A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security
79 Pages. Posted: 30 Aug 2021. Last revised: 6 May 2022
Date Written: December 1, 2021
Ransomware attacks have become common. Victims range from small municipalities to non-profits to giant multi-national corporations. These attacks disable the victim’s cyber-systems and may result in financial losses, data leaks, business failures, and, in some cases, even loss of life. The hackers may be lone actors or infamous cyber-gangs; they may be hostile foreign countries or non-state actors such as terrorist groups.
Most victims pay the ransom. But payment does not guarantee the recovery of data as promised. In addition, payment transfers value to criminals and may jeopardize national security.
In an effort to cut off financial flows to the hackers, several U.S. agencies have targeted ransomware payments. Both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) have issued advisories emphasizing the potential liability for ransomware victims (and those assisting them) who pay prohibited persons or transmit funds without the required procedures.
This Article argues that the threat of legal liability for ransomware victims who pay the ransom, with no positive incentive, is unlikely to improve cybersecurity or even to stop payments. In fact, such threats may be counterproductive if they lead victims to conceal attacks. Instead, this Article proposes the creation of a safe harbor for ransomware payments that (i) enables the victim and those who assist the victim to pay when necessary (protecting stakeholders), but that also (ii) deters attacks (hardening targets) and (iii) facilitates interdiction of attacks that do occur (defending national security).