The Luddite

Data breaches from major companies have become so commonplace that, for most people, they no longer register as interesting or important. In 2017, Equifax, one of the "big three" credit reporting agencies (and an extremely backwards use of computers), leaked 148 million Americans' sensitive personal data, perhaps the single worst breach in history. Very few of us, if any, had consented to having our data given to Equifax in the first place, yet they still had and leaked our social security numbers, driver's license numbers, and, in the case of a smaller number of us, our credit card information. Any consequences Equifax faced pale in comparison to the severity of the breach, in no small part because the American government is a farce, but also because this novel, diffuse kind of harm made possible by the internet is so distinctly modern that the legal system we inherited from medieval England may be poorly suited to the task. Perhaps modern problems require modern solutions, and modern solutions, if they are to be serious, must necessarily be market-based. It is verboten for the government to do, so instead we must make sure to properly incentivize.

To properly incentivize, we need to understand that, for Equifax, a consumer data breach is what is called an "externality," or a cost not reflected in the price of the good. We must therefore implement a market mechanism to force Equifax to "internalize" this externality. To do this, I propose we legalize (and regulate) ransomware.

Ransomware is malware that encrypts all the contents of a target's system, rendering the system unusable and thus holding it hostage, then decrypts the contents if and when a fee is paid. The amount of the fee is, of course, set by the market, and is therefore the correct fee, by definition. Ransomware attacks have shut down critical pieces of infrastructure. In 2021, the Colonial Pipeline attack caused 17 states to declare an emergency because of the fuel shortage, and was resolved when the company paid the $4.4 million dollar ransom.¹ That same year, the University of Vermont Medical Center's (UVMMC) ransomware attack caused critical hospital systems to go offline for months, forcing healthcare staff to resort to paper records, disrupting critical communication between the hospital and its patients, and so on.

The reader here may notice that we are advocating for legalizing ransomware, while also discussing ransomware's disruptive and even dangerous effects. This may seem in tension, but to devotees of capitalism, it is perfectly normal for important industries to cause harm. It is always and can only ever be a problem of incentives. For example, we need fossil fuels; fossil fuels are also destroying life on the planet as we know it. This is because emissions are an externality.² Economists therefore, in their wisdom, instead of stopping pollution, design a less obvious but much more realistic solution — carbon markets. This allows companies that pollute to continue to do so on the condition that they pay someone else not to pollute through elaborate accounting schemes so complicated they fool not just the public, the regulators, and the auditors, but the Earth itself.

Likewise, it is not the ransomware itself that caused the harm to UVMMC, but an improperly functioning market. UVMMC refused to pay the ransom, meaning they were forced to rebuild and restore their IT infrastructure from backup, which they of course took months to do, because the kinds of organizations who do not invest enough in cybersecurity are the same kinds of organizations who cannot quickly and effectively perform basic IT tasks like restoring systems from backups. Instead of paying, they attempted to work with law enforcement, a government agency and therefore suspect, to circumvent these natural market forces, resulting in the months-long disruption to patient care.

It is precisely in that connection that we can see how we have erred. It is not for us to decide whether Equifax or ransomware should exist. These are neutral, rational entities, both competing in the market, as God intended. By outlawing ransomware, we have perturbed the benevolent yet delicate balance of market forces. For proof, one need only observe just how commonplace serious data breaches have become while ransomware is illegal. Despite our good intentions, especially when considering the destructive and predatory nature of ransomware, we failed to understand the important role it played in the ecosystem, a mistake we will surely never repeat.

We must therefore legalize ransomware, but that is not enough. Any good capitalist knows that markets must have rules. If you make cheap clothing, but a rival company makes better, cheaper clothing, it is not acceptable for you to burn the rival factory down, murder the owner, and leave her³ head on a spike as a warning to future competitors. We made that a crime to incentivize the right kind of market competition; had we not, our clothing supply chains would be riddled with violence and human suffering for the sake of cheap t-shirts, an obviously absurd outcome.

With that in mind, I propose the following rules:

1. All ransomware companies must have a ransomware license.
2. Ransoms are subject to a 10% special tax
3. Successful ransomware attacks must have their fee paid within 24 hours.
4. Ransomware companies must hand over decryption key within 24 hours of receiving payment.
5. A company that attempts to decrypt their systems without paying the fine is liable for treble damages plus reasonable attorneys' fees

The first two rules are straightforward — any government program ought to pay for itself (unless, of course, it does violence). This is obvious to anyone who knows anything and requires no further explanation. Rules 3-5 are responsible for maintaining a functioning market. We cannot have hospitals without functioning IT systems for months on end. Had these rules been in place, UVMMC would have simply paid the fee and could have restored their systems within 48 hours, causing a small but acceptable inconvenience to healthcare staff, and negligible if any loss of life.

This proposal is not perfect. Ransomware is not pleasant. Pipelines going offline and hospitals being unable to provide critical services seriously disrupt the economy, along with some other harms. However, this is a realistic proposal. We at The Luddite are not pie-in-the-sky utopians. We understand no meaningful, structural changes can ever happen again. We therefore urge you all to write your local representatives today. Ask them to legalize ransomware. It is the best we can do.