From a public policy perspective, the proper response to a ransomware attack is anything but straightforward. On one hand, this brazen criminal act is abhorrent and worthy of the most aggressive response possible. On the other hand, banning private companies from paying ransoms would likely exacerbate an already nightmarish situation.
From both sides of the aisle there have been calls for mandatory reporting of ransomware attacks, as well as penalties for companies that decide to pay up. In this article, we analyze the merits and downsides of proposed ransomware-reporting legislation, as well as potential solutions.
Proposed state legislation
North Carolina—In a 114-0 vote, North Carolina’s House of Representatives overwhelmingly passed a no-ransom bill in May. This bill, which advanced to a state Senate committee, would ban all state and local government agencies from paying ransoms. Representative Jake Johnson (R-NC)’s bill seeks $15 million to help these government entities bolster their cybersecurity infrastructure.
New York—Sponsored by Sen. Phil Boyle (R-NY), Senate Bill S6154 establishes a grant program, which would give local government agencies $5 million to bolster their security, and it also would prevent taxpayer funds from being used to pay ransom.
Another proposed bill, S6806A, not only would ban ransom payments by government agencies, but it also would prevent businesses and healthcare entities from paying ransoms as well. Without a doubt, this is the most sweeping legislature proposed to date. Even the bill’s sponsor, Sen. Diane Savino (D-NY), seems to think this bill might be taking things too far. Savino admits,
“I understand this is probably not the way to go about it. How do we tell private businesses what to do? But we need to do something. If we continue to just stand back and do nothing, that’s not a solution.”
It’s not every day that we hear the primary bill sponsor admit that it’s flawed.
Pennsylvania—Sen. Kristin Phillips-Hill (R-PA) has sponsored a similar no-ransom bill, which passed a Senate Judiciary committee and currently awaits a decision from the full state Senate. Philips-Hill’s bill prohibits all taxpayer money from being used to pay ransoms, although there is a clause that allows the governor to make an exception in the case of an emergency.
Given that many ransomware attackers threaten to leak corporate data if they do not receive payment, Phillips-Hill has framed the issue as one affecting the data privacy of many everyday Pennsylvanians. As Phillips-Hill states,
“Our citizens’ personal information is on the line. We have to do everything we can to protect them.”
According to Phillips-Hill’s memorandum seeking bill co-sponsors, “In 2019 at least 966 U.S. government agencies, educational establishments, and healthcare providers experienced ransomware attacks at a potential cost in excess of $7.5 billion.” Phillips-Hill sees her state-level bill as a way to take the target off Pennsylvania’s back.
Although this strategy is well-intentioned, it does beg the question: Do ransomware attackers really care which states have laws against paying ransoms? It seems unlikely that these bad actors are that discerning.
Proposed federal legislation
Cyber Incident Notification Act of 2021—Alongside Sen. Marco Rubio (R-FL) and Sen. Susan Collins (R-ME), Sen. Mark Warner (D-VA) has put forth the Cyber Incident Notification Act of 2021. As Warner says in a recent Axios interview,
“As we have this debate about ransomware, let’s at least make the payments more transparent.”
Warner’s bill proposes mandatory reporting for federal contractors, government agencies, and “critical infrastructure owners and operators,” such as businesses involved in energy, manufacturing, and finance. Warner has made it clear that reporting will be kept confidential, and he’s vowed to give businesses immunity—as long as they report. As an aside, it is technically illegal to pay ransoms to entities that have been sanctioned by the U.S. government, and this likely happens quite frequently. As Warner explains,
“Congress needs to act. What I’m working on now—and this topic is bipartisan…we are working on a bill that would require mandatory reporting if you are a critical infrastructure company or a federal government contractor or the government itself. There would be mandatory reporting to the government so law enforcement and our private sector partners—the cloud providers, the cyber defense firms—can all hear mid-stream.”
It remains to be seen how Warner’s bill will be received, but it does seem to be a step in the right direction.
Study on Cyber-Attack Response Options Act—Another bipartisan bill has been proposed by Sen. Sheldon Whitehouse (D-RI) and Sen. Steve Daines (R-MT). This bill, tentatively titled the Study on Cyber-Attack Response Options Act, would allow private companies to retaliate against bad actors. As it stands now, only the US government has the legal authority to go on the offensive against ransomware criminals; however, Whitehouse and Daines wonder if this should be changed.
If it were up to them, they’d like to see the Department of Homeland Security conduct a study to determine whether or not private entities should be allowed to retaliate against cybercriminals.
Whitehouse and Daines are asking DHS to recommend 1. Which federal agency or agencies may authorize proportional actions by private entities. 2. What level of certainty regarding the identity of the attacker is needed before such actions would be authorized. 3. Which entities would be allowed to take such actions and under what circumstances. 4. What actions would be permissible; and 5. What safeguards should be in place. In a recent press release, Daines writes,
“The United States is home to some of the best and brightest technological minds in the world—we should be doing all we can to support them, not hold them back. The federal government should do more to empower the private sector to directly counter cyber threats from across the globe rather than tie their hands.”
Aside from mandatory reporting legislation and potential retaliation clauses, there is an additional question as to whether or not ransomware payments should be banned altogether.
Should the U.S. make it illegal to pay ransoms?
It is tempting to ban ransom payments altogether. After all, if companies were not allowed to pay out ransoms, there would be no incentive for bad actors to conduct ransomware attacks. However, this would likely make things worse. For many companies, it is far cheaper to pay the ransom payment than to rebuild their security networks. Of course, the type of company is significant; if a water treatment center or energy facility is breached, civilians could be without clean water or power for long periods of time. Ransomware is a serious issue to be sure—and one that the Biden administration is actively focused on.
As we learned from the Colonial Pipeline incident, there are times when it does make sense to pay the ransom, lest millions of Americans are stuck without access to gas. In that case, Colonial voluntarily reported the ransomware attack, and the Department of Justice and FBI were able to recover some of the ransom; in fact, they recovered 63.7 of the 75 Bitcoins that the Colonial CEO paid out.
In this instance, the encryption tools handed over did not work, so one could argue that paying the ransomware was not the right thing to do. However, alerting the authorities did pan out, and that is because they followed the money.
In the case of an attack, report the incident and follow the money
Other than Monero, which markets itself as a truly private, untraceable cryptocurrency, the majority of cyrptocurrencies can be tracked down. Simone Maini, the CEO of Elliptic—the London-based blockchain analysis software provider that tracked down the DarkSide privacy wallet—explains how her company helps find ransomware attackers. Speaking to Vorawan Wangpanitkul during a decentralized finance summit, Maini says,
“We estimate that 15% of all money laundering in Bitcoin involves the use of privacy wallets. Criminals will also try to convert transparent cryptocurrencies, like Bitcoin, into Monero—to help break the funds trail. And frequently that will involve exchanging funds in unregulated exchanges, in countries that have little or no regulation in place around crypto.”
Bad actors ask for the ransom payments in a transparent cryptocurrency, e.g., Bitcoin, and then they engage in “chain hopping,” which is essentially moving the currency from one blockchain to another, in an attempt to break the chain of traceability. Ideally, ransomware attackers want to receive Monero. As Maini says,
“In particular, we see this happening with ransomware attackers. They’ll rely on Monero, and the combination of unregulated exchanges, as part of their money laundering techniques.”
So, it seems that part of the ransomware solution may be to establish some international norms when it comes to ransomware response and cyrptocurrency regulation.
The U.S. government should continue to work with the private sector to track down ransom payments and identify attackers. To further this effort, companies should voluntarily report ransomware attacks. That said, not all companies should be mandated to report such attacks; only critical infrastructure companies and government agencies should be forced to report them. And last but not least, ransomware payments should not be made illegal.
Featured image courtesy of Sebastian Pichler/Unsplash