Paying to release hostages?

Bernold Nieuwesteeg

Last year, the Netherlands faced two ransomware attacks that shook up the cybersecurity industry. This caused a major debate about whether it is right to pay ransom. Bernold Nieuwesteeg LL.M., director of the Centre for Law and Economics of Cyber Security at Erasmus School of Law, states that it is time for the Dutch government to introduce updated policy advice on how organizations can deal with ransomware attacks most effectively.

In the Data Cybersecurity and Privacy magazine published in June 2020, Bernold Nieuwesteeg discusses the dilemma that companies face with regard to cybersecurity. Cybersecurity experts can often distinguish the ‘trustworthy’ attackers from the unreliable wolves. When dealing with those professional ransomware attackers, paying ransom can be an option, as the attackers stop attacking when the ransom is paid. This luckily happened in the attack on Maastricht University, where huge amounts of research data were at stake.

However, the Dutch police advise against paying ransom because payment does not guarantee that the victim will regain access to their data. In fact, some individuals are never provided with decryption keys after paying a ransom. Paying ransom also reinforces the business model of the cybercriminal. The Dutch Ministry of Foreign Affairs, therefore, decided not to pay ransom in the case of an ‘offline hostage-taking’. “Paying ransom would give a signal to the world that one could take every Dutch citizen hostage, considering the ransom will be paid after all”, according to Nieuwesteeg.

That is why he pleads for an updated policy on how organizations can effectively deal with ransomware attacks. Stakeholders such as Maastricht University, along with other stakeholders from the government, academia and industry, should play a prominent role in the development of this policy.
