Ransomware Payments Should Require a Sin Tax
A tax could largely mitigate the growing ransomware problem. The following is a proposal for a scheduled, gradual increase in the tax rate on ransom payments:
The ransom demanded by an attacker is a function of the expected likelihood that the victim will pay that amount.
If a tax is legally enforced, the market will adapt: “optimal” ransoms will decrease to account for tax rates. For instance, a 100% tax would legally bind the victim to match a $1M ransom payment with a $1M tax to account for negative externalities. Thus, an attacker, knowing this, could only reasonably expect to demand half the amount to get paid.
With each subsequent increase in tax rates, a market equilibrium will be reached, given sufficient time.
As tax rates approach the limit of effectiveness (in terms of compliance and enforceability), the funding of ransomware is significantly reduced and attacks are much less widespread.
Why not favor an outright ban?
A ban can also be considered in terms of immediately adopting an infinite (or very extreme) tax rate, and this argument focuses on the practical implications of a gradual rate increase. If immediate implementation of a one-billion percent tax rate seems unreasonable, then a ban is similarly unreasonable.
Consider those hit immediately after the policy takes effect. A tax can be increased gradually as the market adapts to each tier, so as not to penalize unduly the victims hit by ransomware right after its implementation; each time the market adapts, a cost equilibrium is reached for the victim. Starting with a low tax, attackers would adapt their demands to the correspondingly lower probability of payout for higher amounts, while organizations would have time to adjust to the new norm. Raising the tax over time avoids imposing a special burden on the victims hit just after each new rate takes effect, and gives attackers time to absorb the new information and lower their optimal demands accordingly. When equilibrium is reached after each rate increase, the victim’s cost is once again equalized, yet the attacker’s gain is further reduced.
Compliance: a tax, like a ban, accounts for the negative externalities. A ban would also reduce negative externalities, but because of the increased severity for victims it would drive payments underground; conversely, under a tax, attackers are always making demands they expect the victim to be able to pay, given the current tax rate.
Case-by-case severity of the attack and costs incurred can be factored into the victim’s judgment on payment, whereas a ban immediately imposes maximum cost onto the victim.
Tax proceeds could be earmarked for a counter-ransomware agency, perhaps even with a fraction further directed toward the recovery of the ransom payment.
The taxation approach does not aim to reduce the severity of any individual attack; it only reduces the expected frequency, because the attacker benefits less. This follows from the attacker’s extortion-maximizing objective function, which accounts for known enforced taxes and compliance rates, along with the attacker’s implicit (and unknown) probability distribution over the total cost a victim is willing to pay. While the tax does not benefit the next victims immediately following its implementation (it likely harms them further with the additional tax burden), many would-be future victims benefit from lower ransomware funding and thus a significantly reduced number of attacks. At no stage does the magnitude of an attack become lessened for the victim; it is only the frequency of attacks that the policy aims to address. If the tax were high enough, the viral coefficient of ransomware’s growth would be < 1.0 due to declining interest as payouts diminish.
Taxation immediately reduces the frequency of payouts, since it shifts the payment decision threshold by making payment more expensive, and thereby cuts the funding of future ransomware attacks. Thus the funding of, and incentives for, ransomware attacks begin to drop almost as soon as the policy is implemented. The status quo is effectively a 0% tax rate (in most countries).
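As an added illustration (not part of the original post), the following Python model makes the attacker’s objective function described above concrete. It assumes, as a constructed example, that a victim’s total willingness-to-pay (ransom plus tax) is log-normal with a $1M median; the attacker picks the demand that maximizes expected payout given the tax rate t, and the script reports both the immediate effect of a new tax (before attackers adapt) and the post-adaptation equilibrium, which reproduces the claim that a 100% tax halves the optimal demand and the attacker’s take while leaving the victim’s equilibrium cost unchanged.

```python
import math

# Constructed assumption: a victim's total willingness-to-pay (ransom plus any
# tax) is log-normal with median $1M; the attacker does not know a given
# victim's value, only this distribution.
MU, SIGMA = math.log(1_000_000), 1.0


def pay_probability(total_cost):
    """P(victim pays) when the payment costs them total_cost in all."""
    if total_cost <= 0:
        return 1.0
    z = (math.log(total_cost) - MU) / (SIGMA * math.sqrt(2))
    return 0.5 * math.erfc(z)  # log-normal survival function


def attacker_revenue(demand, tax_rate):
    """Expected payout for a demand when the victim also owes tax_rate*demand."""
    return demand * pay_probability(demand * (1 + tax_rate))


# Log-spaced grid of candidate demands from $10k to $10M.
DEMAND_GRID = [10_000 * (1000 ** (i / 2999)) for i in range(3000)]


def optimal_demand(tax_rate):
    """Demand maximizing expected payout once the attacker has priced in the tax."""
    return max(DEMAND_GRID, key=lambda d: attacker_revenue(d, tax_rate))


def immediate_effect(old_rate, new_rate):
    """Before attackers adapt: payout frequency when the old optimal demand is
    met under the new tax rate (the 'next victim' owes old demand plus new tax)."""
    d = optimal_demand(old_rate)
    return pay_probability(d * (1 + new_rate))


def equilibrium(tax_rate):
    """After adaptation: optimal demand, victim total cost, attacker revenue."""
    d = optimal_demand(tax_rate)
    return {"demand": d, "victim_cost": d * (1 + tax_rate),
            "revenue": attacker_revenue(d, tax_rate),
            "pay_probability": pay_probability(d * (1 + tax_rate))}


if __name__ == "__main__":
    for t in (0.0, 0.25, 0.5, 1.0, 2.0):
        e = equilibrium(t)
        print(f"tax {t:4.0%}: demand ${e['demand']:>11,.0f}  "
              f"victim pays ${e['victim_cost']:>11,.0f}  "
              f"attacker gets ${e['revenue']:>9,.0f}  P(pay)={e['pay_probability']:.2f}")
    print(f"payout frequency right after a 100% tax, before adaptation: "
          f"{immediate_effect(0.0, 1.0):.2f}")
```

Because the victim’s total cost at equilibrium depends only on the willingness-to-pay distribution, the optimal demand scales as 1/(1+t) for any distribution, not just the log-normal used here.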
Finally, it is worth considering a similar governmentally-enforced tax policy for ransom payments in general (not just ransomware).
You didn’t say anything about tax evasion in this post, which seems like an important thing to consider. Most ransomware payments are made secretly, right?
Is the argument roughly, “some will evade taxes, so the policy will not work as well, and therefore is not worth implementing?”
Yes, currently very few companies report paying ransom payments. When this tax is introduced the motivation for hiding payments will be even higher, and go up with the tax rate. So when you say “With each increase in tax rates, a market equilibrium will be reached where the funding of ransomware is significantly reduced” I would guess instead that reporting will go down.
Do you think sufficiently stiff penalties for non-reporting (in proportion to the payment amount, perhaps) might address this?
Maybe, although what is “sufficient” depends a lot on the rate of catching the evaders. I don’t have a good guess as to what that rate is.
Who bears the cost of a tax depends on the elasticities of supply and demand. In the case of a ransomware attack, I would expect the vast majority of the burden to fall on the victim.
Right, the proposal offers no initial benefit to the next victims immediately after its implementation. Also, I agree that the inelasticity of the market for ransomware would lead to increased initial burden on the next victim, due to higher initial total payments (ransom + tax) prior to adaptation. Indeed, at any point there is a tax increase, the immediately-following victims would pay more, so perhaps a slow raising of the tax rate would be best. One assumption I made is that the attackers are already demanding their utility-maximizing amount. Since this ransom would decrease with time as all actors become aware of the existence of this tax, the benefit would be realized by the downstream effects of less funding of ransomware, and the would-be victims of the future are the real intended beneficiaries.
(End of post updated for clarity on this)
I don’t know enough about attacker motivations and economics, or what is the elasticity of attempts to extort (nor about elasticity of victims who choose to pay). It certainly won’t solve the problem. It MAY reduce the incidence, or it may just make it more expensive for victims and slightly less profitable (but still way positive) for attackers.
I do wonder why it’s preferable to tax at punitive rates, but not to just outlaw entirely. Philosophically, sin taxes are annoying, because they assert a sin without much justification or calculation of “how bad is it”. When framed in a Pigou context (tax enough to be neutral about the externality), it’s a much stronger theory. In this case, it’s very hard to calculate the Pigouvian cost (externality value) of paying a given ransomware demand, so taxation seems a weaker tool than just outlawing it (note: I don’t know enough to really advocate for this either, I’m just comparing the two).
Thank you for the feedback; I’ve updated the post for another attempt on improved clarity with your concerns in mind. I think the optimal tax amount could be empirically determined. The use of the word “sin” carries baggage that could be avoided without its use; there is no retributive intent or even need to match the extent of negative externality; rather, there is just some theoretical tax rate and increase timeline that would reduce net harm. An empirical approach could explore various rate increases and their effects, using various proxies of both payment and compliance to estimate how the market is impacted.
Updated to include: “Taxation immediately reduces the frequency of payouts” section toward the end.