Should Disclosure of Ransom Payments be Mandatory?

As ransomware wreaks havoc across the globe and criminal entities continue to fill their coffers with ransom payments, legislators search for a way to stem the tide. The average ransom paid is $136,576, according to Coveware, whose analysis also noted that 75% of ransomware attacks were against companies with fewer than 1000 employees. Perhaps the most telling statistic is that the average disruption suffered by a company hit by a ransomware attack is 23 days. The FBI estimates that 25% to 30% of ransomware attacks are never reported, according to Bryan Vorndran, assistant director of the FBI’s cyber division, in testimony before the U.S. Senate Judiciary Committee in late July.

While the average ransom paid is less than $150,000, it’s the larger ransoms that grab headlines and garner the attention of lawmakers, most recently the Colonial Pipeline ($4.4 million) and JBS USA ($11 million). It was these attacks that served as a catalyst for President Biden’s cybersecurity executive order and his unambiguous demand that Russian Federation president Putin clean up the cybercriminal activities originating from Russia.

United States Ransom Legislation

In late July 2021, the Cyber Incident Notification Act of 2021 was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL) and Susan Collins (R-ME) of the Senate Select Committee on Intelligence. If this legislation is passed, it will require “federal agencies, government contractors and critical infrastructure owners and operators to report cybersecurity intrusions within 24 hours of discovery.”

Also in late July, the Judiciary Committee hearing America Under Cyber Siege: Preventing and Responding to Ransomware Attacks was held to discuss how best to address ransoms and ransomware. Testifying at the hearing were Vorndran of the FBI, Eric Goldstein, executive assistant director for the Cybersecurity and Infrastructure Security Agency at DHS, Richard Downing, deputy assistant Attorney General, Criminal Division, and Jeremy Sheridan, assistant director, Office of Investigations of the Secret Service.

Goldstein noted how important it was that victims of ransomware immediately report the incident to both law enforcement and CISA. In doing so, CISA is positioned to provide “technical guidance to help an organization effectively recover and develop alerts to help protect other possible victims.”

Vorndran, in his prepared remarks said, “regardless of whether or not a victim chooses to pay, the FBI strongly encourages victims to report ransomware incidents to the FBI.” He also made it clear that payments of ransom should not be banned.

Sheridan, speaking on behalf of the Secret Service, also supported a reporting requirement and noted that the “insurance industry will likely play a key role in both enhancing incident reporting and raising organizational defenses.”

Downing suggested at the hearing that three areas needed to be addressed legislatively to better combat ransomware, including statutory reporting:

  • Prompt reporting of specific computer intrusions as a means of preventing them elsewhere
  • Improving the ability to disrupt criminal activity
  • Enhancing the ability to prosecute offenders and improving the effectiveness of such prosecutions

He continued, “The administration strongly supports congressional action to require victim companies to report significant breaches, including ransomware attacks.”

The timing of the congressional hearing and the introduction of federal legislation to mandate reporting of ransomware incidents follows the actions of a few states that already have legislation concerning cybersecurity incidents, including ransomware attacks, on the books. Louisiana passed legislation in July that requires managed service providers (MSPs) and managed security service providers (MSSPs) to register with the state, provides public investigative access to the MSP or MSSP, and requires MSPs and MSSPs to report cybersecurity incidents and any payment of ransom or ransomware. New York, North Carolina and Pennsylvania legislators are all considering making the payment of ransoms following a ransomware attack illegal.

Legislative action isn’t limited to the United States. An example can be found in the contemporaneous discussions occurring in Australia.

Australia’s Law

Australian government analysts estimate that the cost of ransomware to the Australian economy is over $1 billion. The Australian Cyber Security Centre (ACSC) has characterized ransomware as the most dangerous cybersecurity threat facing Australian businesses. As such, member of parliament Tim Watts introduced a bill (Ransom Payments Bill 2021) to make payments of ransoms a mandatory reporting event for Commonwealth entities, state or territory agencies, corporations and partnerships. The bill does not forbid the payment of ransom; it does, however, make it mandatory to provide details to the government if an organization does pay a ransom. The bill would require that details of the ransomware attack be provided to the Australian Cyber Security Centre which, in turn, will:

  • Share de-identified information to the private sector through the ACSC threat-sharing platform.
  • Collect and share information that may be used by law enforcement.
  • Collect and share information to inform policymaking and to track the effectiveness of policy responses.

What does the future hold?

In the United States, given bipartisan support at the federal level, companies should expect to see legislation passed with respect to cybersecurity incidents that includes a reporting requirement if organizations pay a ransom. The ability to quietly pay the ransom will largely disappear. On a state level, legislators are leaning toward outlawing the paying of ransoms. Given that few, if any, companies can afford the loss incurred by 23 days of disruption due to a ransomware attack, the public-private partnership involving CISA and the FBI will become all the more important in enhancing cybersecurity.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
