> In the real world we don't accept the argument that the victim is primarily at fault.
If you're worried about X, and Y promises to prevent X for a cost, you seek recourse against Y.
X: I can't miss this flight. Y: Pay this surcharge to reserve a seat. Overbooking ensues. I'm blaming Y and not the other passengers.
X: Really don't want this disease to kill me. Y: Take these pills to not die. Death ensues. I'm (well somebody else is) blaming Y and not the disease.
In life we can't always control the cause so we aim to minimize the effect. Thus, while the ransomers are culpable for the blast, IT security are accountable for the size of the blast radius.
They're not the same but when you can't control the cause what's the difference?
Due to the nature of the web, unless you unplug from the Internet, the risk is persistent. So although a cybercrime-free world would be swell, until that day arrives we must control the effects.
I'm not convinced this isn't the answer. What are we gaining by putting hospital networks on the Internet? Are those gains worth the cost in increased vulnerability?
How we talk about these situations and the expectations we have are very important. If we collectively signal that extortion is OK and just something everyone needs to get used to then you are de-stigmatizing criminal behavior. I don't think that is a good idea.
I agree, extortion is not OK. Simply saying that this could have been mitigated and if there's someone whose job it is to mitigate things like this, it's on them.