When organisations continue to pay after a hack, they are perpetuating the revenue model of cybercriminals. This has to stop, says legal economist and cybersecurity researcher Bernold Nieuwesteeg, who has been warning about the consequences for years. 'We go from incident to incident. It's like Groundhog Day, without any thought given to a long-term solution.'
'Huge sums are still being paid,' says the researcher. For years, he has been advocating a single simple rule: do everything possible to discourage or even prevent payment. But despite major data breaches, public outrage and high demands for money from hackers, practices remain unchanged. Organisations are overwhelmingly opting for the short term, which means we are just waiting for the next data breach or ransomware attack.
The result? The Netherlands remains an attractive target. Every payment gives criminals more resources and motivation to continue. 'We are rewarding cybercriminals. That is the problem.'
Every payment increases the likelihood of a new hack
An organisation wants its data back or wants to prevent mass claims. A payment therefore seems to be an individual choice made by the company. But according to the researcher, this is a misconception: 'Every ransom payment causes social damage.'
If a Dutch company pays up after a hack, it makes our country as a whole more attractive to cybercriminals. 'Then it becomes known that payments are made in the Netherlands. It makes us an attractive target. You really have to weigh up protecting the data of millions of Odido customers now against the multiple hacks that are likely to occur in the future,' says Nieuwesteeg.
In addition, by paying, you contribute to future cyber attacks: 'They then have an extra million euros in their budget to carry out attacks. Paying ransom is not something that is specific to a company. It is as if a pyromaniac threatens to set your house on fire, and you prevent this by giving him a few jerry cans of petrol.'
Bernold Nieuwesteeg is an entrepreneur, legal economist and expert in the field of cybersecurity. He is the founder of the Centre for Law and Economics of Cyber Security, a research centre within Erasmus School of Law. He was its director and is now affiliated with it as an advisor.

How can we break out of this cycle?
According to the researcher, there is a whole range of measures that can help, from light to heavy. He believes these three steps are essential:
- Always mention the social damage caused by paying
As an organisation, make it clear that a payment is not just a practical choice, but a decision with national consequences. Every payment gives cybercriminals more resources for future attacks in our country.
- Register all payments nationwide
Without data, there can be no policy. And once a policy is in place, you will know whether people are actually paying less. And thus, whether the policy is working.
- Put organisations in a position where they do not have to pay
This means, of course, having your cybersecurity in order beforehand, making contingency plans that do not depend on ransom payments, and obtaining support from the government to become operational again without giving in to blackmail.
'Some sectors abroad are already saying: we will never pay again! No matter how painful it may be after a cyberattack. If you really stand your ground, you will eventually cease to be of interest to cybercriminals. They will then know that there is nothing to be gained,' says the legal economist.
Call to the cybersecurity community: stop incident response
Interestingly, his criticism is directed not only at the hacked organisations, but also at part of the cybersecurity community itself. According to him, the latter is primarily concerned with incident response rather than solving the problem.
The reasoning that organisations are given is often: if you have no other choice, you have to pay. The experts who assist in negotiations know the hackers, know which groups are "reliable" and sometimes literally negotiate the price. 'They do that very well,' he says. 'But it's purely tactical. Strategically, nothing changes.'
In other words, part of the community responsible for keeping the Netherlands cyber secure seems to be resigned to the status quo. 'They are stuck in a kind of trench. Those who are only concerned with repelling attacks are not thinking about how to end the war.'
Time for a long-term vision
In some extreme cases, a payment is justifiable. Think of a haul of unencrypted passwords. That would be a nightmare: criminals could easily take over other citizens' accounts with millions of login details. 'Then you have a cyber atomic bomb,' says Nieuwesteeg.
Nevertheless, this does not alter his fundamental message: payments should be the exception, not the norm. The issue is that they are now standard practice. As long as the Netherlands does not take a clear stance, our country will remain attractive to cybercriminals. 'We are simply allowing blackmail to happen,' says the researcher. 'That has to stop. This is an example where science really has a different view than practice. It is important that we make this view heard.'