U.S. Officials Consider How to Deal with Ransomware Payments

American business leaders are looking for advice on how to deal with ransomware, a kind of software designed to seize a computer system until money is paid.

The question is whether payments should be made for ransomware attacks. But the U.S. government has not yet given clear rules or policies on the issue.

How to respond?

Eric Goldstein is a top cybersecurity official in the Department of Homeland Security. Goldstein told a congressional hearing last week, "It is the position of the U.S. government that we strongly discourage the payment of ransoms." Discourage means to try to make people not want to do something.

Goldstein told lawmakers that paying a ransom does not guarantee that you will get your data back or that stolen files will be safe. He added that even if the criminals keep their word, the money will be used to pay for the next round of attacks.

But current laws do not punish businesses for making ransomware payments. Refusing to make the payments would be bad for businesses, however, especially for small and medium-sized companies. And the effect of non-payment could be serious for the U.S. itself.

Recent well-known ransomware attacks led to a fuel shortage and high gas prices in the eastern U.S. and threatened the nation's meat supplies. The issue has left public officials searching for an answer.

Congress is now looking at legislation requiring immediate reporting of ransomware attacks to federal officials. The idea is that such reporting would help identify those responsible and even help get back some of the ransom money.

Recently, U.S. law enforcement recovered most of the $4.4 million that Colonial Pipeline paid to a gang of criminal hackers called DarkSide. That was the first time the U.S. government had said that it recovered money from the Russia-based gang.

Last week, U.S. President Joe Biden met with Russian President Vladimir Putin in Geneva to talk about several issues including cybersecurity. Biden said he gave Putin a list of 16 "critical infrastructure" items, including energy and water systems, that are considered off-limits to criminal activities.

Without additional action soon, however, experts say ransomware attacks will continue to increase.

Cybersecurity experts

U.S. Energy Secretary Jennifer Granholm said this month that she supports banning payments. But she did not know whether Congress or the president would.

Some of the strongest supporters of a payment ban are those who know ransomware criminals best: cybersecurity experts.

Lior Div is the head of Boston-based Cybereason. He compared ransomware criminals to digital-age terrorists. "It is terrorism in a different form, a very modern one," Div said.

A 2015 British law forbids United Kingdom-based insurance firms from paying back companies for terrorism ransom payments. Some believe this idea should be applied to ransomware payments.

Adrian Nish is the threat intelligence chief at BAE Systems. Nish noted that "terrorists stopped kidnapping people because they realized that they weren't going to get paid."

U.S. law forbids material support for terrorists, but the Justice Department in 2015 waived the threat of criminal prosecution for citizens who pay terrorist ransoms.

Standing up against attacks

Some ransomware victims have refused to pay, at a high cost.

One is the University of Vermont Health Network, where the bill for recovery and lost services after an October attack was around $63 million.

Ireland, too, refused to negotiate when its national healthcare service was hit last month. Five weeks later, healthcare information technology in the nation of 5 million remains badly damaged.

Most ransomware victims end up paying. Insurance company Hiscox says over 58 percent of its affected customers pay the ransom. And leading cyber insurance company Marsh McLennan says about 60 percent of its affected U.S. and Canadian customers pay theirs.

But paying does not guarantee anything near full recovery. In a study of 5,400 technology decision-makers from 30 countries, the cybersecurity company Sophos found that on average, ransom-payers got back just 65 percent of the encrypted data.

In a separate study of nearly 1,300 security professionals, cybersecurity company Cybereason found that 4 in 5 businesses that chose to pay ransoms suffered a second ransomware attack.

I'm John Russell.