Banning ransomware payments is an incredibly attractive idea.

Proponents need to explain why it’s going to work any better than bans on buying drugs. Why won’t two “willing” participants find a way? What do we gain by adding criminal penalties to victims trying to recover their businesses?

@adamshostack Personally I don't think there should be a ban on payments. But I strongly believe there should be a ban on *insurance payouts* in cases of ransomware where a postmortem review finds that easily fixed problems, negligently left unaddressed, led to the incident taking place. Society should not be socializing the cost of large corporations' inadequate resourcing of their security operations budgets. It costs everyone more for insurance every time a huge payout has to be made.
@threatresearch @adamshostack a bit of a tangent, but I really struggle with defining “negligent” in cyber. Given that hacking is looking for the place someone messed up - and relies on the complexity of modern networks/systems hiding some screwups - any compromise can potentially be called negligent.
@threatresearch @adamshostack I have seen loss adjusters be much more rigorous post-event than they were 10 years ago. They are much more likely to review what a policy holder claimed they did in terms of controls when they got coverage, and if that wasn’t true, refuse to pay out.
@threatresearch @adamshostack that creates an incentive to hide details of an attack.
@threatresearch @adamshostack of course, we know insurers are always keen to pay out in instances where they could otherwise blame the victim...