The issue of banning ransomware payments has been contentious and hotly debated in governments throughout the world in the last few years, particularly as the problem seemed to grow out of control during the Covid-19 pandemic. In the US, the federal government has come down on the side of allowing payments but adding increasingly stringent incident reporting requirements to get law enforcement involved as fast as possible.
As with the issue of data privacy regulations, some states have decided to take their own approach. Pennsylvania was the first in January of this year, with the state Senate passing a ban that prohibits agencies or organizations that receive taxpayer funds from making ransomware payments (the bill remains before the state House awaiting a vote). North Carolina added a comprehensive ban on local and state agency ransomware payments in May, followed by a similar measure in Florida in July. New York, Texas, Arizona and New Jersey have also had bills of this nature recently come up for consideration.
State bans on ransomware payments vary in scope, requirements
Thus far the states are not attempting to compel private organizations to reject ransomware payments; the focus is on government agencies in the states that have passed such laws. However, at least one of the bills under consideration (in New York) would extend these rules to non-government entities.
While the existing state laws put broad prohibitions on ransomware payments by government entities, they do have some small differences. Florida’s CS/HB 7055 amends the existing State Cybersecurity Act to prohibit payment or compliance with ransomware demands made to government agencies. Victim agencies are given a mere 12 hours to notify the Florida Cybersecurity Operations Center as well as specific law enforcement entities after discovery of such an incident. Incidents that are “severe” or “emergency-level” must also be reported to the state House and Senate during this period. And an “after action” report must be delivered to the Florida Digital Service one week after remediation.
The Florida bill also introduces new security standards for local government agencies, to be implemented by 2025 and based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The North Carolina bill is quite similar, though a little less demanding in its terms. The ban focuses exclusively on ransomware payments in cases where data has been encrypted; it is not clear whether cases of data extortion not involving encryption would also be covered. It also gives agencies 24 hours to report attacks to the North Carolina Department of Information Technology, and does not create new cybersecurity requirements other than the appointment of an IT liaison to the State CIO and expanded mandatory annual security awareness training for all personnel.
The bills that are under consideration in Pennsylvania, Arizona and Texas are all very comparable to the one passed in North Carolina, though Texas does not put a reporting time limit on incidents. The one being considered in New York, SB 6806, would ban ransomware payments entirely, even for private companies. However, the maximum proposed penalty for violating the law is a fine of only $10,000; victims of ransomware attacks in the US now pay an average of over $6 million per incident, not to mention potentially additional tens of millions in total remediation costs.
Effectiveness of bans on ransomware payments still largely untested
The state bans on ransomware payments put a variety of new responsibilities on the agencies they impact; for example, with just 12 hours to report an incident in Florida, agencies will need to ensure that their incident response plans are documented and tested and that a regular backup schedule is maintained.
Rules such as these are designed to spur exactly this enhanced state of vigilance, but at present there are very few real-world test cases to demonstrate that bans on ransomware payments actually reduce instances of ransomware compromise. Recent incidents, such as a string of attacks on local governments in Texas, demonstrate that smaller agencies often do not even have the budget available to effectively prevent and remediate ransomware attacks.
The primary reason that bans on ransomware payments remain relatively rare is that payment is simply the fastest and cheapest way out for many victims; some have no alternative other than catastrophic failure or a rebuild process that could cost a much greater amount of money. If these measures are not accompanied by mandates that ensure damage caused by an attack is minimized (such as backup and data encryption requirements), there is little reason to believe that payment bans actually lead to an overall positive outcome.
John Gunn, CEO of Token, falls on the pro-payment side of this argument but notes that successfully removing payment incentives is likely to cause attackers to pivot to even more destructive attacks (a situation not necessarily to the benefit of government agencies in particular): “New laws that will prohibit government agencies from paying ransomware will significantly reduce the number of attacks on these organizations. Almost all attacks are for financial gain and when you take that away, hackers will shift their efforts to targets with higher ROI, like any smart business would. Government agencies will still be targets for attacks where the primary purpose is to damage or cripple US infrastructure, which is the goal of many attacks sponsored by nations that are enemies of the US.”