New York State may soon ban municipalities from paying ransomware demands in the event of a cyberattack.
State Senators Phil Boyle, George M. Borrello and Sue Serino introduced Senate Bill S7246 earlier this month, in response to the rising tide of cyberattacks targeting government agencies and municipal entities across the country. Some of these – such as Riviera Beach and Lake City in Florida – have paid the ransom, after remediation was deemed to be more expensive than shelling out to the hackers. Others, such as New Bedford, Mass., and the city of Atlanta, have ridden out the infection without paying up. In the latter case, the city ended up spending $2.6 million to recover, with expenditures for incident response and digital forensics, additional staffing and Microsoft Cloud infrastructure expertise.
Though cybersecurity experts have noted that the decision to pay or not to pay is a complex one, dictated by individual circumstances, budget and risk to data. The bill, S.B. S7246, proposes a blanket policy in New York State that’s aimed at removing the incentive for ransomware operators to keep targeting its agencies, towns and cities.
To accommodate the expected remediation costs, the bill proposes the creation of a “Cyber Security Enhancement Fund.” This would be earmarked for municipalities with populations of less than a million residents to upgrade their security postures.
“A small investment in local government cybersecurity now, can help stop cybercriminals from profiting on the backs of New York State taxpayers and protect important state and local government services from disruption,” reads the bill. “To incentivize these upgrades, the bill will prevent state and local governments from paying ransoms for ransomware attacks after January 1, 2022 by which time they should be able to sufficiently upgrade their cybersecurity systems.”
The investment should go into recovery contingencies, according to Adam Laub, CMO at STEALTHbits Technologies. This includes creating data backups (widely considered the best defense against a ransomware demands).
“[The funding] doesn’t necessarily mean they need to be able to detect and prevent an attack, but they certainly will need to be able to recover from one quickly and completely,” he told Threatpost. “That would mean increased funding and acquisition of talent or services, which the lack of is a major component as to why municipalities find themselves the target in the first place.”
A similar bill, proposed by State Senator David Carlucci, was also introduced this month. It would also ban municipalities from paying ransoms, but it omits the creation of the security fund. Both bills are in the early stages and have not yet made it to the floor of the Senate for debate.
Security expert response was mixed.
“The bill will need to be flexible to deal with critical or life-threatening situations,” Joseph Carson, chief security scientist at Thycotic, told Threatpost. “I believe such a bill could have positive outcomes – however, it could expect some unforeseen situations, so exclusions should also be considered. For companies to not have an option to pay ransoms must mean the only alternative option is to have a solid backup and business-continuity plan.”
The New York bills come on the heels of the U.S. Conference of Mayors last year declaring that it will no longer meet attackers’ ransom demands. And, the FBI has consistently maintained its stance that giving into ransomware attackers’ demands only encourages more crime; and, those that pay have no guarantee that they will actually be able to recover their data.
Carson warned however that ransomware attacks could take on a more pernicious nature in the wake of such a bill’s passage: “Criminals will not get paid for the cybercrime, so any ransomware targeting N.Y.-based companies means they will be destructive in nature,” he added.
Laub took a different tack: “You could make an argument that while this could potentially be perceived as antagonistic by the attacker, given the number of targets they have to choose from, they’re most likely to just continue to take the path of least resistance and turn their focus elsewhere,” he told Threatpost. “Taking this stance, however, means that these municipalities need to be better prepared for a successful compromise of their data.”
Not everyone was so positive about the development.
“There will be many unintended consequences from removing the decision-making from people who are paid to make decisions,” Colin Bastable, CEO of Lucy Security, told Threatpost. “Taxpayers are going to pick up the tab in lost services and bigger tax bills. Look how it worked out for Baltimore…rather than tie the hands of decision-makers, the politicians need to get out of the way and make sure that municipalities have the resources and skills to prevent ransomware attacks.”
He also pointed out that municipalities have a loophole, in the form of cyberinsurance: “Of course, insured municipalities can get around this, as they don’t pay the ransoms. The terms of their policies require that they cede control of the situation to the insurance company.”