Meat producer JBS put $11m into the hands of its hackers. Is paying such a ransom ever justifiable?
James Moore considers the options open to companies that face ransom demands – and whether they can ever really win
To pay or not to pay?
This is the impossible dilemma faced by any number of organisations that fall victim to the current epidemic of cybercrime.
One of them, the US arm of JBS, the world’s biggest meat producer, has just opted to meet its hackers’ ransom demands. And how.
The company sent the equivalent of $11m (£7.8m) their way, reportedly in Bitcoin.
The hack forced the cessation of cattle slaughtering at US plants for a day last week, threatening supply chains and potentially pouring fuel on the inflationary fires burning around the country’s food prices, a consequence of high demand, labour shortages and, of course, Covid.
It also disrupted operations in other countries, although less severely.
The company said that “the vast majority” of its facilities were operational at the time of payment.
However, it said that “in consultation with IT professionals and third-party cybersecurity experts” the funds were transferred “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated”. The FBI has been kept in the loop.
But the payment will inevitably prove controversial: every dollar, pound, euro or Bitcoin handed over to crooks will only encourage them in their endeavours.
In its explanation, the company pointed to the risk the hack posed to its data, the gold dust of the information age, and especially its customer data.
Andre Nogueira, the CEO of JBS USA, said they “felt this decision had to be made to prevent any potential risk for our customers”. He described a “very difficult decision to make for our company and for me personally”.
No doubt. Payment might look like the easy way out, but it isn’t. This was made clear to me by law enforcement professionals. The equation is delicately balanced, requiring a careful assessment of the economic and other damage that could result from staring the hackers down.
Also, let’s be clear here, there is now a real risk of raising a gaudy sign outside the corporate HQ bearing the legend “target”. Clearly, if you prove willing to pay once, the message to another hacker in search of a target is that you might do so again.
There are also no guarantees that it will end well and improve your lot after the money’s down, given the nature of the people you’re paying.
That’s part of the reason why Britain’s National Crime Agency does not “condone, recommend or endorse payment”.
It can, anyway, sometimes be illegal if, for example, the money is destined to find its way into the hands of a terrorist organisation.
Criminalising payment in all circumstances could be one way of discouraging hackers by reducing their chances of success. But that creates uncomfortable issues too.
Quite apart from the damage that could be done through the misuse of illegally obtained data, and the economic fallout from wrecking the systems of a big employer that is legally bound not to pay, it ultimately carries the risk of criminalising the victim of a crime.
This is a story of impossible dilemmas for all concerned.
The JBS USA statement made great play of its “cybersecurity protocols, redundant systems and encrypted backup servers” that it said played a key role in its ability to swiftly resolve the issue.
The company was also at pains to stress that it “spends more than $200 million annually on IT and employs more than 850 IT professionals globally”.
One thing that is abundantly clear: an extra pound, dollar, euro or even Bitcoin spent on cybersecurity is never going to be wasted.
But it’s also true that such crimes are often facilitated through cheap backdoors left in place through sheer carelessness.
Assessing vulnerabilities and acting to mitigate them is something that is at least in the (potential) victim’s control. The lesson here is that the corporate doors and windows need to be closed and locked up as tightly as possible.
Meanwhile, any finance chief tempted to present a cost-cutting plan featuring the IT department should be sent back to their desk. Hard to believe, but they were once popular targets. Now, not so much.