Date: 2024-01-04

Don’t bansomware.

That’s the message from the majority of respondents to a Washington Post poll asking cyber experts if banning payments to ransomware gangs at the government level is the right move for the industry. The findings were published December 19.

Ban bans. Three-quarters of the experts surveyed—74%—were against a ban, telling the Post that such a move would only make it more likely that victims of attacks would pay the ransoms illicitly. Amy Hogan-Burney, Microsoft’s general manager and associate general counsel for cybersecurity policy and protection, told the Post that whether or not to ban payments was a “complicated issue.”

“While government should empower companies to avoid paying ransoms, a total ban runs the risk of penalizing cyberattack victims,” Hogan-Burney said. “In some cases, critical infrastructure, like hospitals, face no choice but to pay so that they can keep vital systems running.”

And banning payments is unlikely to have the positive effect that advocates hope for, Institute for Security and Technology CSO Megan Stifel said. Stifel told the Post that in her view, banning payments would be a race to the bottom, with less wealthy ransomware attack targets bearing the pain.

“Not only would banning payments effectively revictimize the victim, it will also not work in reducing payouts to gangs,” Stifel said. “Instead, it will drive the activity underground, where investigators will have even less visibility into the nature of this threat, these funds and the organizations who transmit them will be even further beyond the reach of law enforcement and regulators.”

Government’s role. The 26% of respondents in favor of a ban told the Post they believe barring payments would remove a lot of the reason for attacks in the first place. UC Berkeley graduate school professor Steven Weber said he backs a ban because it’s “a classic collective action problem” where people who pay attackers are “free-riding on those who refuse to pay.” Having the government step in and enforce the rules will help, he said.

“Government can assure a better outcome by punishing those who would otherwise free-ride,” Weber said. “Doing so would also force more effort and expenditure on prevention and protection.”

Researchers wanted to get clarity on what experts thought about the questions, in part due to a strategy document from the Australian government suggesting a ban. While the Commonwealth parliament declined to take action, the idea isn’t unique to Canberra—the White House was considering a similar ban earlier this year.