Tyler Cowen, Tribune News Service
The latest cyberattack, apparently emanating from Russia again, has hit at least 20 software firms affecting at least 1,000 businesses. It follows a cyberattack that left parts of the US without adequate gasoline supplies for several days, and one on the Irish public health system. There are undoubtedly many more attacks that go unreported, if only because the victims do not wish to advertise their willingness to pay ransom.
And so the obvious question arises: How is all this supposed to stop? For an answer, it’s useful to apply some game theory.
The scalability of the internet can be a major virtue. But it also makes it easier for vices to proliferate. There are now the equivalent of venture capital markets to help fund ransomware attacks.
Consider street crime, for example. There is a natural limit to it if only because most people have better options than to pursue such a life, and many who do so are simply not good at it and get caught. What’s more, street crime is constrained by the need for physical presence; you can only commit so many carjackings in a month.
In the cyber realm, these constraints do not apply. In low-wage, low-trust countries, such as Russia, you can just hire more hackers to pull off more attacks. Even if the perpetrators can be identified, Russia doesn’t seem so eager to help US law enforcement. Other havens for cybercriminals could emerge.
More aggressive regulation of cryptocurrency markets could make ransom payment more difficult, but the hackers could always resort to anonymized cryptocurrencies.
Some have proposed that paying ransoms should be made illegal. That might be hard to enforce, and it is really wise to penalize businesses that seek to restore services to their customers? Criminalization might also incentivize hackers to create ever more destructive attacks in an effort to get the ransom spigot turned back on. At least under the status quo, hackers have some incentive to seek out relatively quiet attacks that will yield a ransom but not wreak too much havoc or attract too much attention.
What about military drone attacks on ransomware terrorists? It might be an option if they are in a relatively weak country, but that is hardly likely with Russia. US President Joe Biden already is trying to pressure Russian President Vladimir Putin to help stop the attacks, but there is little guarantee this approach will yield dividends. Putin seems happy to see the US squirm, and the government has not been able to rein in many of his other misdeeds. A laissez-faire attitude toward the hackers doesn’t cost him money, and he has a degree of plausible deniability.
Ultimately, the primary long-run solution is for businesses to pay for more secure systems. This could mean much less reliance on passwords (iris scans, anyone?), additional reliance on hardware, and greater use of multi-factor authorization. Health-care providers and insurers may have to become a bit more like the CIA.
None of this will stop ransomware attacks. But it will likely cause them to decline.
How exactly all this will unfold is clear, though unpleasant to contemplate. Many businesses and institutions still don’t view a ransomware attack as major threat, and they won’t invest much more in security until they do. As more security-conscious institutions fortify their protections, hackers will switch to the less aware and less secure targets. Most countries have millions of soft targets, and this crime will continue until most of them have improved their defenses. That could take decades.
It gets worse: In economic terms, the private value of internet security is often less than the public value. A ransomware attack that results in only a slight decrease in profits for a business could translate into a major social inconvenience.
Game theory doesn’t help very much in predicting how long this cat-and-mouse game will go on. But it’s safe to say that it will be here for a long time to come.
I have learned through my son that the new form of software, such as a virus specifically designed to damage or gain access to a computer system without the user knowing, called TeslaCrypt, encrypts video games and holds them for
Economists concerned about slowing productivity have spent the past decade hotly debating the value of free digital services such as Google’s web search and Amazon’s online store. But those online services have proven their worth during
The mass walkout came after Basecamp chief executive and co-founder Jason Fried published a blog post on Monday explaining new rules adopted by the company, including a ban on "societal and political discussions on our company Basecamp account."
I often think that people don’t realise the repercussions of what they are doing; of what they are inventing. I also think that buyer’s remorse is a real thing but only in the minds of the critical thinkers and that the majority of buyers lined up to buy the latest technology
European Union Energy Commissioner Kadri Simson after a meeting with energy ministers of EU member-countries in Amiens in France on Saturday, said that the gas storage for this time of the year was less than usual, and announced
One person’s restriction is another’s protection. So as the sibling of someone who has a learning disability, I will keep wearing a mask. Boris Johnson’s decision to ditch masks shows blatant disregard for people with learning disabilities
It has been said that Christian Wakeford is a mere career opportunist who detected an early whiff of a Tory bloodbath at the next election. Many on the left and right are suspicious – united in mutual mistrust by a defector in their midst.