States weigh bans on ransomware payoffs

 

Connecting state and local government leaders

While prohibiting ransom payments could help deter attacks, some cybersecurity experts say it’s a bad idea because local governments, particularly smaller ones, may not be able to restore or rebuild their computer networks quickly, resulting in more costs and disruption than paying a ransom.

As ransomware attacks continue to wreak havoc on police departments, school districts and city and county governments, some state legislators say they’ve had enough.

At least three states—New York, North Carolina and Pennsylvania—are considering legislation that would ban state and local government agencies from paying ransom if they’re attacked by cybercriminals. A similar bill in Texas died in committee earlier this year.

Prohibiting ransom payments would help deter attacks because cybercriminals would know they couldn’t get paid and would have no financial incentive, the legislators say.

“If criminals know that Pennsylvania will not pay ransom, we are going to make ourselves a less likely target for these types of attacks,” said Republican state Sen. Kristin Phillips-Hill, who is sponsoring a no-ransom bill. “Our citizens’ personal information is on the line. We have to do everything we can to protect them.”

But some cybersecurity experts say that while banning ransom payments may be well-intentioned, it’s a bad idea because local governments, particularly smaller ones, may not be able to restore or rebuild their computer networks quickly. That could prove even more costly and disruptive than paying a ransom.

“Extortion is always wrong. It’s bad. But this way, you’re punishing the victim,” said Dan Lohrmann, chief security officer for Security Mentor, a national cybersecurity training firm that works with states. “I think it could end up causing more harm than good.”

Ransomware typically spreads through phishing, in which hackers email malicious links or attachments and people unwittingly click on them. Malware then hijacks the victim’s computer system and holds it hostage until the victim either pays a ransom, usually with the cryptocurrency bitcoin, or restores the system on their own.

In recent months, the fallout from ransomware attacks has received widespread public attention. In May, the Colonial Pipeline shutdown sparked panic buying and gas shortages along the East Coast. The company paid more than $4 million to recover its stolen data. In June, JBS, the world’s largest meat processing company, paid an $11 million ransom after it was forced to halt operations at its U.S. plants.

Last week, the Biden administration announced the creation of a multiagency task force to combat ransomware and launched a new website to help companies and government agencies better protect themselves.

Hackers frequently take aim at state and local governments. In 2020, at least 113 state and local governments were affected, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft. Nearly 1,700 schools, colleges and universities also were struck.

Hackers have shut down courts, disrupted 911 systems and prevented police officers from checking suspects’ criminal histories during traffic stops. They have taken down government websites and prevented residents from paying utility bills or renewing city licenses.

For years, hackers typically didn’t steal the ransomed data or make it public. But now, many are downloading files and threatening to release sensitive information as additional leverage if they don’t get paid.

Some have made good on that threat.

In May, for example, the city of Tulsa, Oklahoma, was hit in a ransomware attack in which cybercriminals later posted more than 18,000 files, mostly police citations and internal department files, on the dark web. Hackers got access to more than two dozen people’s Social Security numbers. City officials, who refused to pay ransom, had to shut down part of Tulsa’s computer network and said it could be months before it is fully restored.

The FBI “does not support” paying a ransom in response to an attack. Nor does the federal Cybersecurity and Infrastructure Security Agency, which strongly discourages it.

“Paying ransoms only encourages this malicious activity,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in an emailed statement to Stateline. “Further, paying a ransom provides no assurance that the victim’s data will be restored.”

State bans

The North Carolina House was the first state legislative chamber to pass a no-ransom bill. The House approved the measure 114-0 in May, and it is now in a Senate committee.

The bill would bar any state agency or local government entity from paying ransom in a cyberattack.

“The main objective is to take a target off of North Carolina’s back,” said Republican state Rep. Jake Johnson, one of the bill’s primary sponsors. “We’re saying we cannot negotiate with you. It’s not legal for us to pay anything. You need to stay away from North Carolina.”

Johnson, who chairs the House Information Technology Appropriations Committee, also is proposing lawmakers allocate an additional $15 million to help state and local agencies beef up their cybersecurity.

“If you think of a small county, they don’t have the capital to go out and hire big firms to do their cybersecurity,” he said. “My vision is we would have grants set up that would help counties and local governments that need it.”

In Pennsylvania, legislators are considering a broader ransomware bill that would make possessing, using or transferring ransomware a criminal offense, ranging from a first-degree misdemeanor to a first-degree felony, depending on the ransom amount. While these actions could fall under a more general computer crime state statute, the bill would make it a specific offense and increase the maximum penalty.

The measure also would prohibit state and local taxpayer dollars or other public money from being used to pay ransom in a cyberattack. The exception would be if the governor authorizes an agency to do so in the event of a disaster emergency declaration.

“My father-in-law was a firefighter. If you’re trying to put out a fire, the last thing you want to do is pour gasoline on it,” said Phillips-Hill, who chairs the Pennsylvania Senate Communications and Technology Committee. “If they get ransom once, they’re going to come back and try it again. We want to put out the fire.”

Phillips-Hill said it’s not appropriate to use taxpayer dollars to pay ransom to “terrorist organizations, organized crime and nefarious actors working on behalf of rogue nation states.” Many ransomware attacks come from Russia and Eastern Europe, and some have been based in China, Iran and North Korea.

The Senate Judiciary Committee approved the measure 13-1 in June. It awaits a vote on the Senate floor.

In New York, lawmakers have filed two no-ransom bills this session. One bill would set up a grant program to provide $5 million to local governments to upgrade their cybersecurity. It also would bar state and local taxpayer money from being used to pay ransom, starting in 2024, by which time local governments should be able to upgrade their systems.

Another more sweeping measure would ban ransom payments by businesses and health care entities as well as government agencies. It also would require agencies to report ransomware attacks to the state.

Democratic state Sen. Diane Savino, the bill’s primary sponsor, said she figured it would prompt lawmakers to seriously address the ransomware problem. “We decided to introduce the bill like a blunt instrument to force this discussion. Granted, I understand this is probably not the way to go about it. How do we tell private businesses what to do?” Savino said. “But we need to do something. If we continue to just stand back and do nothing, that’s not a solution.”

Savino, who chairs the Senate Internet and Technology Committee, said she plans to hold hearings on the bill this fall before the legislative session reconvenes in January. That discussion will include how the state needs to help local governments pinpoint the vulnerabilities in their systems so they won’t be attacked, she said.

Local governments badly need that aid from states to fortify their systems and to restore their networks if they get hit, said Alan Shark, executive director of the Public Technology Institute, a Washington, D.C.-based nonprofit that provides consulting services to local government information technology executives.

“Without help from the state, it’s like there’s three leaks going on but you only plug up one,” Shark said. “You’ve got to put money into this.”

Thousands of local governments don’t have the expertise or money to pay for robust cybersecurity protection, Shark added. That leaves them especially vulnerable to ransomware attacks.

“There are too many governments out there that have been operating the same way they have for the last 10 years,” he said. “The threat level has ramped up and they haven’t changed.”

A 2019 study by researchers at the University of Maryland, Baltimore County found that local governments are under constant or near-constant cyberattack, “yet, on average, they practice cybersecurity poorly.”

“Serious barriers … include a lack of cybersecurity preparedness within these governments and a lack of adequate funding for it,” the report found.

Making it illegal for local governments to pay ransom to cybercriminals makes sense, and in theory, would make them less of a target, Shark said.

“In the short term, this could cause a lot of pain,” Shark said. “But local governments are going to pay one way or the other: either up front for adequately protecting their systems and data or on the back end, having to pay criminals, which encourages bad behavior.”

Experts skeptical

Some cybersecurity professionals are skeptical about states banning ransom payments.

“For many local governments it would cost them a lot more money to start over from scratch and rebuild everything, not to mention all the data they would be losing,” Security Mentor’s Lohrmann said.

And even if they were able to rebuild their systems, Lohrmann said, that doesn’t guarantee cybercriminals wouldn’t attack and sell the data on the dark web.

David Kennedy, CEO of TrustedSec, a cybersecurity company headquartered near Cleveland, said a state no-ransom ban could wind up being “catastrophic” for residents.

“It has the ability to shut down entire governments,” Kennedy said. “That means not being able to conduct business. And we’re also talking about possible outages of energy and water treatment facilities that could take months to recover.”

A state law wouldn’t have much impact on ransomware groups anyway because they often use a shotgun approach and don’t necessarily know which organization they’re going after, Kennedy added.

Even if they do figure out which states prohibit ransom payments and which don’t, they might attack anyway, he said.

“If they notice revenue streams going down, they may be thinking, ‘Let’s cause as much pain as possible in these local and state organizations so other states will think twice about cutting ransom payments,’” he said. “I don’t think they’ll stop.”

Emsisoft’s Callow agrees that ransomware attacks often are opportunistic and random, so one state passing a ban wouldn’t make much difference.

“Ransomware gangs aren’t going to hunt around to find out what the various laws are in various states,” he said. “This would need to be an all or nothing deal with every state adopting the same legislation. That could have some effect.”

Some cybersecurity specialists say lawmakers should pump more money into helping state and local governments strengthen their systems rather than banning ransom payments. That means making sure data is backed up, improving staff training and conducting risk assessments.

“If you really want to stop ransomware,” Lohrmann said, “you’ve got to be proactive.”

This article was first published on Stateline, an initiative of The Pew Charitable Trusts.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.