Earlier this week, Garmin was hit by a huge ransomware attack that shut down all their operations for days. Now they’re coming back online, after supposedly obtaining the decryption key. Garmin has publicly stated that they did not pay their attackers directly, but won’t comment beyond that.

It seems pretty safe to conclude that they had their insurance company pay the attackers off, which would be a pretty stupid thing to do.

Ransomware, which is increasingly difficult to stop by technical means, could be neutralized forever with a stroke of the pen: make it a federal crime to pay off cybercriminals. No exceptions. And this would not be a crime penalized with an easily paid “slap on the wrist” fine (like we do with environmental laws), but one with serious consequences: prison time for company executives, or perhaps forfeiture of company assets. Imagine how the federal government might react if Garmin executives had instead wired $10M to a cartel for some drugs.

Paying cybercriminals creates more cybercrime. It is a choice that we make.

File under: hard technical problems with easy political solutions.