Large corporations can unilaterally ban/tax ransomware payments via bets

by ryan_greenblatt2 min read17th Jul 20213 comments

9

World Optimization
Frontpage

After the Colonial Pipeline ransomware attack, the idea of banning ransomware payments has become more prominent (at least in the US). This has the benefit of reducing the incentives of hackers as well as avoiding money going to criminal syndicates. It would also be possible to instead simply tax ransomware payments at a very high rate (e.g., 1000%).

While actually implementing this ban/tax at a national level might be difficult and implementing at a state level results in a competitive disadvantage for that state, I claim that large corporations should be able to unilaterally simulate some of the effects of a ransom tax while gaining a competitive advantage. They could do this just by betting against paying a ransom. Specifically, the corporation could open a prediction market for 'this corporation pays a ransom in the next 5 years' and then place a large, unhedged, and uninsured bet against paying a ransom. Of course, the exact terms and payout details could vary. For example, the payout could be proportional to the total ransomware payments over a period to simulate a proportional tax instead of a flat tax. This is is a sort of pre-commitment strategy like disabling your steering wheel in a game of chicken (except with prediction markets).

This market should be reasonably efficient, so the bet itself should have near 0 expected value for the company. However, the side effects of the bet are likely positive expected value: it should discourage ransomware attacks and signal confidence about security. Note that if only one company made this bet, that would likely just shift the targets of ransomware attacks. That's still a good enough reason for a company to use this approach. Despite the fact that penalizing ransomware payments is a public good, companies should be able to unilaterally benefit regardless of how many other companies also use this approach. Additionally, if a decent percentage of companies actually implemented this policy, than the incentives could change more broadly.

Cons

  • A company must be large and well known to implement this policy. It's not useful if ransomware groups don't hear about it.
  • Due to asymmetric information and adverse selection, it may be difficult for companies to secure good rates on the prediction market. This should be less of an issue for public companies and companies could just allow external audits. If these external audits disclosed security issues to the company (perhaps this would be required), then this should also improve security.
  • The bet might end up being very high risk (and it can't be hedged without eliminating the whole point).
  • Insider trading concerns.
  • Ransomware groups participating in the prediction market could undermine the approach and allow for 'pump and dump' schemes. It should be possible to reduce this issue in exchange for losing market liquidity and some efficiency. For instance, the company could make the bet with a large institution instead of on an open market.

Please comment if you have seen this idea or similar suggested elsewhere (I certainly haven't).

Is anyone aware of other cases where this sort of game theoretic betting could be useful/is used? I think this is approach is generally only useful if the opposing party in the game can't participate in the bet.

9

3 comments, sorted by Highlighting new comments since Today at 7:15 AM
New Comment

Additional potential problem: Indiscriminate ransomware attacks (e.g. a virus that tries to autonomously spread to as many systems as possible before locking their data) wouldn't be affected by such a precommitment since there would be no incentive for the attackers to go out of their way to avoid the company in question.

Does this meaningfully differ from promising to pay $X if any money is paid to ransomware? As far as I can tell, incentives to lie/cheat/etc are the same, with the only difference being your mention of proportionality, but I feel you could just promise to pay $f(x) instead to the same benefit.

Yes. The difference is that betting on something is zero expected value (instead of just agreeing to pay which is negative expected value).

Legal contracts should avoid most issues with lying/cheating. The difficulty of cheating should be similar to insider trading. Companies make bets and pay those bets all the time: options and futures contracts.