Debate Over Whether to Pay After Ransomware Attacks
The two bills come after some high-profile ransomware attacks in the state over the past two years, including against the Monroe-Woodbury Central School District and libraries across Onondaga County. On Christmas Day 2019, the Albany International Airport was targeted by a cyberattack, rendering the airport inoperable, Carlucci notes in his bill.
“Those responsible for the attack demanded a ransom in exchange for the return of data and restoration of the airport’s systems,” the bill notes. “In desperation, Albany International Airport complied, paying an undisclosed amount reported to be under $100,000.”
Carlucci’s bill argues that “when municipal corporations and government agencies comply with these ransoms, they incentivize” cyberattackers who aim to make a quick profit. Prohibiting municipalities from complying with ransom requests “will remove this incentive and safeguard taxpayer dollars,” the bill states.
As ZDNet reports, “this is the first time that state authorities have proposed a law that explicitly forbids paying the ransom following a ransomware attack.”
According to a December 2019 survey from Panda Security, 86 percent of Americans believe their local government should not pay the ransom on a ransomware attack. The survey, which was conducted using Google Consumer Surveys, had a sample of 1,000 respondents in the United States and ran in November 2019.
Cybersecurity firm Recorded Future found that while ransomware attacks against governments have been on the rise, the vast majority of governments aren’t paying the ransom. The firm’s analysis showed only 17.1 percent of state and local government entities paid the ransom, and 70.4 percent confirmed that they didn’t pay the ransom.
Bill Siegel, CEO and co-founder of Coveware, a cybersecurity company that helps victims recover from ransomware attacks and has helped entities negotiate payments, tells ZDNet that he does not think the legislation “will staunch attacks on NY based municipal organizations in the short term; it may even increase them as ransomware distributors may try to test the resolve of these organizations.”
“If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered,” Siegel tells ZDNet.
First, lawmakers should consider what would happen if a municipal hospital were attacked and whether downtime would cause loss of life that could have been prevented if a payment had been made. Secondly, lawmakers need to consider whether municipalities have enough staff and budget for adequate disaster recovery plans, backup systems and security programs “to effectively repel and recover from an attack without creating material interruption to civic operations.”
For many public sector organizations eager to restore services to citizens and continue mission-critical work, paying the ransom may seem like the best option. For example, Jackson County, Ga., gave in to its attacker’s demands for $400,000 for decryption keys in March 2018.
Leaders in Lake City, Fla., opted to let an insurer pay a $460,000 ransom on the city’s behalf. The insurance company argued that paying up would save both the city and its insurer hundreds of thousands of dollars, if not millions, in downtime costs.
However, if New York lawmakers are able to pass the new bills, municipalities will not be able to tap taxpayer funds to bail them out of ransomware attacks.