Monday, May 17, 2021

Should governmental entities be allowed to pay ransoms to cybercriminals?


No one wants to pay a cybercriminal in the wake of a ransomware attack, but however distasteful, paying may be a rational choice for some organizations in certain circumstances. As long as the ransom is not paid to a prohibited recipient (for example, a person or group on OFAC's Specially Designated Nationals (SDN) list), paying is generally legal, although officials discourage it. Many companies now carry cyber insurance that covers at least some of the risk of a ransomware attack, and many would rather pay a ransom than suffer permanent loss of data or prolonged system downtime. Although paying a ransom further encourages ransomware attacks, some organizations may decide to do so if the attacker is known to release data and systems upon payment (and there are now vendors who will assess whether a given attacker is likely to do so).

With governmental assets targeted more frequently in recent months, policymakers are asking whether governmental entities should have the same latitude to decide whether to make payments to recover from a ransomware attack.

In North Carolina, Rep. Jason Saine, who works in the technology sector and has introduced multiple bills addressing information technology, has introduced a bill to prevent government agencies from paying a ransom for encrypted data/systems. The bill has passed the House and is nearing passage in the Senate.

House Bill 813 would prohibit State agencies and local government entities from paying, or even communicating with, an entity that has engaged in a ransomware incident, and would require State agencies and local government entities that receive a ransomware demand to consult with the Department of Information Technology. It would also require government entities (such as cities, counties, school boards, and community colleges) to report cybersecurity incidents to the Department of Information Technology. Under the bill, the Department of Public Safety would manage the statewide response to cybersecurity incidents, including ransomware attacks. The bill also "encourages" private entities to report cybersecurity incidents to the Department of Information Technology. For purposes of the proposed statute, a "ransomware attack" means a "cybersecurity incident where a malicious actor introduces software into an information system that encrypts data and renders the systems that rely on that data unusable, followed by a demand for a ransom payment in exchange for decryption of the affected data."

You can read more about the bill here.
