Sanctioning Ransomware Victims Creates Catch-22
Another example of failed communication between private industry and government is the U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) October 1, 2020 “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” For those in the dark, OFAC alerted current and future ransomware victims that in addition to state and federal regulators, customers, predatory attorneys, and other cyber-criminals, OFAC may also seek penalties for cybersecurity failings.
An initial reaction to OFAC’s alert is expectedly negative. Entities and individuals may read the alert and raise the following challenges: 1) victims should not be twice-victimized by their own government; 2) victims have the right to protect their businesses and data (property); and 3) penalties by OFAC will dissuade victims from sharing threat information with authorities. Two of these concerns hold substantial merit.
First, confronting the double-victimization objection, OFAC must understand that it is essentially demanding a wallet from a person who just suffered a carjacking. Unfortunately, there are few manners in which to mitigate this concern as monetary penalties damage businesses in the same manner as ransomware demands. A potential alternative by OFAC would be offer the following option: OFAC waives penalties if victim participates in and completes a cybersecurity remediation process (at its cost) to prevent reoccurrence. Serving as both a carrot and a stick, a company could come forward to authorities knowing that it will be shown (or even provided) tools for future success.
Next, civil rights champions are likely to argue that penalizing victims for attempting to reclaim data and business operations is akin to limiting constitutionally guaranteed property rights. However, this is a red herring. No one is guaranteed profitability or protection against poor business judgment (such as not investing in cybersecurity resources), especially in a manner that requires him/her/it to fund illegal activity.
In paying demands, ransomware victims unknowingly fund all forms of criminal behavior initiated by hostile nation-state actors and/or criminal gangs. Indeed, victim payments encourage future ransomware attacks while sponsoring other types of criminal behavior, including, but not limited to human trafficking, illegal drug trade, and weaponization. OFAC’s advisory indirectly, but accurately, equates paying ransomware to known hostile nations with acting an accessory to a crime or treason.
Lastly, and perhaps the biggest obstacle to OFAC’s warning, is that it discourages cyber threat information sharing, conflicting with the Cybersecurity Information Sharing Act. Consider this scenario, victim suffers ransomware attack. Attackers persuade victim to pay the ransom and instruct victim on how to disguise payments as those to penetration teams (similar to what Uber tried). Victim weighs options: 1) pay attackers, keep quiet, and reclaim business operations without loss of goodwill, data breach notifications, and potential penalties; OR 2) alert authorities and likely not recover its equipment, data, and business operations. Victim will also lose public goodwill (or stock value), potentially be forced to alert regulators about the breach, and provide notifications to victims. From a business perspective, option no.1 is extremely tempting, especially when so much livelihood is at risk.
OFAC’s advisory seems to at least partially comprehend the position its threats of sanctions creates for victims: OFAC’s Economic Sanctions Enforcement Guidelines (Enforcement Guidelines) provide more information regarding OFAC’s enforcement of U.S. economic sanctions, including the factors that OFAC generally considers when determining an appropriate response to an apparent violation. Under the Enforcement Guidelines, in the event of an apparent violation of U.S. sanctions laws or regulations, the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).
Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.
Unfortunately, a pledge to “consider” certain factors “in determining an appropriate enforcement outcome” is a weak consolation to victims facing ransomware. While OFAC’s mission is noble in issuing the advisory, its failure to acknowledge the catch-22 imposed on ransomware victims is another display of the lack of communication between government and private industry.