The numbers may seem to make the case for giving hackers what they want. But that’s the point of ransomware: It is designed to convince victims that complying is cheaper and easier than the alternative. The argument for refusing to put taxpayer money into malicious actors’ coffers is stronger. Morally, taxpayer money should not be used to reward criminal enterprises. Practically, if cities collectively stop providing that reward, hackers may pack up their keyboards. Every dollar — or, more accurately, every bitcoin — that cities turn over to cybercriminals encourages them to continue attacking, and it also gives them the resources to do so more effectively and more often.
There is a way to break the cycle: pass a federal law barring ransomware payments. Along with such a prohibition, funds should be devoted to helping cities and states become more secure in the first place, focusing especially on the need to have backups of critical data. Then the Department of Homeland Security could set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those that surrender to hackers would face fines sufficiently larger than the ransom.
Those facing punishment might protest that resisting the criminals is too costly in money, time offline and information lost forever. But the money is an investment in preventing more attacks across the country, and it takes substantial time, too, to pay a ransom and reboot an entire government. As for the information, the threat of losing it should be an incentive to governments to get moving on backup systems. An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result.