N.Y. Could Ban Cities from Paying Ransomware Attackers

State senators have issued proposals they say would encourage municipalities to upgrade their cyber-postures.

New York State may soon ban municipalities from paying ransomware demands in the event of a cyberattack.

State Senators Phil Boyle, George M. Borrello and Sue Serino introduced Senate Bill S7246 earlier this month, in response to the rising tide of cyberattacks targeting government agencies and municipal entities across the country. Some of these – such as Riviera Beach and Lake City in Florida – have paid the ransom, after remediation was deemed to be more expensive than shelling out to the hackers. Others, such as New Bedford, Mass., and the city of Atlanta, have ridden out the infection without paying up. In the latter case, the city ended up spending $2.6 million to recover, with expenditures for incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise.

Cybersecurity experts have noted that the decision to pay or not to pay is a complex one, dictated by individual circumstances, budget and risk to data. Nonetheless, the bill, S.B. S7246, proposes a blanket policy in New York State that’s aimed at removing the incentive for ransomware operators to keep targeting its agencies, towns and cities.

To accommodate the expected remediation costs, the bill proposes the creation of a “Cyber Security Enhancement Fund.” This would be earmarked for municipalities with populations of less than a million residents to upgrade their security postures.

“A small investment in local government cybersecurity now, can help stop cybercriminals from profiting on the backs of New York State taxpayers and protect important state and local government services from disruption,” reads the bill. “To incentivize these upgrades, the bill will prevent state and local governments from paying ransoms for ransomware attacks after January 1, 2022 by which time they should be able to sufficiently upgrade their cybersecurity systems.”

The investment should go into recovery contingencies, according to Adam Laub, CMO at STEALTHbits Technologies. This includes creating data backups (widely considered the best defense against ransomware demands).

“[The funding] doesn’t necessarily mean they need to be able to detect and prevent an attack, but they certainly will need to be able to recover from one quickly and completely,” he told Threatpost. “That would mean increased funding and acquisition of talent or services, which the lack of is a major component as to why municipalities find themselves the target in the first place.”

A similar bill, proposed by State Senator David Carlucci, was also introduced this month. It would also ban municipalities from paying ransoms, but it omits the creation of the security fund. Both bills are in the early stages and have not yet made it to the floor of the Senate for debate.

Security expert response was mixed.

“The bill will need to be flexible to deal with critical or life-threatening situations,” Joseph Carson, chief security scientist at Thycotic, told Threatpost. “I believe such a bill could have positive outcomes – however, it could expect some unforeseen situations, so exclusions should also be considered. For companies to not have an option to pay ransoms must mean the only alternative option is to have a solid backup and business-continuity plan.”

The New York bills come on the heels of the U.S. Conference of Mayors last year declaring that it will no longer meet attackers’ ransom demands. And the FBI has consistently maintained its stance that giving in to ransomware attackers’ demands only encourages more crime; those that pay also have no guarantee that they will actually be able to recover their data.

Carson warned however that ransomware attacks could take on a more pernicious nature in the wake of such a bill’s passage: “Criminals will not get paid for the cybercrime, so any ransomware targeting N.Y.-based companies means they will be destructive in nature,” he added.

Laub took a different tack: “You could make an argument that while this could potentially be perceived as antagonistic by the attacker, given the number of targets they have to choose from, they’re most likely to just continue to take the path of least resistance and turn their focus elsewhere,” he told Threatpost. “Taking this stance, however, means that these municipalities need to be better prepared for a successful compromise of their data.”

Not everyone was so positive about the development.

“There will be many unintended consequences from removing the decision-making from people who are paid to make decisions,” Colin Bastable, CEO of Lucy Security, told Threatpost. “Taxpayers are going to pick up the tab in lost services and bigger tax bills. Look how it worked out for Baltimore…rather than tie the hands of decision-makers, the politicians need to get out of the way and make sure that municipalities have the resources and skills to prevent ransomware attacks.”

He also pointed out that municipalities have a loophole, in the form of cyberinsurance: “Of course, insured municipalities can get around this, as they don’t pay the ransoms. The terms of their policies require that they cede control of the situation to the insurance company.”

Discussion

  • Thomas Yohannan

    Ransomware attacks on IT functions of municipalities are not new. However, as IT is enhanced, better forms of data capture are created for a municipality's citizens. This data is oftentimes PII so while a ban on ransomware may be a deterrent, the increased value of data may certainly increase the monetary value of subsequent attacks. The perspective that this regulation is taking is that ransomware attacks are systemic issues and not situational problems.
  • Threatpost reader

    I think that this bill has potential to do more harm than good. There are always going to be some municipalities that don't have a proper cyber security plan in place, which would lead to the potential loss of confidential information and assets. I believe this law might even provoke hackers to look for vulnerabilities in NY because they would know that NY is basically screwed when it comes to getting the information back. This law actually seems like a sure way to bring a city to a complete halt.
  • Brian Healey

    If you want to stop ransomware, ban Bitcoin altogether. All cryptocurrency, and now; put a stop to all of it.
  • Anonymous

    Why don't you write a bill to fully fund cybersecurity?
