Ransomware Bill Would Give Victims 48 Hours To Report Payments (bloomberg.com)
Victims of ransomware attacks would be required to report payments to their hackers within 48 hours under a proposal from Democratic Senator Elizabeth Warren and Democratic Representative Deborah Ross. From a report: The Ransom Disclosure Act would give the Department of Homeland Security data on ransomware payments, including the amount of money demanded and paid, and the type of currency used. The lawmakers say this is essential to bolster the U.S. government's understanding of how hackers operate and the extent of the ransomware threat. "Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals," Warren said in a statement on Tuesday.
We Do Not Negotiate (Score:5, Insightful)
How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?" Include jail time for any employee that authorizes ransom payment on behalf of a company, and it would stop.
Re:We Do Not Negotiate (Score:5, Insightful)
Some companies would go out of business if they didn't pay ransomware. That's not something Elizabeth Warren wants.
Forcing them to report is a way to make it more uncomfortable without them going out of business.
Whatever happened to "we do not negotiate with terrorists?"
That strategy was gone before Bush left office.
Re: (Score:3, Insightful)
Re:We Do Not Negotiate (Score:4, Interesting)
Difficulty: The company distributes oil to the entire Eastern seaboard, manages critical healthcare facilities, or does something else that will incapacitate entire economic sectors if they "go out of business."
At some point a military response to ransomware operations becomes entirely appropriate.
Capitalism leads to the opposite..monopoly (Score:5, Interesting)
> Difficulty: The company distributes oil to the entire Eastern seaboard
Sounds like communism. In a capitalist economic system that function would be handled by many companies all competing for a piece of the business. If one failed the others would absorb the slack.
Another issue solved by capitalism. -- fark.com/politics
The natural end product of capitalism is a monopoly. Capitalism is about survival of the fittest. If one business does a superior job, they will strangle their competitors. Capitalism doesn't guarantee many choices. It actually tends to lead to the reverse when done right. One supplier does a better job than every one else and reaps the rewards while their inferior competition withers and dies a slow death or gets acquired.
Take out the dominant player and the remaining players won't be able to scale up to meet the new need. You'll have pandemic conditions all over again only much, much worse.
It's really fun to make up simple rules, like "we don't negotiate with terrorists" or "they should go out of business," but life is not that simple. People could die because of your simplistic thinking. Imagine if my local hospital network was shut down? Yeah, we have another one that handles 1/5 of the load of the community. I think reducing hospital capacity by 80% could lead to some deaths. Imagine if Comcast was shut down. OK, my city has RCN, they'd never be able to handle the new demand. Internet would be nearly impossible to obtain and those who get it will get dial-up speeds as RCN scrambles to get their infrastructure up to meet the demand.
Look at Apple with iPads, for an example. Sure, Samsung and Microsoft produce tablets, but at a very tiny fraction of the marketshare. Tablets are more than just toys. They're mission critical for many businesses and for non-verbal autistic children to communicate via AAC program. No, Samsung and MS couldn't scale up any time soon.
There's also AWS. Imagine that going down. Azure and IBM/Oracle Cloud would take years to scale to their level and be able to serve all customers who used to be on AWS.
Sorry, Capitalism is the "least worst" system we have, but it's far from perfect and doesn't protect anyone in the scenario you described. As we saw in the pandemic, it rewards businesses who are lean to the point of being fragile, hence why no one could get toilet paper for 6 months in most of the United States.
Re: (Score:2)
Re: (Score:1)
No, GM and whoever owns Chrysler should go bankrupt next time. Can you imagine the chaos if that many union employees were suddenly out of work...
Re: (Score:1)
Cloud services are harder than you think. (Score:2)
No, you are mistaking an open market (capitalism) for government-regulated markets (which are a form of socialism). If a company grows big, it will tend to be tied up in its own bureaucracy; it cannot compete with faster and nimbler startups that can adapt to fill holes in a market.
What the US has is heavily regulated markets; this makes it so incumbents can collaborate with the regulators to strangle any newcomer. See, for example, the AWS/Oracle cloud debacle. The government is a large enough customer that it can afford having a third party develop its own cloud system. You could literally plunk a rack down in every government building and have a more resilient and distributed cloud than even Amazon can dream of, yet regulators have mandated a level of service only the incumbents can accomplish.
You underestimate how much investment and effort these cloud services take. Booting your personal Linux server?...pretty easy. Keep 100,000 of them running 24x7 with AWS level uptime? It's actually pretty hard. Monitoring, orchestrating patches, ensuring you don't get taken over by some cybercriminal gang, etc. This is hard stuff. The gov "COULD" do this, but it's unlikely they can do it as cheaply as you seem to think. It would either cost more than Amazon charges or it would quickly become the nex
Re: (Score:2)
Not really, new companies that grow big and take over usually ride a wave of new tech. Railroads, down to perhaps half a dozen that have been around for a century and a half, used to be lots. Oil companies, similar. Automotive, similar except some old foreign companies thrown in. Retail, rare but perhaps Walmart is an example of a late comer growing to be the biggest.
Today with tech, same is happening with the number of big new companies being reduced to perhaps half a dozen. After 30 years of the internet
Re: (Score:1)
Re: (Score:3)
> The natural end product of capitalism is a monopoly.
Then it isn't capitalism. Government regulation, a requirement of capitalism, is meant to break up monopolies to maintain capitalism.
We go through this every time on slashdot, but there's always a few 'slow' people.
Re: (Score:1)
Capitalism does not equal the free market. It is simply using your capital to grow, and buying government is one way of using your capital to grow.
You seem to mistake the free market for capitalism. There's no reason that a socialist economy, co-ops, credit unions, various worker-owned businesses, couldn't compete in a free market. The capitalist usually wins though, as capitalism encourages the worst actors to succeed as they have no morals or ethics. See Facebook.
Re: (Score:2)
When a hospital closes, it does not vanish out of existence, and neither does Comcast's infrastructure.
Re: (Score:2)
In this example the dominant player does not survive because it is the fittest, it survives because it has the most capital and can use it to drive rivals out of business or buy them and fold them into itself, forcing customers to rely on it alone for supply.
Once that happens it doesn't matter if the oil supplier is unfit, because many people have no choice but to keep it alive.
Re: (Score:2)
The natural end product of capitalism is a monopoly.
Should be:
The natural end product of [unregulated] capitalism is a monopoly.
The proper function of government includes establishing the laws and regulations which are necessary to prevent accumulations of excessive market power. The problem isn't that "capitalism leads to monopoly" but rather that governments, legislators, etc. fail to perform their role as wise regulators of the economic system.
Gov intervention implies the unnatural (Score:2)
The proper function of government includes establishing the laws and regulations which are necessary to prevent accumulations of excessive market power. The problem isn't that "capitalism leads to monopoly" but rather that governments, legislators, etc. fail to perform their role as wise regulators of the economic system.
That was my point. You're just stating it in greater detail and articulation. The natural, meaning unaltered by external forces, endpoint is a monopoly. It doesn't even have to be nefarious. Your success could simply be from delighting your customers. We need gov oversight to ensure monopolies don't get abused, to prevent the natural consequence.
Re: (Score:2)
Difficulty: The company distributes oil to the entire Eastern seaboard
Sounds like communism. In a capitalist economic system. . .
It already happened –– in the USA.
Same for the other examples.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Everything has a cost. If you're prepared for this, it costs you money, so you charge more. But your competitor doesn't have a plan and your custom
Re: (Score:3)
Re: (Score:2)
"At some point a military response to ransomware operations becomes entirely appropriate."
So you want to invade Russia and China?
(Please look up "Afghanistan" to see how well that works out.)
Re: (Score:2)
Both those countries have already invaded the US. China with Fentanyl and Russia with ransomware.
BTW, the military response doesn't have to be kinetic
Re: (Score:2)
So... maybe a non-kinetic wall?
Re: (Score:2)
(Please look up "Afghanistan" to see how well that works out.)
Sorry, wrong. Afghanistan is a minor player that poses no real risk to the USA; you would need to look up "nuclear armageddon" to really see how that works out.
Re: (Score:2)
So you think we should start a nuclear war over ransomware?
Re: (Score:2)
Maybe Putin should ask himself that very question.
Re: (Score:2)
What kind of military response do you imagine being possible? Say they are based in Russia, how exactly do you plan to retaliate?
Or how about being based in eastern Europe, or China, or North Korea? Seems like a military strike on any of those areas would be disproportionate and lead to much worse things than ransomware.
Re: (Score:2)
I agree with you.
I would also add that any company that gets hacked with an SQL injection exploit deserves to go out of business. Those can and should be avoided perfectly.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's not a matter of "deserving" to go out of business or not. These companies will go out of business. Anyone who pays gets hit up a second time, and if they're still there after that, a third time. Recovering from a ransomware attack is the same if you pay or don't pay. Any information you think you got back is untrustworthy, any system that works again doubly so. You're starting fresh either way or you're just waiting to be held up again.
Paying a ransom should be a criminal offense with mandatory jail ti
Re: (Score:3)
That strategy was gone before Bush left office.
You misspelled "Reagan."
Re: (Score:1)
You misspelled Raygun.
Re: (Score:2)
I wonder if I hurt a Republicans feelings.
Re: (Score:1)
Re: (Score:2)
Some companies would go out of business if they didn't pay ransomware. That's not something Elizabeth Warren wants.
Forcing them to report is a way to make it more uncomfortable without them going out of business.
So??? And some people might die if you don't give the plane hijackers everything they ask for. Better a few businesses go out of business or a few people die than for this to be an ongoing threat month after month and year after year.
A more valid argument for paying ransomware, on the other hand, might be that if you don't pay the ransomware then these bugs are not exposed by black hats, and therefore these bugs actually still exist and could be used by even more unsavory characters like other foreign powers.
Re: (Score:2)
"we don't negotiate with terrorists" doesn't work as well in the private sector, especially when you have competitors that aren't going to wait for you to recover from a ransomware attack before they eat you alive in the free market.
If someone's got you by the proverbial balls and the only way out is to pay up, then you may have no choice between that and going out of business.
The only real viable solution is a good defense with proper backups that protects you from getting hijacked by ransomware in the
Re: (Score:2)
Some of the very first deals the US did with foreign governments were to negotiate protection money payments so that the Barbary states wouldn’t kidnap its citizens for ransom or to sell them into slavery. These payments made up a large proportion of the federal budget.
Re: (Score:1)
There wouldn't be a ransomware attack in the first place!
Re: (Score:2)
That's a dream.
Re: (Score:1)
What would be the motive for an attack?
Re: (Score:2)
Because people are still going to pay ransom, even if you made it illegal.
Re: (Score:1)
Not if you make it illegal enough!
Re: (Score:2)
Is there any crime in the world that is so illegal it doesn't happen?
Besides, even if America managed to succeed in preventing people from paying ransom, American computers would still get caught by criminals trying to collect ransom from companies in other countries.
Re: (Score:1)
Turns out, we do [Re:We Do Not Negotiate] (Score:2)
How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?".
You do know that this was Ronald Reagan's motto, right? And that not only did his administration negotiate with terrorists, the negotiations were to arrange arms deals for them.
The unspoken version of the motto was "we keep it secret that we negotiate with terrorists".
Which is what would happen in your proposal: the people who pay ransom would keep it secret.
Re: (Score:2)
I think Warren should have proposed the "Liam Neeson" law... where if you try to ransom a company... the company pays the ransom to the US government... and the government uses the funds to hire people... people with a very special skill set. /s
Re:We Do Not Negotiate (Score:4, Insightful)
Why not just create a ransomware passport. Every month that you don't pay a ransomware you get an updated valid passport.
Anyone without a valid ransomware passport can't travel by air, eat at restaurants, attend venues, etc.
We can use these passports to control people's behavior... pretty much like they were intended.
Re: (Score:2)
lol, hard to find good satire these days
Re: (Score:2)
To be fair, the only thing that it would actually completely stop if it were illegal is people reporting it. Jaywalking is illegal too, but people still do it. So is speeding. A law against it, however, would still mitigate some people who might have otherwise been willing to pay the ransom, and with fewer people willing to pay, it follows that the incentives to keep trying to perpetuate this malware would also start to diminish.
Never say NO to a hostage taker – it’s (Score:3)
Never say NO to a hostage taker – it’s in the manual!
“Never use no, don’t, won’t or can’t” in a negotiation as it “eliminates options”.
Re: (Score:2)
Re: (Score:2)
Never say NO to a hostage taker – it’s in the manual!
“Never use no, don’t, won’t or can’t” in a negotiation as it “eliminates options”.
Hmm, so are you saying this to the ransomware distributors, the victims, or congress, who's holding the victim accountable?
On the latter, look at Warren showing us we CAN learn things from TEXAS
Re: (Score:2)
I was a victim of it. I didn't pay and lost some personal files, but I am surprised you think I should have been jailed if I had.
Re: (Score:2)
Making it illegal to pay the ransom just encourages the company to pay quietly and then lie on their financial statements too. It's not really any different than a ransom of a loved one where they say "come up with the money, who cares how, or your loved one gets fed to the sharks!" The ransomers don't really care if you break the law to pay them. At best I think we could make it so companies can't write off the ransom on their taxes.
Re: (Score:2)
Use regulators to shut the victims down for having lax cybersecurity.
The attackers are already taking advantage of a hole that shouldn't exist, so I'd much rather the government flunk them on an electronic health inspection.
Re: (Score:2)
How about making it illegal to pay ransom? Whatever happened to "we do not negotiate with terrorists?"
"We do not negotiate with terrorists" only works when you can afford the penalty. For instance, a government can afford to let a bunch of hostages killed, it sucks, but it signals they're serious about not paying and therefore discourages further hostage scenarios.
Not only would a lot of companies go out of business if they didn't pay the ransomware, but they're really only going to be attacked once. This means there's no way for an individual organization to signal it won't pay and thus discourage ra
Re: (Score:2)
We have always negotiated with terrorists (regardless of what the politicians have said).
Criminalizing victimhood? (Score:1, Redundant)
Re: (Score:3)
There is no penalty for non-compliance in the bill.
https://www.warren.senate.gov/... [senate.gov]
"Criminalizing" is a stout word for a crime with no penalty.
Insecure Doors. (Score:2)
Extent? Yes. How? Don't you see that barn with the door wide open?
Here's the problem ... (Score:2)
Re: (Score:2)
Re: (Score:2)
That or they start doing it for shits and giggles.
Re: (Score:2)
Why would they care if it's reported? They're assuming that the combination of using Bitcoin and being located in Russia makes them safe from any prosecution.
Re: (Score:2)
If we find out
Odds are that DHS will keep quiet about who reported what. Until everything is decrypted and they get an opportunity to do some intelligence collection on the hacking group.
Easy gotten around... (Score:5, Interesting)
This is so easy to get around:
1: Hire a ransomware consultant who is offshore.
2: Pay them the ransom + a "tip" as a "consulting fee".
3: Ransomware gang delivers decryption key to the consulting company.
4: Consulting company says they "broke the ransomware code", and provide a decryptor
???
6: Profit for the consulting company, the ransomware org, and the corporation who will just charge it off as a cost of doing business. Since no official ransomware payments are done, just paying a consultant company, there is nothing to report, and if there ever was proof, the company hiring the consulting company would have enough plausible deniability to get off the Fed's hook.
Re: (Score:2)
Similarly to anti-corruption laws, companies are prohibited from bribing, in the US or overseas. Some companies got creative and hired consulting firms, just like you suggested, to pay the bribe. Guess what? The guys that were responsible for hiring the consulting firm got put in jail. The prohibition applies to both direct and indirect attempts. Hiring someone else to do the dirty work doesn't excuse the offender. Similarly to how you hire an assassin to kill someone and you
Dear Elizabeth Warren (Score:1)
More taxes coming? (Score:2)
Half measure (Score:2)
New Law to Constrain Victims (Score:2)
Way to go Elizabeth Warren and the rest of the socialists! We need new laws governing ransomware, so why not pass some that force the victims of the crime to do stuff for the government. They're easy to catch and punish if they don't comply, unlike the ransomware purveyors. And it looks like the government is doing something.
Re: (Score:2)
Microsoft windows strikes again ! (Score:2)