Ransomware, Cyber Sanctions, and the Problem of Timing

Abstract

This essay argues that the lack of a federal blanket prohibition against ransomware payments undermines the purpose and effectiveness of the U.S. sanctions regime. The U.S. cyber-related sanctions program suffers from an essential problem of timing: often payments to malicious cyber actors are not prohibited until those actors have been named to the Specially Designated Nationals and Blocked Persons List (SDN) maintained by the Office of Foreign Assets Control in the U.S. Department of the Treasury. Yet those actors generally are not so designated until they have been identified as malicious through a completed or attempted attack. Further, the time between a cyberattack and the designation of a party as an SDN is generally not short enough to prohibit the making of a ransomware payment in response to an attack itself. A blanket prohibition against the making of ransomware payments would supplement the OFAC regulations and remedy a structural shortcoming of that regulatory scheme.