Large corporations can unilaterally ban/tax ransomware payments via bets

post by ryan_greenblatt · 2021-07-17T12:56:12.156Z · LW · GW · 3 comments

After the Colonial Pipeline ransomware attack, the idea of banning ransomware payments has become more prominent (at least in the US). This has the benefit of reducing the incentives of hackers as well as avoiding money going to criminal syndicates. It would also be possible to instead simply tax ransomware payments at a very high rate (e.g., 1000%).

While actually implementing this ban/tax at a national level might be difficult, and implementing it at a state level puts that state at a competitive disadvantage, I claim that large corporations should be able to unilaterally simulate some of the effects of a ransom tax while gaining a competitive advantage. They could do this just by betting against paying a ransom. Specifically, the corporation could open a prediction market for 'this corporation pays a ransom in the next 5 years' and then place a large, unhedged, and uninsured bet against paying a ransom. Of course, the exact terms and payout details could vary. For example, the payout could be proportional to the total ransomware payments over a period to simulate a proportional tax instead of a flat tax. This is a sort of pre-commitment strategy, like disabling your steering wheel in a game of chicken (except with prediction markets).

This market should be reasonably efficient, so the bet itself should have near zero expected value for the company. However, the side effects of the bet are likely positive expected value: it should discourage ransomware attacks and signal confidence about security. Note that if only one company made this bet, that would likely just shift the targets of ransomware attacks. That's still a good enough reason for a company to use this approach. Despite the fact that penalizing ransomware payments is a public good, companies should be able to unilaterally benefit regardless of how many other companies also use this approach. Additionally, if a decent percentage of companies actually implemented this policy, then the incentives could change more broadly.


Please comment if you have seen this idea or similar suggested elsewhere (I certainly haven't).

Is anyone aware of other cases where this sort of game-theoretic betting could be useful or is already used? I think this approach is generally only useful if the opposing party in the game can't participate in the bet.



comment by Measure · 2021-07-20T23:37:15.445Z · LW(p) · GW(p)

Additional potential problem: Indiscriminate ransomware attacks (e.g. a virus that tries to autonomously spread to as many systems as possible before locking their data) wouldn't be affected by such a precommitment since there would be no incentive for the attackers to go out of their way to avoid the company in question.

comment by tomcatfish · 2021-07-18T17:15:31.907Z · LW(p) · GW(p)

Does this meaningfully differ from promising to pay $X if any money is paid to ransomware? As far as I can tell, incentives to lie/cheat/etc are the same, with the only difference being your mention of proportionality, but I feel you could just promise to pay $f(x) instead to the same benefit.

Replies from: ryan_greenblatt
comment by ryan_greenblatt · 2021-07-19T11:31:29.770Z · LW(p) · GW(p)

Yes. The difference is that betting on something is zero expected value (instead of just agreeing to pay which is negative expected value).

Legal contracts should avoid most issues with lying/cheating. The difficulty of cheating should be similar to insider trading. Companies make bets and pay those bets all the time: options and futures contracts.