SVG
Commentary
Forbes

Allow the Private Sector to Fight Internet-Based Crime

The Petya Ransomware and Internet-Based Crime

harold_furchtgott_roth
harold_furchtgott_roth
Senior Fellow and Director, Center for the Economics of the Internet
A message demanding money on a computer infected by the Petya ransomare in Yaketerinburg, Russia, June 28, 2017 (Donat Sorokin\TASS via Getty Images)
Caption
A message demanding money on a computer infected by the Petya ransomare in Yaketerinburg, Russia, June 28, 2017 (Donat Sorokin\TASS via Getty Images)

It is widely known that evil hackers have struck the Internet yet again with ransomware Less well known is that these attacks are constant. Even less well known is that we have the means to fight back.

Ransomware paralyzes a computer or a network and demands payment to unlock the system. Hence the name. But ransomware is not a get-rich-quick scheme. Victims rarely pay, and electronic transactions of funds are traceable. The purposes of ransomware attacks instead are malice and mayhem. For those, ransomware achieves its ends.

The best minds and technology on the Internet are often found at the major, largely American, online companies: Google, Facebook, Amazon, Microsoft, Intel, Apple, etc. Left to their own devices, a combination--or even just one--of these companies could defeat hackers. But American businesses are not an organized part of the fight against online crime.

This is because the benefits of defeating hackers would be shared by all businesses, and not captured by a single one. That reduces the incentives for an individual firm to invest in fight hackers.

Furthermore, American businesses are neither law enforcement nor military units. Even if American businesses had the incentive to attack hackers, they do not have the legal authority to do so. Particularly where hackers have refuge in foreign countries, American businesses cannot unilaterally attack hackers.

In addition, federal regulation outlaws some forms of attacking hackers. For example, when the ransomware was first detected in Ukraine, a prudent response from an Internet service provider might have been to take steps to block traffic from suspected sources of the ransomware. Such blockage, however, would violate current network neutrality rules.

Simply stated, those entities most capable of fighting the hackers that are harming American consumers and businesses have no incentive or support to do so. That should change.

Here are three steps to fight hackers.

First, American businesses should have every incentive to identify online hackers that attack their business as well as any American interest. These incentives may range from informal support to formal bounties. Investors and consumers should see a reward for choosing companies that help protect the Internet.

Second, when intervention to block hackers requires law enforcement authority, American businesses should have the legal means and political support to proceed. This might include the 21st century equivalent of federal authorization of privateers to protect American shipping.

Third, federal rules that protect hackers and pirates should be reviewed and at least modified. The days of the federal government coddling outlaws should be over.

With these three steps, American businesses can be enlisted in the fight against online hackers.

It is vital to change the law to deal with Internet intimidation. Ransomware is but one of many varieties of harmful threats that constantly await Internet users. The threats range from sabotaging use of a computer or network, to stealing sensitive information, to purveying stolen property, to engaging in a wide range of criminal activities. Hackers are constantly probing in search of vulnerable networks. Sometimes they find what they looking for. Sometimes they find even more.

Although some hackers are bored teenagers, the more effective hacks are likely the product of organized crime and rogue governments. Most hackers do not wear military uniforms or tote automatic weapons. They do not command arsenals of deadly weapons or vast navies or air forces. They are more akin to pirates of a bygone era, preying at will on passing commerce.

Pirating in the past was not a long-term or riskless occupation. Militaries and law enforcement of affected governments would respond to piracy, and the governments would usually prevail.

Although it is the mode of communications for the contemporary economy, the Internet, paradoxically, is largely lawless. The odds of being caught and prosecuted for online hacking are small, particularly if one operates in a rogue state that actively encourages online hacking. Militaries and law enforcement rarely can reach hackers.

Like other countries, the United States has a cyber command. But the U.S. Cyber Command is focused primarily on formal military issues, not the countless non-military hackers around the world. Our law enforcement also has cyber divisions, but they often do not have the wherewithal to defeat hackers.

Our government alone cannot likely defeat these criminals. But federal laws and regulations can be changed to encourage businesses to fight back. Together with the best minds on the Internet, we can succeed.