Some state legislatures are debating bills that could limit or ban ransom payments. A better option, experts say, is mandatory reporting of ransomware attacks.
Following the epic ransomware attacks on Colonial Pipeline and top meat producer JBS, some government officials have called on Congress and the administration to ban organizations from making ransom payments to threat actors. The goal of such a ban would be to codify the FBI’s current advice: Don’t pay ransomware attackers lest you encourage more of the same.
Despite some support at the federal level, most administration officials don’t seem to fully embrace the idea of an outright ban. “Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cybersecurity, told reporters at a White House press briefing in May. No member of the House or the Senate has yet introduced legislation banning ransom payments.
But the picture is different at the state level. So far, four states have five pending pieces of legislation that would either ban paying a ransom or substantially restrict paying it. In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”
Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.”
New York stands alone in barring private-sector businesses from paying a ransom. Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would prohibit the use of state and local taxpayer money or other public money to pay a ransom. Such a public-money prohibition would likely leave local governments unable to pay off ransomware attackers.
This article appeared in CSO Online.