Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?
From a certain perspective, ransomware identifies & forces correction upon institutions that have been careless with their security or backups. Truly nasty attackers could do even worse: stealing & reselling data, or leaving silent long-term compromises in place to bleed targets more extensively.
So, carving out a safe harbor for "uncontracted vulnerability discovery & remediation" via the payment of modest ransoms could be a socially-efficient policy, aligning incentives of many participants: targets, the customers of targets, and grayware authors.
Perhaps, the whole process could be automated even without explicit support from lawmakers: leave an appropriate crypto balance, on the systems at risk, in a conventional place. It'd mean: "If you can see this, we know we've screwed up – but we're OK with you taking this amount, and no more, if you close the hole behind you & leave us a note of what we did wrong." Viewing the movement of that bounty on a blockchain would be a public disclosure of the compromise, and gray-hat actors that confined their activity to the collection of such bounties wouldn't need to fear criminal prosecution.
(Hmm, maybe we should just put private-keys controlling small bitcoin-balances into any free-form fields of our records with typically-careless institutions – so we can independently sense when our private data has been accessed by dishonest actors – whether institution insiders or hackers.)
Why not enact into law a limited immunity for any such ransomware that (a) only charges a modest amount for decryption; (b) never exfiltrates private data to elsewhere; (c) after payment, reveals all security lapses that allowed penetration?
We can't even hold commercial software developers to enforce secure coding standards, yet we're expected to trust anonymous malware writers to write code that is proven to not exfiltrate data and trust that they are ethical enough to reveal all of the weaknesses they found?
You can still capture the malware in honeypots & analyze its behavior – and try all the investigation and enforcement methods currently used.
But, those grayhats seeking to use this safe-harbor would be more open about their identities & methods. They can even deposit their earnings into KYC'd bank accounts!
So imagine some bad-faith actor pretends to be complying, but then turns out not to be & tries to double-dip – taking both the conditional bounty, and more. Such people will now be competing with other hackers who are playing by the rules – leaving the nastier actors fewer open systems. And anyone who seems to obfuscate their identity/methods will stick out as a likely bad-faith actor. Thus I'd expect they'd be a lot easier to catch, and have more to lose, than in the status quo.
But the ransomware attackers are already breaking the law with greater proceeds. Why would they stop and decide to play by rules that require them to do more work to make the same pay?
Yes, but they're still facing some risk of criminal penalties. This removes that, in return for more orderly behavior.
To some extent, the current risk of criminal penalties will cause them to be more damaging. What they're doing is already illegal; why minimize collateral damage? Why not try to double-dip, both stealing data and encrypting it? Why not disappear if there's any risk of discovery, rather than follow through with decryption keys and information about plugging holes?
Also, the current regime means only "criminal"-minded people are performing this activity. And yet, the activity still has some positive side-effects! It causes organizations to close security holes (which could put their customers' data at even greater risk) and improve backup procedures.
A limited carve-out for "responsible" vigilante penetration-and-remediation would allow other more-law-abiding operators to participate in this activity, with more responsible practices. (You could do this with your real name & put your wins against name-brand organizations on your resume!) This should lead to flaws being more rapidly discovered & closed, and perhaps at less cost and collateral damage than the current legal regime – which, after all, isn't doing a great job of catching perpetrators or assigning accountability to vendors and IT departments after incidents.
They're already doing this - ransomware attackers are astoundingly good at acting in a collectively beneficial manner. Most ransomware attackers will go out of their way to make sure you're able to decrypt your data because they know if enough people can't then no one will pay their ransom.
The selfish and optimal play in this scenario is to be among good-actors using ransomware and never bother with the effort of allowing users to decrypt their data, but surprisingly few people are acting this way - enough that most companies have confidence gambling that the criminal that just compromised their system will act honestly. It's seriously astounding.