> "The cheaper we make it to pay that ransom, then the more incentives we’re creating for companies to pay, and the more incentives we’re creating for companies to pay, the more incentive we’re creating for criminals to continue," said Josephine Wolff
In an ECON 101 sense, ransomware attackers want to set the price as high as they can such that the victim will pay. A rational victim will consider their tax bill in the cost/benefit calculation. So although giving a tax deduction for ransomware seems like it reduces the burden on the victim, in the long run it just increases the reward for the hacker at the expense of the treasury.
To be fair, AFAIK it's just a consequence of how our tax code is structured. Business expenses are tax deductible, and ransomware payments just happen to meet the definition of business expense. It's not like Congress got together and thought "yep, we should definitely make ransomware payments tax deductible!".
Taxpayers are "on the hook" for this in the same way that taxpayers are "on the hook" if I decide to take an early retirement and support myself by gardening rather than earning $300k a year in a Silicon Valley tech job, and paying income taxes on that, and the same way that society is on the hook because I have stopped producing any meaningful contributions to its well-being.
That is to say, it's a sliiiightly entitled way to look at the matter.
> And now taxpayers are on the hook for shitty security. Hell why not?
They already are for more conventional crimes. If a business burns to the ground, its loss of assets is a business loss for tax purposes. Even if it doesn't, insurance premiums are a deductible expense, so the government sees its deduction for the amortized fire damage regardless (since insurers recover expenses plus profit via premiums).
The full article covers this. It's not like there's a specific "pay criminals, get a refund" item in the tax code, it's that damages and losses from crimes are treated like any other business expense.
So I can pretend paying ransom in btc, pocket money from my own company anonymously for a self-controlled malware, and save on taxes? Damn this loophole is getting better and better.
Old and busted: Sorry Tolkien estate, the LoTR movies didn’t turn a profit so we have no backend for you (because we spent a billion dollars on marketing through one of our shell companies).
New hotness: Sorry IRS, our entire business didn’t turn a profit so we don’t owe taxes (because we sent $5 billion in ransoms to one of our shell companies).
Similar thing happened in Canada. A uranium miner set up a shell company in Switzerland and sold its future production to them at a market low. If the price went up, all of the profits shifted. If it went down, the subsidiary would go bankrupt and void the contract.
The shell can shift its profits tax-free back to the Canadian parent.
Why go through the trouble of ransomware, which might get the FBI involved and put you in a bad light? You can very well just pay a "consulting fee" to some offshore shell company. Any business expense is tax deductible, not just ransomware payments.
Is a ransomware payment a bribe? The linked page doesn't really say what constitutes a "bribe". The next paragraph says that it only covers illegal activities, which AFAIK isn't the case for ransomware groups unless they're a designated terrorist organization or something.
I remember seeing that there is an actual section dedicated to income from illicit income in the tax forms. Which is honestly amazing to see, and confusing too.
I don't see much that is controversial here. Losses due to crime such as assets being stolen are business losses. Certainly there is a modicum of willing victim participating here, but I don't see it as any different than other practices whereby a company is allowed to make security cuts and then deduct the inevitable crime-related losses.
If the government really wants to reduce this then perhaps they should actually help companies. Set up teams to address these situations in real time. Put that extensive NSA internet spying network to good use and track these situations. When a company calls the FBI to report an ongoing ransomware attack, they shouldn't have to leave a message in hopes that maybe someone might call them back in a couple weeks, nor should they be told to report the situation to their local cops.
In Germany, Theo Albrecht (one of the Aldi founders, Forbes richest #31) tried to deduct his kidnapping ransom payment ($2mil USD in 1971) as a tax-deductible business expense. It went to court and was denied.
Misleading: pretty much all expenses incurred by a US business are "tax deductible" in the sense that you subtract expenses from income to arrive at profit and it is profit that is taxed. So an expense needs to be explicitly prohibited by the IRS as legitimate in order to make the equivalent amount of profit subject to tax. They didn't prohibit ransom payments.
About as easy as committing tax fraud by claiming losses from any other form of criminal activity, such as farmers burning down their barn and claiming the loss, or construction contractors claiming losses on "stolen" tools.
Also a nice way to keep profits in the hands of hard working management if those pesky shareholders fail to grant them sufficient bonuses /s
But I doubt that it could happen like that, the skillset requirements just don't have the overlap it would take.
But taking some liberties extrapolating a dark future, imagine what would happen if key persons who failed particularly hard at avoiding payment suddenly found themselves with unsolicited keys for wallets containing some amount of finder's fee. Deniable, yes, but how much would that deniability be worth in the end? If that could be the future of business computing, should we buy stocks of fax machine companies?
Sure. But now transfer the money from the “criminals” back to you in some untraceable way. Oh, and that’s money laundering, so additional charges on top of tax fraud.
When you still have reserve currency status for the world you can do dumb things.
Unfortunately those dumb things are catching up to us…
Seems that everyone is choosing an easy way out instead of the hard choice that needs to be made.
I would rather see the hard choices made instead.
I.e., maybe Russia cannot be directly attacked, but certainly Russian forces in Ukraine can be attacked in a cyber manner,
If you pay extortion money or bribes as a company, it's not just that they're deductible, you're actually obligated to account for them.
Being illegal and being deductible don't have to do anything with each other.
Don't forget Al Capone was actually convicted for tax evasion in the end, as even illegal businesses have to pay taxes.
Perhaps there is a UK, European, or other jurisdiction accountant on HN who could comment?
[1] https://www.irs.gov/publications/p547#en_US_2020_publink1000...
So, a lot.