Addressing 'DDoS extortion'

Paying an extortionist a few thousand dollars to leave your network alone might make bottom-line business sense if the alternative is enduring a distributed denial-of-service attack that could cost your company millions in lost revenue and public relations damage.

The trouble is that paying criminals to leave you be is also dangerously shortsighted - especially from a broader societal standpoint - and ought to be every bit as much against the law as extortion.

That's certainly not the case today and is unlikely to become so in the near future, given the clout of big business and the dominant strain of hands-off regulation in the US and elsewhere. And that might be one reason why reports of distributed DoS-based extortion attempts are on the rise. "It's happening enough that it doesn't even raise an eyebrow anymore," says Ed Amoroso, chief information security officer at AT&T.

Although the problem is getting worse, it has been around a while. The network extortion scam is not new: banks across the globe have told disturbing tales of corporate executives both paying up and clamming up.

The reticence of victims to speak out makes quantifying the phenomenon difficult. The FBI tells us it pursues such cases on a regular basis.

Victims typically are asked to wire payment to offshore banks, and, in some cases, the perpetrators are willing to negotiate on the price.

Current countermeasures - anti-distributed DoS products and services, coupled with anemic law enforcement - offer limited hope of turning this tide.

So what should be done?

There ought to be a law that takes the decision making out of the victims' hands.

Let's start with the easiest part: irrespective of whether a company chooses to pay, reporting such crimes to law enforcement should be mandated under threat of civil and criminal penalties - penalties severe enough to persuade even the most bottom-line-conscious business executive to comply.

Yes, criminal prosecution of extortion might be difficult, most notably in cases in which criminals operate from unfriendly countries, but there can be no reasonable hope of legal deterrence without a universal embrace of the first step, which is calling the cops.

A tougher call is whether payments to extortionists should be prohibited.

Some will argue that I'm blaming the victim, and in a sense I am. After all, these extortion attempts are crimes against all online businesses - against all of us - not merely those being targeted today. As long as companies are willing to pay, the ranks of extortionists will continue to grow. Addressing the responsibilities of business executives in no way lessens the need to step up criminal enforcement and diplomatic pressure on governments that countenance criminals.

The government could even get creative by funnelling any fines collected from business into a pool that offers discounted distributed DoS-attack insurance to those that pledge to abide by the reporting rules.

Details aside, something has to change. The alternative is to continue to treat extortion payments as just another business expense... which is crazy.

Have a better idea? Feedback to sandra_rossi@idg.com.au
