Hour glass and cryptocurrency in front of laptop showing ransomware payments

24, 48 or 72 Hours? New Bill Complicates Regulation of Ransomware Payments, Introduces Terms That Conflict With Existing Legislation Under Consideration

There are two pieces of legislation already in front of Congress that would set reporting requirements for ransomware payments, each proposing different time windows for different industries and company sizes. One would subject many companies to a 24-hour reporting requirement, another would set the window at 72 hours.

Amidst debate over whether even 72 hours is feasible for many organizations, Senator Elizabeth Warren (D-Mass.) and Representative Deborah Ross (D-N.C.) have jumped into the discussion with a new bill that lands in the middle at 48 hours. It also establishes a series of other reporting terms that could conflict with the existing bills that are already being considered, muddying the picture of what legislation will ultimately emerge from all of this.

Reporting requirements for ransomware payments no closer to consensus as new bill shoots for 48 hours

The Warren-Ross bill, entitled the Ransom Disclosure Act, not only sets the reporting requirement for ransomware payments at 48 hours but also appears to apply to any organization of any size (only “individuals” are excluded in the bill’s language). This differs from the two bills presently on the table, which set differing requirements for different industries (along the lines of their general relevance to national security) and companies that have more than 50 employees.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

The bill also differs in that it makes this the responsibility of the Department of Homeland Security (DHS), which is involved (along with other government agencies) in other proposals but is not necessarily a point agency.

Under the new bill, victims that opt to make ransomware payments would be required to disclose the amounts of ransom initially demanded and actually paid, the currency used to make the payment, and any information available about the identity of the criminal making the demand. The bill would protect the identities of companies that report ransomware payments, making information available to the public the following year but anonymizing it.

The bill would also task DHS with studying this collected information, preparing an annual report on the use of cryptocurrency in ransomware payments and commonalities among the attacks. DHS would be asked to provide recommendations for security measures alongside these findings.

Senator Warren spent the summer on a campaign against cryptocurrency, calling for heavy regulation of it on the basis of its use for ransomware payments and its energy use. Her arguments have seemed technologically naive at times, however, drawing tenuous connections between coal mining and crypto mining and claiming that “shadowy super coders” would control the money supply if it became a standard.

There has been robust debate about how the law should handle ransomware payments as of late, as attacks have increased considerably during the pandemic and attackers are showing more willingness to cause real-world damage. The US government has toyed with the idea of outlawing ransomware payments but has stopped short for now, only forbidding them to parties in embargoed countries and those on the Specially Designated Nationals And Blocked Persons (SDN) List. Companies can be fined if they make payments to sanctioned entities.

Callum Roman, Head of Threat Intelligence for F-Secure, sees potential loopholes in this bill should it be passed: “The legislation may run into issues on reporting based on how and where organizations decide to pay the ransom. If they organize payment through and intermediary will they have to report? If they pay the ransom from a company in their portfolio that is not under US jurisdiction (aka abroad) will they have to declare? There will always be ways round this type of legislation, but if constructed well it can have a positive impact on informing government of the real scope of the issue.”

Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, also points out that more information gathering has not always proved to be helpful when conducted in this particular way: “Mere information gathering about ransom payments will unlikely bring the desired results, as transactions on cryptocurrencies are oftentimes untraceable and non investigable. Thus, it would also be worthwhile to consider expanding the law to provide additional authority to existing law enforcement agencies, increase their cybersecurity budgets, provide free training and 24/7 support to the victims, and expand international cooperation in the investigation and prosecution of cybercrime. Countless cybercrime cases are never cleared because of slow or otherwise ineffective collaboration across different countries.”

Competing bills will require compromise

There is strong pressure for the federal government to take immediate and decisive action, given that attacks jumped by 158% in North America in 2020 and the FBI received a 20% increase in complaints. Ransomware attacks cost $29 million in 2020, with that number very likely to be dwarfed by the 2021 total.

One of the existing bills, sponsored by U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), would mandate reporting ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours for most businesses. However, certain types of organizations (such as state and local governments and businesses that oversee critical infrastructure) would be required to report within 24 hours.

An earlier bill introduced by Senator Mark R. Warner (D-VA) mandates reporting to both CISA and DHS also pushed for a 24-hour requirement for similar categories of organization. This prompted a backlash from various industry groups, which claim that the reporting window is not realistic for most businesses.

Two bills already in front of Congress. One with a 24-hour reporting requirement for #ransomware payments, another would set the window at 72 hours. A third now seeks a 48-hour limit. #cybersecurity #respectdataClick to Tweet

There is a general expectation that Congress will have to hash out the varying conflicting terms of these bills, with a final product being included in the National Defense Authorization Act for 2022. The House voted to approve its version of the act, which includes the Warner provision, in mid-September. The Senate is currently working on its own version, and the two chambers will have to come to agreement on a final version in the coming months.


Senior Correspondent at CPO Magazine