Paying an extortionist a few thousand dollars to leave your network alone might make bottom-line business sense if the alternative is enduring a distributed denial-of-service attack that could cost your company millions in lost revenue and public relations damage.
The trouble is that paying criminals to leave you be is also dangerously shortsighted — especially from a broader societal standpoint — and ought to be every bit as much against the law as extortion.
That’s certainly not the case today and is unlikely to become so any time soon, given the clout of big business and the dominant strain of hands-off regulation in Washington. And that might be one reason why reports of distributed DoS-based extortion attempts are on the rise. “It’s happening enough that it doesn’t even raise an eyebrow anymore,” says Ed Amoroso, chief information security officer at AT&T, in a recent story by two of my colleagues, Network World (U.S.) senior editors Denise Pappalardo and Ellen Messmer.
Although the problem is getting worse, it has been around for several years. I first heard of the network extortion scam at a 2003 security conference where a speaker spun disturbing tale after disturbing tale of corporate executives both paying up and clamming up.
The reticence of victims to speak out makes quantifying the phenomenon difficult. The FBI tells us it pursues such cases on a regular basis, although a bureau spokesman was unable to provide specifics. But the brazenness and even the “reasonableness” of the criminals speak to the comfort with which they work: Victims typically are asked to wire payment to offshore banks, and, in some cases, the perpetrators are willing to negotiate on the price. Current countermeasures — anti-distributed DoS products and services, coupled with anemic law enforcement — offer limited hope of turning this tide.
So what should be done?
There ought to be a law that takes the decision making out of the victims’ hands.
Let’s start with the easiest part: Irrespective of whether a company chooses to pay, reporting such crimes to law enforcement should be mandated under threat of civil and criminal penalties — penalties severe enough to persuade even the most bottom-line-conscious business executive to comply.
Yes, criminal prosecution of extortion might be difficult, most notably in cases in which criminals operate from countries unfriendly to the U.S. But there can be no reasonable hope of legal deterrence without a universal embrace of the first step, which is calling the cops.
A tougher call is whether payments to extortionists should be prohibited.
Some will argue that I’m blaming the victim and that it’s the victim’s right to pay. They will equate the decision to that of paying a kidnapper to secure the safe return of a loved one.
The analogy is weak, but, yes, in a sense I am blaming the victim. After all, these extortion attempts are crimes against all online businesses — against all of us — not merely those being targeted today. As long as companies are willing to pay, the ranks of extortionists will continue to grow.
Addressing the responsibilities of business executives in no way lessens the need to step up criminal enforcement and diplomatic pressure on governments that countenance criminals.
Congress might even get creative here. How about funneling any fines collected from businesses into a pool that would be used to offer discounted distributed DoS-attack insurance to companies that pledge to abide by the reporting and payment rules?
Details aside, something has to change. The alternative is to continue to treat extortion payments as just another business expense. And that is nuts.
QuickLink 056866
–Paul McNamara is the associate news editor of Network World (U.S.). He can be reached at buzz@nww.com.