Bohanon & Curott: The cost of ransomware attacks and prevention is high

Just as the COVID crisis is waning and economic recovery is beginning, another cloud comes on the horizon: ransomware extortions. Gangs of criminals with access to sophisticated computer skills hack into an organization’s computer network, disabling one or more of its key components. The criminals promise to fix the hacks if the organization ponies up a sufficient ransom, sent in cryptocurrency.

It seems all those workers doing their jobs at home during the pandemic increased the number of targets. It also seems the criminals have refined their hacking skills during the COVID year. Ransomware attacks have doubled during the first part of 2021 and the costs of attacks are also rising. High-profile cases like the Colonial Pipeline and JBS Meat are the tip of the iceberg.

One industry expert asserts that, for every ransomware case we hear about, there are 20 to 30 that never make the news. Another report estimates that the cost of cybercrime—which includes not just the ransom payments, but also the economic damage from the interruptions, the reputational damage to the victims and the costs of attempted prevention—comes to $1 trillion worldwide, or around 1% of world GDP. Think of it as a 1% output tax that is likely to rise.

The economic theory of crime sees criminal perpetrators engaging in a cost-benefit calculation. The standard economic remedy is to raise the expected costs and/or reduce the expected benefit from the nefarious activity.

However, it is hard to see how conventional anti-crime policies work here. The expected cost of engaging in a criminal act is the chance of being apprehended, convicted and punished. But ransomware hacks can and usually do come from outside their victims’ nation. So the victims’ home government has no criminal jurisdiction. As long as the hackers are not bothering people in the hackers’ base country, why should the base country be concerned with the costs imposed on foreigners?

It is hard, if not impossible, for the U.S. government to impose criminal sanctions on hackers burrowed in countries openly hostile to the United States, such as North Korea, Russia or Iran.

Nor is reducing the benefit of the extortion much of an option, either. Organizations already invest resources to make ransomware extortions more difficult, but they can hardly be expected to make their operations less profitable to reduce their value as a target. Please, President Biden, talk about this with Mr. Putin.•


Bohanon and Curott are professors of economics at Ball State University. Send comments to
