Damned if You Do, and Damned if You Don't (Pay the Ransom)

Episode 331 of the Cyberlaw Podcast


In this episode, Jamil Jaffer, Bruce Schneier, and I mull over the Treasury announcement that really raises the stakes even higher for ransomware victims. The message from Treasury seems to be that if the ransomware gang is the subject of OFAC sanctions, as many are, the victim needs to call Treasury and ask for a license to pay – a request that starts with a "presumption of denial."

Someone has been launching a series of coordinated attacks designed to disrupt Trickbot. Bruce explains.

CFIUS is baring its teeth on more than one front. First comes news that a newly resourced CFIUS staff has begun retroactively scrutinizing past Chinese tech investments. This is the first widespread reconsideration of investments that escaped notice when they were first made, and it could turn ugly. Next comes evidence that the TikTok talks with CFIUS could be getting ugly themselves, as Nate Jones tells us that Treasury Secretary Mnuchin has laid down the elements the US must have if TikTok is to escape a shutdown. None of us think this ends well for TikTok, as China and the US try to prove how tough they are by asking for mutually exclusive structures.

The US government is giving US companies some free advice about how to keep sending their data to the US despite the European Court of Justice decision in Schrems II: First-time participant Charles Helleputte offers a European counterpoint to my perspective, but we both agree that there's a lot of value in the US white paper. If nothing else, it offers a defensible basis for most companies to conclude that they can use the standard contractual clauses to send data to the US notwithstanding the court's egregiously anti-American opinion. The court may not agree with the white paper, but the reasoning could buy everyone another three years and might be the basis of yet another US-EU agreement.

The UK seems to be preparing to take Bruce's advice on regulating IoT security, but he thinks that banning easy default passwords is just table stakes.

Bruce and I once again review the bidding on voting by phone, and once again we agree: No. Just No.

Nate questions the press stories (and FBI director testimony) claiming that the FBI is pivoting to a new strategy for punishing hackers by sending Cyber Command after them. He thinks it's less a pivot and more good interagency citizenship, which I suspect is still a change of pace for the Bureau.

Bruce and I explore the possibility of attributing exploits to individuals based on their coding style. You might say that their quirks leave fingerprints for the authorities, except that at least one hapless hacker has one-upped them by leaving his actual fingerprints behind in an effort to get himself approved in a biometric authentication system.

And in updates, we note that Microsoft has a new and unsurprising annual report on cyberattacks it has seen; the Senate will be subpoenaing the CEOs of Big Social to talk Section 230 in an upcoming hearing; and the House intel committee has a bunch of suggestions for improving the performance of the intelligence community against evolving Chinese threats.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design. Hope you like it!

Download the 331st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.


  1. I thought this was going to be about Trump.

    "The media said I got Covid because I didn't wear a mask."

    "So I decided to wear a mask and go out to greet some well wishers then I was told that I was unnecessarily spreading Covid."

    "I thought if you wore a mask you couldn't spread or get Covid?"

    Or is wearing a mask now like going to a BLM protest? You can only get the virus if you are the "wrong" kind of politician and immune if you go to the "right" type of protest?

    1. “I thought if you wore a mask you couldn’t spread or get Covid?”

      What idiot told you that?

      1. CNN, MSNBC, and lots of other places.

        1. No they didn't. Time to go back to school and work on your critical reading and listening skills. I think they start in about third grade, but this is probably sixth grade level stuff. Maybe you know some kids the right age who can help you out. In the meantime, here's an article from CNN on the topic to pair with your new skills:


          Since reading such a long article might be hard, I'll pull out some handy excerpts, which help you to understand that masks reduce risk but do not convey immunity.

          ""Cloth face coverings are meant to protect other people in case the wearer is unknowingly infected but does not have symptoms," the CDC said.

          But the benefits go both ways. "We know now there's scientific evidence that masks both keep you from infecting others but may also partially protect you from getting infected," said Dr. Deborah Birx, the White House coronavirus task force coordinator."

          ""People need to know that wearing masks can reduce transmission of the virus by as much as 50%, and those who refuse are putting their lives, their families, their friends, and their communities at risk," said Dr. Christopher Murray, director of the Institute for Health Metrics and Evaluation."

          1. What this person said, only with "dummy" tacked on at the end.

  2. Unauthorized hacking should become a capital offense. Trials in absentia, and guilty verdicts should be permitted. Remote executions, as with drones, should be permitted. The financiers of such hackers should be included. To deter.

    1. The sole plank of my campaign for the Presidency is to deploy SEAL teams against spammers.

      The problem with using them for hackers is that YOUR hackers have to correctly ascertain WHO hacked you, and the hackers out there in the wild are good at misdirection.

    2. Great. They just decided you're a hacker. Now what?

  3. I also propose to end all sovereign immunity. If the drone blasts the wrong people, their estates may seek compensation in torts. To deter.

  4. The message from Treasury seems to be that if the ransomware gang is the subject of OFAC sanctions, as many are, the victim needs to call Treasury and ask for a license to pay

    "Yes, but all our business is locked and we can't earn money! How will we pay our taxes? Will you..."

    IRS: Nope!

    1. Rebuild your system from clean backups. It's cheaper in the long run than paying off ransomware. Once they know you'll pay up, they'll start deliberately targeting you.

      1. And pay a good security professional to set you up so it won't happen again. Look for CISSP in the qualifications of the person you hire to do it.
