With respect to Chris Vickery and other people who've made this suggestion, it's not that easy.
Illegalizing ransoms is actually something with historic precedent. It's shown success against kidnappings in the past.
But here's the thing...
In either case, countries find it extreme to penalize victims being coerced. Many will still pay - just illegally - which means they won't disclose to law enforcement, regulators or customers. And there are situations, like hospitals, where you may actually want people to pay.
Won't everyone know if a company is under ransom due to work stoppages? Won't that make it hard to pay a ransom? Well, no. Criminals will continue switching to a leak model.
To be blunt, ransomware can be an opportunistic crime, requiring very little risk, labor or cost on the part of the criminal. Unlike with physical kidnappings, there's a very low opportunity cost to continue.
I'm not even necessarily saying banning payments is the wrong option. What I am saying is that there's a risk in being reductive about a really complex problem without simple solutions.

I wrote about banning ransom and other policy options here.



More from @JoeUchill

5 Apr
I had a thread yesterday about why banning payment of ransomware is not an easy solution to the problem
Just to go through some of the other policy options that are worth considering or combining into a comprehensive package:
One idea is to impose know-your-customer laws and mandatory intervention with warrants on cryptocurrencies sold on legitimate exchanges.

It would help recover funds and impose an extreme cost on criminals trying to stay anonymous.

Speculators would super hate it.
There are international diplomacy angles - increasing cooperation between the United States and traditional havens for ransomware gangs. Obviously, this would be incomplete without Russia and could escalate to sanctions.
3 Apr
This is a weird article, but not for the reasons people seem to think it's a weird article.

The article makes the assertion that 200 years in the future, only the Beatles and Bob Dylan will be remembered.

If you're angry about that name three 1760s composers.
If you didn't get Haydn, you probably didn't name two composers from the decade.
10 Mar
CISA leadership will be testifying before the House Appropriations Committee's Homeland Subcommittee in about an hour about "Modernizing the Federal Civilian Approach to Cybersecurity."

I'll be live-tweeting it. 🧵
Interesting notes to consider in advance.

- Brandon Wales will testify as Acting Director.
While the Biden administration has discussed a task force in the wake of Hafnium, there's no confirmed CISA director, someone you'd expect on the task force.
Eagle-eyed readers will notice I've deleted and reposted that tweet twice after misspelling "Interesting" in two different ways.
9 Mar
The interesting thing about gaffes is not that they happen.
They happen to everyone. Today, I forgot the word acronym. What's interesting is how the ones that stick are ones that confirm what people already suspect about the person who said them.
That's not to say legitimately not knowing something important isn't a problem. But if you give 4 hours of speeches a day, you're going to trip over words.

Yet no one honestly thought Obama didn't know how many states there were when he said he visited 53 of them.
Trump was unique in that regard: To the best of my knowledge, he is the only president to claim the facts change to justify a gaffe. Saying "covfefe" was intentional, altering weather maps to show Alabama would be hit by Hurricane Dorian, claiming he said "Tim from Apple".
12 Feb
There's a ton of stuff we don't know about Bloomberg Supermicro 1 and 2 that I'm not sure we're going to know. Here's what I do know about Supermicro 1, the original story:
I know a ton of national security and cybersecurity reporters and contractors who tried to substantiate the first story without success.

I tried to substantiate the first story without success.
People who I spoke to on Capitol Hill said they *wished* it was true to confirm what we generally know about China's industrial espionage.

People I spoke to in industry launched expensive investigations to see if they had been hit. They hadn't.
10 Feb
The EAC is about to vote on the Voluntary Voting System Guidelines 2.0.

The most contentious point in VVSG is that it says wireless technology should be disabled and not completely removed from voting machines.
I'll try to live-tweet anything interesting, but am also expecting a call for work. So this thread may cut short at any time.

It could be very dramatic.
Disabling wifi rather than not purchasing machines that have wifi allows for more maneuverability in commercial, off the shelf purchases.