Following the newsworthy ransomware attacks on Colonial Pipeline and top meat producer JBS, some government officials have called on Congress and the administration to ban ransomware payments by organizations to threat actors. But others have resisted an outright ban, calling it typically “a private sector decision”. However, four states are moving ahead with proposed legislation to either ban paying a ransom or substantially restrict paying it.
According to CSO Online (“Four states propose laws to ban ransomware payments,” written by Cynthia Brumfield), four states have five pending pieces of legislation that would either ban ransomware payments or substantially restrict them.
In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.” Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.” New York stands alone in terms of barring private sector businesses from paying a ransom.
Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would prohibit the use of state and local taxpayer money or other public money to pay a ransom. This public money prohibition would likely hamstring local governments from paying off ransomware attackers.
Pennsylvania Republican State Senator Kristin Phillips-Hill stated that she introduced her “Safeguarding the Commonwealth from Ransomware Attacks” bill to discourage at least some ransomware attacks, those aimed at public agencies, by removing the attackers’ financial incentives. If cybercriminals are rewarded for their efforts, they will simply continue to launch ransomware attacks, she says.
Phillips-Hill’s bill also aims to develop guidelines agencies should follow in beefing up their preparedness to respond to ransomware attacks. The bill, however, does not appropriate any funds to help agencies bolster their ransomware response capabilities.
But legislation banning ransom payments would likely cause more harm than good, industry experts say, particularly given the short response windows and complexity of most ransomware attacks. “Whether or not to pay a ransom is an extremely hard choice for a business to make,” Adam Kujawa, director of Malwarebytes Lab, said. “Despite what many may believe, paying the ransom isn’t the most expensive part of an attack and certainly isn’t the end of the experience for businesses under attack. There are many larger issues here that need to be considered, including how to prevent these attacks in the first place and how to crack down on the actors themselves.”
An outright ban on ransom payments “would mean that many businesses tempted to pay the ransom may be less likely to disclose a breach, which would impact both our understanding of the latest ransomware threats and leave customers of impacted businesses in the dark,” Kujawa said.
A better alternative to banning ransom payments is requiring companies to report ransomware attacks to a central authority, as most of the state bills also do. “We’ve clearly seen that a more effective strategy against ransomware is for everyone to share their attack data and use that information to empower our investigative services to go after the criminals, not the victims,” Kujawa said.
And, of course, the best solution to managing ransom infections is to harden infrastructure to handle these attacks better while also hiring more security personnel. Chris Ballod, associate managing director at Kroll, points to the more significant investments in data protection technology fostered by the EU’s General Data Protection Regulation (GDPR) as a critical factor in why ransomware attacks are not as severe in Europe as they are in the U.S. “It’s made [European] targets more hardened. It’s just made them harder to get into, [making them less attractive], particularly when you’ve got wide open targets here in the United States, or more of them, anyway,” he says.
It will be interesting to see how much pushback the four states get on these bills, especially in New York, which has the only proposed bill impacting the private sector. Legislation often begets litigation.
So, what do you think? Do you think there should be laws that ban ransomware payments by organizations and government entities to ransomware attackers? Please share any comments you might have, or let me know if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.