Any state, city, or local government that is not thinking seriously about how to protect itself from ransomware has not been paying attention.
Over the course of the past two years, Atlanta, Baltimore, Albany, and Pensacola, among many other cities, have fallen victim to these attacks, in which hackers encrypt their computer systems, snarling all online operations in the city, and demand massive cryptocurrency payments to restore the targeted infrastructure to working order. Last month, New Orleans declared a state of emergency in the wake of one such attack.
But it’s not clear that government officials are learning the right lessons from these attacks about how to secure their citizens and online infrastructure. Never was this more apparent than in January, when the Maryland state senate introduced a bill that would make it illegal to possess ransomware with the intent to distribute or use it on other people’s computers. It’s a largely unnecessary policy change given that it’s already illegal to carry out ransomware attacks — the only thing that would change is that the possession of ransomware code, even if it hasn’t been distributed, could become a misdemeanor, carrying penalties of up to 10 years of imprisonment and/or fines up to $10,000. Other violations outlined in the bill carry higher fines and penalties.
Undoubtedly, people who deliberately distribute ransomware should be heavily penalized, but most of the people in possession of ransomware never wanted that code on their computers in the first place. Most of them would probably not be affected by this bill, since most ransomware victims presumably do not intend to use the code that infected them against other people, even if their devices do inadvertently spread it to others. But it still seems ill-advised to criminalize possession of code that is designed to spread rapidly from computer to computer. Another concern is that the bill offers only limited exceptions to cybersecurity researchers who are studying ransomware for the purposes of figuring out how to better protect against it.
But the biggest problem with the bill is that it won’t help. The major cybercrime organizations that are developing ransomware programs and distributing them in bulk are not based in Maryland — or anywhere in the United States. Ramping up penalties for possession of ransomware with an intent to distribute is a purely symbolic gesture for the Maryland state legislature. And worse than that, it’s a waste of their time.
Maryland policy makers are not wrong to view themselves as playing a vital role in protecting the state from further ransomware attacks. State legislatures should take steps to protect their systems. These steps should include:
- Regulations mandating regular security audits of municipal IT infrastructure; backups of critical databases; and plans for how to restore online systems in the event of an attack.
- Drills to test those plans, in which skilled testers are brought in to try to penetrate critical government computer systems within the state and identify any vulnerabilities and problems.
- Splitting computer networks into segments so that a ransomware infection on one device or server cannot spread easily across the rest of the system.
- Most important, states must help fund these initiatives.
Regulation and policy-making is critical to improving cybersecurity for state, city, and local governments, and the slew of ransomware attacks directed at government systems in the past two years should have motivated a wave of new policies that will help mitigate these risks. Yet instead of focusing on how they can help public agencies bolster their security and incident-response tactics, many government officials — and not just in Maryland — seem to have looked for ways to offload their own cybersecurity responsibilities.
For instance, several cities purchased cyber-insurance policies in the wake of their own ransomware incidents — or after reading about those suffered by other towns. Last year, Lake City, Fla., paid a bitcoin ransom worth roughly $460,000, of which their insurer covered all but $10,000. Following its own ransomware attack, Baltimore last year purchased $20 million in cyber-insurance as well, including coverage for “network extortion.” These policies help cover the costs of paying ransom demands, lessening the financial drain on the targeted city. However, an unintended consequence is that it ensures ransomware will continue to be a lucrative endeavor for the attackers, funding future criminal enterprises.
If states want to take the threat of ransomware seriously, they should focus on investing in network and device security measures, contingency backup plans, and simulated emergency and attack exercises. Finding new ways to punish people outside of their jurisdiction, or pay their attackers, is, at best, a waste of their resources and, at worst, actively harmful.
Josephine Wolff is an assistant professor of cybersecurity at the Fletcher School at Tufts University and author of “You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.”