Written by Benjamin Freed
A law enacted in Florida earlier this month made that state the second to ban public entities from paying claims for ransomware.
The new law, passed by lawmakers who had seen several Florida cities paying six-figure bounties for recovering encrypted data, says any statewide agency, county government or municipality affected by ransomware malware is subject to “a ransom demand not pay or otherwise comply. In passing the law, Florida followed North Carolina, which passed a similar law in April, banning public sector organizations from engaging in financial transactions with ransomware actors.
Lawmakers in at least four other states — Arizona, New York, Pennsylvania and Texas — are considering bans of their own.
But even if states take these steps in yet another attempt to contain a nagging threat to government operations and data security, cybersecurity practitioners and legal experts have doubts that payment bans will be an effective deterrent.
“It’s such a recent development, we just don’t know yet,” Elise Elam, an attorney in the cybersecurity practice at law firm BakerHostetler, told StateScoop. “It’s just too recent to get any sense of whether it will be a deterrent for ransomware actors to target these government agencies.”
“I just don’t see it working”
Brett Callow, an analyst at antivirus firm Emsisoft, who has spent the past few years tracking ransomware incidents targeting the public sector, doubts the Florida and North Carolina laws will have much of an impact.
“Localized bans limited to the public sector only?” he said. “I just don’t see it working.”
Ransomware operators, Callow said, aren’t likely to victimize state and local governments just because of a new law. And since most hail from non-English speaking parts of the world, sometimes ransomware actors are unable to distinguish between public and private organizations.
“Perhaps they are not aware that something called ‘company’ is not a corporation in the usual sense, but a public corporation,” he said.
But the public sector remains a prime target, a fact Callow says was underscored in June 2019 when the Florida cities of Riviera Beach and Lake City each paid about half a million dollars to recover data and systems used by connected Enterprises had been encrypted of the Ryuk outfit.
“I think those two payments made it clear to the attackers that the public sector is a potentially lucrative target,” Callow said.
Some states are trying to protect their communities, but those efforts could nullify agreements with cybersecurity insurers — or backfire completely by making companies not covered by the bans even more vulnerable. For insurers, the cost of a ransom is often cheaper than the cost of rebuilding an encrypted network and replacing infected technology. Meanwhile, cyber insurance premiums have been rising for years, fueled by a relentless surge in claims from ransomware victims.
“It will be necessary to restructure this relationship,” said Benjamin Wanger, an attorney for BakerHostetler, who recently co-authored a blog post with Elam on Florida law. “If government agencies cannot pay the ransom, the risks could be greater [insurers] long-term. The hope is that government agencies will become less of a target.”
But Callow said ransomware actors could respond by increasing their pressure on companies unaffected by payment bans.
“Possibly this could lead to an increase in attacks on solvent companies,” he said.
All prohibitions are not created equal
Payment bans have been a divisive concept in the cybersecurity community. The White House-backed Ransomware Task Force, which released a detailed report on the global threat last year, said payments “should be prevented as much as possible” but couldn’t agree on whether outright bans are the ideal policy.
And the legislation behind the bans varies from state to state: North Carolina’s ban, implemented under a recently passed state budget, affects the entire public sector, including the legislature and judiciary, K-12 schools and the University of North Carolina. Florida does not include educational institutions, although it does require a 12-hour window for state and local governments to report attacks to IT and law enforcement officials.
Wanger said it’s reasonable to exempt schools, particularly K-12 districts, from a payment ban given the services they provide and the amount of data they hold on children and families. The Judson Independent School District in Texas paid nearly $550,000 last summer to decrypt its systems and prevent the release of stolen student and staff information, one of many incidents in which K-12 organizations gave in to financial demands from hackers .
“Given the importance of schools, we cannot afford to have to rebuild all of their systems,” he said.
Payment bans aren’t necessarily an unchanging rule: A bill passed by the Pennsylvania Senate earlier this year would ban the use of taxpayer money to settle a claim, but would allow exceptions “in the event of a declaration of a disaster emergency” by the governor’s office.
The two ransomware ban laws have already passed in North Carolina and Florida, and the few others being considered in statehouses elsewhere are still brand new, untested tools in an ongoing battle. They could encourage greater adoption of protection strategies like multi-factor authentication, endpoint detection tools, and offline backups, say Elam and Wanger.
“What will really tell is whether it works and has the desired effect, only time will tell,” Elam said.