The ethical dilemma of paying the crooks


I got a really uneasy feeling in the pit of my stomach yesterday as news broke that meatpacking giant JBS paid $11 million to cybercriminals following a ransomware attack that halted operations at most of its plants and threatened to disrupt a large portion of the food supply chain. This event came right on the heels of the Colonial Pipeline attack, which cost that company $5 million to reclaim its operations and restart the flow of gas to a large portion of the country.

I honestly don’t know how to feel about companies caving in to the demands of criminals and paying these huge ransom amounts. It is a true ethical dilemma, and I see both sides of the argument.

First let’s review what exactly these attacks entail. A ransomware attack happens when criminals break into your systems and find a way to lock down a chunk of your data or operating system by encrypting it. This renders it essentially inoperable. They then offer you the key to unlock your stuff if you pay them a certain amount of money. As we’ve seen in both the Colonial Pipeline and JBS cases, these types of attacks essentially cripple operations, which can have huge impacts on your business’s bottom line and your people. So what’s a company to do?

This is where it gets sticky.

On one hand, simply paying the ransom is the fastest means to an end. Yes, the company takes a big financial hit. While $11 million is obviously a lot of money, remember that JBS made a net profit last year of roughly $814 million. They can afford it. And, just giving the criminals what they ask means that the company can get its people and its plants back online quickly, minimizing the impact to workers’ income, sales and the already strained supply chain.

JBS USA CEO Andre Nogueira justified the decision by saying just that: “We felt this decision had to be made to prevent any potential risk for our customers.” I get that. It’s hard to argue that this is poor logic.

But on the flip side of the argument, what are we teaching the cybercriminals if we cave to their demands? If more and more companies show that they are willing to pay to get their stuff back, won’t that encourage criminals to attack more companies and demand larger and larger sums of money? Just like a child who is rewarded for throwing a tantrum in a store, aren’t we positively reinforcing bad behavior? Shouldn’t we take a collective stand and tell criminals that these tactics won’t work? Plus, once you’ve paid the ransom, there is no guarantee that the criminals actually hold up their end of the bargain. In some cases, they provide invalid keys or simply walk away with the funds.

According to the fine reporting in the Wall Street Journal on this topic, the FBI “officially discourages” companies from paying ransoms largely for the arguments laid out above. But that is as effective as me “officially discouraging” people from making their password “password.” And, to make matters worse, even though that’s the official stance, the CEO of Colonial Pipeline has said publicly that the FBI never discouraged his company from paying the crooks.

The answer may be legislative. Again according to the WSJ, there are various efforts afoot that may straight-up prohibit companies from making these types of payments or at least require them to disclose them. But in my opinion there are two major issues with those plans:

  1. What about companies like JBS that are not U.S.-based companies but have substantial U.S. operations? If the rules are not global, international companies will find a loophole if they feel they must. Many of these criminals operate overseas, so there needs to be a coordinated international effort here. The U.S. won’t be able to solve this alone.

  2. And – more importantly – if such payments are banned, what are companies to do if they find themselves locked out of their own systems by a ransomware attack? In my opinion, any legislation addressing this issue can’t simply prohibit the payment. It must give such companies access to resources and a course of action to get their stuff back. It may need to mandate cybersecurity precautions, backups and systems for all large companies so that a recovery from a backup is possible. It may need to form a new division of the government that specializes in helping companies get past a breach. And it will need to provide incredibly improved resources for finding and punishing the criminals. Without all of those components, any legislative effort will only punish the companies in question instead of helping them.

It is definitely a wide-open debate at this point in time. If you have some thoughts, I’d love to see them in the comments! I’ll be watching this space closely to see where this goes.

And, if your company runs any sort of manufacturing facility for any type of widget at all, you should be doing everything you can right now to protect your facilities from this type of attack. Manufacturing facilities often run on outdated or insecure software, which makes them easy targets. It’s clear at this point that all manufacturers are being targeted. Don’t be the next victim. Read my 5 must-dos for manufacturers here.
