There is an increasingly troubling scenario afoot. You’re the CEO of a major corporation, maybe a public corporation. It’s not yesterday’s kidnapping of a rich man’s child, but an extortionate cyberattack that has effectively closed or threatened to close down your company and even possibly a major segment of the American economy.
The extorters, who operate behind a dark veil of secrecy, insist that the company "pay" through an untraceable mechanism—maybe Bitcoin. No fingerprints. Ransomware! You're told by the extorters not to engage the FBI. For now, there is no crime in a corporation complying.
Colonial Pipeline, a privately held firm that supplies nearly half the gas, jet fuel, and diesel to the East Coast, was cyberattacked by a criminal group called DarkSide that froze Colonial's business records, but not its operational side. Because the attack left Colonial unable to charge customers for deliveries, Colonial itself shut down the pipeline.
The public was understandably aghast—gas station lines were backed up, prices surged and the airlines’ ability to keep planes aloft was jeopardized. As the New York Times gently put it, “Colonial failed to communicate effectively with government officials and ultimately paid a $4.4 million ransom—against the usual advice of the FBI.” Whatever that means. Either Colonial didn’t report it to the FBI, or the FBI gave a wink and a nod.
Put aside whether DarkSide, with operations in Russia, was connected to the Russian government—an issue of consummate “American security” interests. At bottom, though, the public doesn’t care if the FBI wasn’t contacted, or even if Colonial ignored an FBI demand that Colonial not give in. And it was likewise unconcerned about the precedent of paying ransom to economic “terrorists.” The public wanted to fill its gas tanks, period.
The Government Response
The government has properly asked businesses to take extreme measures to deter ransomware. Indeed, it may use executive orders or pass legislation to do so. It may even criminalize complying with extortion demands without first engaging law enforcement—particularly when national security is involved.
Still, without such criminal legislation, corporations, like a parent confronting a kidnapper's demand for payment, may choose to decline to involve law enforcement—particularly if the "terrorist" group can easily escalate the threat to the business should it suspect that law enforcement has been engaged.
This piece is not a polemic against Bitcoin or other cryptocurrency mechanisms. Still, as Warren Buffett's deputy Charlie Munger at Berkshire Hathaway has essentially said, and as reported by Forbes, it's a "go-to payment method for criminals."
Rather, it's about the advisability of engaging with cyberterrorists without law enforcement's intervention. In that vein, I always advise "victim" clients who wish to engage law enforcement, just so they know, "When you engage them, you totally lose control of the effort. They're not like a dog to which you say 'sic 'em,' and then say 'down boy' when it suits your purpose."
That said, occasionally, one must admit, simply paying extortion may be the most efficient way to proceed. Maybe $4.4 million is not an inordinate sum for Colonial Pipeline. The problem, of course, is that DarkSide didn't give Colonial a "general release," and so it remains at risk. DarkSide might make the same demand tomorrow with the same consequences. Not to say that the FBI could have reached a better immediate result, particularly given America's then-urgent need to restore commerce, which Colonial's yielding to the extortion achieved.
Congress Has Not Criminalized Paying Ransom
These are tough options given that Congress has not criminalized paying without FBI approval and thus has not removed the self-help option. Importantly, no legislature will criminalize the conduct of a kidnapped child's parent who "pays." And it shouldn't do so for a corporation that declines to engage the FBI in a ransomware scenario given that, currently, law enforcement seems unable to ferret out the terrorists, at least in sufficient time to save the day.
Importantly, the FBI announced on June 7 that it had seized Bitcoin worth almost half of what Colonial paid. This is a valuable accomplishment, but it came a month after the shutdown occurred. This is not a criticism of the FBI, just the lay of the land.
In the Wall Street Journal's interview with Colonial's CEO, Joseph Blount, he said, "I know that [paying was] a highly controversial decision. I didn't make it lightly. I'll admit that I wasn't comfortable seeing money go out the door to people like this. But it was the right thing to do for the country."
"The right thing to do for the country" likely wasn't Blount's real motivation, or was at least an overstatement. Either way, though, it appears, for now, to have been the right thing to do for Colonial. Unholy precedent or not, wasn't making that payment, therefore, Blount's clear duty?
Blount defended the company's response at a Senate hearing on June 8.
The FBI, fortunately, has now made a significant inroad into the Colonial Pipeline extortion plot by seizing Bitcoin worth roughly half the ransom paid. Still, notwithstanding this recent helpful development, should a victimized corporate executive reflexively decline to pay, alert the FBI, and await instructions from it, rather than from the cyberterrorists?
Absent criminalizing legislation, choosing the course to take remains a very tough decision. And an extremely fact-intensive one.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Joel Cohen practices white collar criminal defense at Stroock & Stroock & Lavan LLP. Previously, he served as a federal and state prosecutor. He is the author of “Blindfolds Off: Judges on How They Decide,” and is an adjunct professor at Fordham University School of Law and Cardozo School of Law.