It’s the willingness to pay that makes cyberhacking profitable.

When Suffolk County’s computer systems were compromised by a devastating cyberattack last September, County Executive Steve Bellone had two options: negotiate and pay a ransom in response to the hackers’ demands for $2.5 million, or try to shut down, safeguard, and relaunch the system.

Suffolk took its chances, refusing to pay. Many other local governments and school districts have paid.

It has taken months to get Suffolk's computers and lots of services previously offered online back up and running. Some are still only available in person, like mortgage tax filings and title searches. Vendors, many of which were nonprofits, got late payments. Some personal information might have been breached. 

But the hackers did not destroy the system, or expose vast reams of highly sensitive data. 

Whether Suffolk should have paid is tough to say. A delivered ransom might have allowed the county to get its system back up much faster. But there was no guarantee the hackers wouldn't have wreaked havoc even after being paid, or demanded money again with another threat.

But what if Suffolk had been barred, by law, from paying a ransom to cyber attackers? What if delivering that $2.5 million wasn't an option?

THE CASE

Suffolk has spent over $5 million restoring the system and investigating how it came to be both vulnerable and compromised. In addition, more than $17 million is expected to be spent on new software, security licenses and hardware, though county officials say much of that would have been needed even absent a cyberattack.

While Suffolk didn’t pay, many besieged organizations do. Palo Alto Networks — the company responsible for Suffolk’s firewalls and security defenses, and for the forensic investigation into how the attack got past those defenses — often counsels clients to pay. The company says 300 of its 650 clients who faced ransom demands over the past two years paid up, according to Newsday accounts.

It’s that willingness to pay that makes cyberhacking profitable, and has led the Justice Department to oppose remitting such ransoms.

But what if the governments, school districts, and public authorities were legally barred from ever paying these computer criminals?

Such a change would immediately remove the profit motive for cyber hackers, often highly skilled employees in organized operations headquartered in rogue or hostile nations. And while it might take time for word to get out to the criminals, such a law, if enacted by the State Legislature, would likely eventually convince hackers not to bother attacking the Empire State’s public entities.

It would remove, for leaders, the difficult choice of whether to pay. It would prod school districts and municipalities to keep security and technology up to date and employees up to speed on security protocols, knowing there would be no way to back off attackers if they got through.

Cyberattack operations often fund organizations and governments which use that money to spread fear, death, and destruction, another reason to ban ransom payments.

Barring such payments also would eliminate the risk of entities being blackmailed again after they give up the cash.

THE COUNTER

Industry experts who support paying ransom say it’s often the cheapest, safest, and easiest way to get a system back up. Paying ransom can be less expensive than shutting down, safeguarding, and rebuilding a system. Certainly, weaknesses exposed by such attacks ought to be addressed whether ransom is paid or not.

Perhaps more importantly, paying could be the only way to save lives, safeguard highly sensitive information, or protect both computer systems and the equipment they run from mayhem. 

A law barring a public hospital from paying a ransom when the computer system that maintains patients’ medication schedules is threatened, for instance, is alarming. So, too, is the idea that the Long Island Rail Road could be threatened with bringing down the systems that coordinate its rail traffic safely, or that a public power utility could be told to pay up or see its customers plunged into darkness. 

OUR TAKE

In the long run, removing the profitability of cyberhacking New York’s governmental entities by banning them from paying ransom is almost certainly the best way to end the threat, but how, and how fast we get there, are important questions. 

Florida and North Carolina last year became the first states to pass laws banning public entities from paying ransom. Watching them and learning would be wise.

So, too, would be acknowledging that if the state wants to ban such payments, it must assume a certain amount of responsibility for making sure municipalities, school districts, and public authorities have the resources and expertise needed to safeguard computer networks. Villages and small school districts don’t necessarily have the wherewithal to build and back up impregnable computer systems. If the option of paying ransom is withdrawn, help must be extended.

And the comprehensive, expert-informed public hearings that are crucial before any such law passes in New York should dig deeply into how we’ll make certain that computer networks whose failure presents a clear and present danger to public safety have the security and redundancy they’ll need to rebuff ransom demands.

MEMBERS OF THE EDITORIAL BOARD are experienced journalists who offer reasoned opinions, based on facts, to encourage informed debate about the issues facing our community.