The Colonial Pipeline Dilemma | Notice
A group of cyber terrorists infected Colonial Pipeline computers with ransomware, which prompted the company to shut down its pipeline. The shutdown was so disruptive that it made national news and caused gasoline shortages on the East Coast. The pipeline company paid the terrorists $5 million in ransom in order to obtain software to unlock its computer systems.
The Prisoner’s Dilemma, the most famous model in game theory, may provide insight into why the company paid the ransom and what the optimal government policy to fight these terrorists would look like. In a prisoner’s dilemma, as applied to this case, all companies whose systems have been infected with ransomware act independently. In other words, they do not communicate with each other. In this environment, every company has an incentive to pay a ransom, whether or not other companies pay theirs. But companies would be better off if they all agreed never to pay a ransom. If that were to happen, cyber terrorists wouldn’t bother to infect a company’s IT system, because there would be no payoff. Unfortunately, every business has an incentive to cheat on the “never pay” agreement. Once infected, a business would find it cheaper to pay the ransom than to honor its agreement.
The way to solve a prisoner’s dilemma is to bring in a third party, possibly the government, to make sure the companies stick to their agreement. The government could ensure compliance with the “never pay” agreement by punishing companies that cheat and preventing companies from paying the ransom.
First, the federal government could make the payment of ransoms illegal. This would change the incentives that company managers face. The CEO of a company would often not want to risk being thrown in jail for authorizing the payment of a ransom. A cyber terrorist group that repeatedly infected company systems with ransomware but never got paid would soon tire of pursuing such futile activity. As a result, terrorist groups would stop trying to infect company systems with ransomware.
Even if paying a ransom were illegal, some companies would probably try to make the payments anyway. They could keep their payments secret to avoid prosecution. To deal with this scenario, the federal government would have to adopt a second policy: it should seek out and disable the platforms that cyber terrorists use to receive payments. For example, if a terrorist group receives payments through a website, the government should take down the website to prevent those payments. The government should do all it can to stop a business from paying a ransom.
The policies I have outlined will be troublesome for future companies infected with ransomware. These companies will want to pay the ransom because it is the cheapest option that will allow them to resume normal operations. The government policies I mentioned will prevent payments, and these businesses will likely suffer. Over time, however, American companies will develop a reputation for refusing to pay ransoms, which will cause cyber terrorist groups to choose other targets or, better yet, find other uses for their time.