 million, according to a report obtained by The Atlanta Journal-Constitution.
Despite the pain, public officials are best off following FBI advice: Don’t pay. Instead, officials ought to invest in preventive measures such as awareness and training programs, spam filters and other cybersecurity software.
This default position is on the rise. The U.S. Conference of Mayors has agreed to “stand united” in refusing to pay ransoms. The FBI should ensure that the nation is playing offense, not just defense, against cyberattacks.
Pirates are pirates, whether they are sailing the high seas or surfing the internet. Paying them off is an ancient but worn-out solution. The Greeks and Romans of antiquity would pay barbarians not to sack their cities. In its early years, America paid tribute to pirates to secure safe passage of its ships.
Ultimately, the ways to end extortion remain the same. Kill or capture the pirates. Turn scams into nonprofit enterprises. The same holds for cybercrimes.