"We must take down the criminal ransomware business model"

Bernold Nieuwesteeg

Bernold Nieuwesteeg, Director of the Centre for the Law and Economics of Cyber Security at Erasmus School of Law, spoke out on the growing challenge of ransom payments after ransomware attacks in an article in the Financieele Dagblad. He did so with other experts, including Bibi van den Berg, Professor of Cybersecurity Governance at Leiden University.

"Taking companies hostage by locking their computer systems, a so-called ransomware-attack, is currently the most successful business model cybercriminals have at their disposal", states Nieuwesteeg in Trouw.

The domino-effect
During a ransomware attack, all systems and data of an organisation are held hostage until the ransom is paid. This is a growing problem that affects many companies. One example is the large-scale cyberattack on the weekend of 3 July 2021: "During the attack, a software distributor was targeted. This distributor supplied software to other tech companies that, in turn, provided them with the possibility to gain remote access to their customers' computers. Therefore, this attack caused a domino effect and affected hundreds of businesses around the world", explains Nieuwesteeg on Radio 1.

To pay or not to pay?
"Paying a ransom to unlock data and systems is no societal solution for this problem", according to Nieuwesteeg. Although being unable to offer its services or products and rebuilding the IT infrastructure could cost a company a great deal of money, Nieuwesteeg stresses in the Financieele Dagblad that paying the ransom is in no way a societal solution, as it only strengthens the criminal business model.

Taking down the criminal business model
"The criminal business model will only be taken down when companies stop paying. However, companies need to be enabled by society to do so by making the costs of not paying money lower than the costs of paying ransom", according to Nieuwesteeg. This could be facilitated in many different ways, for example by offering insurance against the damage caused by a cyberattack. Unlike the common insurance policies that cover part of the ransom, insurance against the damage of a cyberattack protects a business against the threat of bankruptcy without stimulating the criminal business model.

Nieuwesteeg concludes in the Financieele Dagblad: "It is important that companies with a public role speak up collectively against the payment of criminals for ransomware-attacks, and set an example for future attacks by not paying. Working together and sharing information with organisations in the same industry and with policy and judicial authorities is essential in this regard."

More information

Read the entire article by Financieele Dagblad here (Dutch).
Read the entire article by Trouw here (Dutch).
Click here for the entire fragment of the broadcast of Radio 1 (Dutch).
