During the 1960s and 70s, the UK developed a non-negotiation policy in response to terrorist incidents primarily involving Northern Ireland. This stance was also adopted by the US in the 1970s and 1980s, specifically relating to the Middle East. The famous soundbite, “We do not negotiate with terrorists,” became popular but does not reflect the reality that both countries do negotiate in certain situations. This approach has resulted in missed opportunities, loss of lives, and hypocrisy.
The Good Friday Agreement in 1998 is a clear example of successful negotiations with terrorist groups. The UK and Irish governments, along with multiple political parties from Northern Ireland, brokered an agreement that led to a power-sharing assembly and the decommissioning of weapons. On the other hand, the fate of hostages held by ISIS demonstrates the different outcomes of negotiating and not negotiating. While some captives were released after negotiations and ransom payments, others were executed.
There is an argument against paying ransoms or negotiating, as it can incentivize further criminal activity. However, Joel Simon argues in his book that adhering to a no concessions policy actually puts people at greater risk. Making ransom payments illegal may have negative effects, such as decreased incident reporting and criminalizing victim organizations. It also removes a valuable tool for incident responders, as negotiations can provide intelligence and buy time for investigation and recovery.
To improve company culture and tackle cyber security, boards and executives should be held personally accountable for data security. This could include fines, loss of bonuses, or even imprisonment. Engaging with threat actors and being open to negotiation, as demonstrated in hostage situations, can lead to better outcomes. Targeting the financial systems of threat actors, particularly through the use of zero-knowledge proofs (ZKPs) and scoring transactions, may also discourage transactions with known bad actors while respecting privacy rights.
Overall, a multi-faceted approach is needed to address cyber security concerns, including holding individuals accountable, being open to negotiation, and targeting the financial aspects of cyber crime.