Saturday, June 12, 2021

Ransomware

Full-time economist and part-time troll Walter Block is infamous for arguing that many things society regards as evil are, in fact, good.  Well, maybe not good, but better than the alternative, at least.  Probably the hottest of his hot-button issues was arguing for child labor as better than child prostitution.  In 1976, he wrote Defending the Undefendable and followed it up this year with Defending the Undefendable II: Freedom in All Realms.

    One of the more interesting cases made is that of blackmail.  The basic argument is that under the current system, if someone stumbles across sensitive data, they have only one legal form of profitable recourse:  publishing the data, usually through a tabloid.  As a result, the victim has no options to prevent the data from being disclosed, other than to try to kill the blackmailer.

    With legalized blackmail, however, the victim does have an--admittedly expensive--option.  He can pay off the blackmailer.  Under such a system, if the blackmailer were to disclose the material, or later demand payment in excess of the agreed-upon amount, the victim would have legal recourse to sue, based on breach of contract.  Of course, going to trial would disclose the information, but if you’re suing for breach of contract, well, then the material is already disclosed, now isn’t it?

    The other salutary effect that legalizing blackmail would arguably have, especially on public figures, is to make people more cautious about what behaviors they engage in.  If it’s perfectly legal to take pictures of a politician and his mistress, well, then said politician might think twice about having one.

    Maybe.

    At any rate, it’s an interesting thought experiment.

    Recently, the Colonial pipeline was shut down by a ransomware attack.  More recently, the country’s largest meat packer, JBS, has also been hit.  Both attacks have caused large-scale economic harms.

    I find this amusing, because a former employer of mine was hit by a ransomware attack.  A coworker making up the month’s schedule downloaded a free Microsoft Word template.

    Never trust a .docx file.

    The result was that the entire system was encrypted the next morning.  I don’t know how much Bitcoin was demanded, because they didn’t pay.  The IT security guy at the time was exactly the sort of obsessive paranoid you want in an IT security guy, and had the servers backed up every 24 hours to an icebox.  As a result, he was simply able to scorched-earth the servers and reinstall everything.  There were maybe six hours of data lost.

    In my opinion, that is just basic security, and any large infrastructure firm that does not have such a plan in place is frankly guilty of malpractice.  If a tiny [redacted] on the [redacted]-end of Nowhere, MT, has an effective plan for ransomware attacks, a multi-state pipeline should, too.

    Colonial reportedly paid $11 million to the hackers to unfreeze the data, the bulk of which has been seized by the FBI.  Of course, anyone familiar with civil asset forfeiture in America knows that the FBI ain’t giving that [redacted] back.  So essentially, Colonial paid $11 million to the FBI to...do what, exactly?  Wreak vengeance on the hackers, I guess?

    Here’s the thought experiment, though:  what if we legalized ransomware attacks?  Up to a certain amount, that is.  Say, $1,000 for individuals, $10,000 for small businesses, and $100,000 for large businesses.

    Now all of a sudden, you can’t depend on the FBI chasing down the hackers and twisting their arm to give you your data back.  Now, it’s all on you to take the appropriate actions to secure your systems.

    And news flash:  it’s all on you anyway.  Sure, if you’re a large corporation whose data lock is going to cause sufficient disruption to get John Q. Public to scream, the FBI will come into the picture long enough to make themselves look like they’re doing something.  But for everyone else, you’re just not worth their time.

    The underlying assumption is that the government exists to provide a credible threat of violent reprisal against evildoers, thereby deterring their evildoing.  But if they did provide that credible threat, then why did the hackers hack?  Now, we can argue whether the threat is not credible due to incompetence, misdirection, and/or lack of resources on the FBI’s part, or that the hackers were just too insane to appreciate the credibility of the threat.  However, none of that changes the fact that the threat failed to achieve its desired effect.

    With legalized hacking, however, every hacker would be constantly attacking every major business looking for any hole possible.  As a result, every company would be incentivized to take appropriate steps to secure their data.  And much like how a human’s normal flora outgrows pathogenic microbes, the small-time hackers would likely find those holes before the handful of truly malicious actors do.

    Granted, this is a top-down solution.  And like all top-down solutions, it would likely have unintended consequences.  How would small businesses that can’t afford a full-time IT staff get by?  What if a large corporation decided it was cheaper to pay a $100,000 ransom every so often rather than $250,000 a year in competent IT staff?

    Of course, this would also open the market for solutions like ransomware insurance and a bigger gig economy for IT security for small businesses.  And while $100,000 is less than $250,000, once word got out that a company had made that decision, it would quickly become a target for multiple hacks a year.  So those problems might be mitigated.  Eventually.

    A better bottom-up solution would be for companies to voluntarily offer rewards and blanket non-prosecution agreements for hackers.  I’ve watched enough DefCon videos to know that contracted red teams are usually hamstrung by their contracts against doing anything truly effective.  A blanket bounty system for anyone, on the other hand, allows the security system to be truly tested by a large body of hackers that aren’t restricted by terms.  I mean, this is basically the entire concept behind open source code for security projects like Signal.

    Again, it’s an interesting thought experiment.

    So remember, kids, get a VPN, back up your data to the cloud and an icebox, don’t open strange emails, don’t look at USB drives you find in a parking lot, and use a USB condom when you’re charging at the airport.  Because you’re on your own.
