Hackers are taking cities hostage, and some cities are paying ransom to the criminals. That needs to change.

Ransomware attacks on municipalities are on the rise. Last year, it was Atlanta, which spent $2.6 million to recover rather than pay the demanded $51,000. Before that, it was suburbs of Dallas and of Birmingham, Alabama, and localities in North Carolina and New Mexico. Last month, hackers crippled Baltimore, which is still working to restore its systems without paying the $100,000 or so the hackers demand. And then there are places that decide to pay, such as the Florida town that decided to fork over a whopping $600,000 to the bad guys last week, desperate to deparalyze its computer systems and restore essential services to its residents.

The numbers may seem to make the case for giving hackers what they want. But that’s the point of ransomware: It is designed to convince victims that complying is cheaper and easier than the alternative. The argument for refusing to put taxpayer money into malicious actors’ coffers is stronger. Morally, taxpayer money should not be used to reward criminal enterprises. Practically, if cities collectively stop providing that reward, hackers may pack up their keyboards. Every dollar — or, more accurately, every bitcoin — that cities turn over to cybercriminals encourages them to continue attacking, and it also gives them the resources to do so more effectively and more often.

There is a way to break the cycle: pass a federal law barring ransomware payments. Along with such a prohibition, funds should be devoted to helping cities and states become more secure in the first place, focusing especially on the need to have backups of critical data. Then the Department of Homeland Security could set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom.

Those facing punishment might protest that resisting the criminals is too costly in money, time offline and information lost forever. But the money is an investment in preventing more attacks across the country, and it takes substantial time, too, to pay a ransom and reboot an entire government. As for the information, the threat of losing it should be an incentive to governments to get moving on backup systems. An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result.

— The Washington Post