New bill would mandate disclosure of ransomware payments

The bicameral legislation, introduced by Sen. Elizabeth Warren and Rep. Deborah Ross, would require disclosure about size, currency and more within 48 hours of payments.
By Mike Miliard
09:53 AM

[Photo: Sen. Elizabeth Warren (left) and Rep. Deborah Ross. Photos: Public Domain]

The new Ransom Disclosure Act, a bill introduced this past week by Sen. Elizabeth Warren, D-Massachusetts, in the Senate and Rep. Deborah Ross, D-North Carolina, in the House, would require more transparency around when and how ransomware payments are made to cybercriminals.

WHY IT MATTERS
The legislation aims to give the U.S. Department of Homeland Security "critical data on ransomware payments in order to bolster our understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat," according to Warren and Ross.

Among its chief requirements, the bill would mandate that organizations – but not individuals – that are targeted with ransomware disclose information about any ransom payments they make "no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom."

The law would also require the Department of Homeland Security to publicize information that had been disclosed to it over the past year (but not including any identifying information about the entities that paid up).

It also instructs DHS to set up a website to facilitate voluntary reporting of ransom payments, and calls on the DHS Secretary to launch a study on "commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity."

THE LARGER TREND
Warren and Ross note that ransomware attacks rose by 158% in North America between 2019 and 2020, and that the FBI received nearly 2,500 ransomware complaints this past year, with losses exceeding $29 million.

The bill comes as the federal government is getting much more serious about the scope and severity of the threat. It was unveiled the same week the U.S. Department of Justice said it would fine contractors for failing to report cybersecurity incidents, and months after DOJ announced it would elevate its ransomware probes to terrorism-level priority. The Biden administration has even said it would consider military action in response to certain ransomware attacks.

At HIMSS21 two months ago, a panel of cybersecurity experts debated whether or not to pay bad actors – and how to weigh the demands of data integrity and business continuity with the moral hazard of rewarding criminal cyberattacks.

"We need to outlaw ransom payments," said Alex Stamos, founding partner at Krebs Stamos Group and former security chief for Facebook and Yahoo. "Generally today, companies do not face legal sanction for this. You have the FBI saying please don't pay. But they have no way to really enforce that. And in the moment you're not going to take that advice."

"There's no broad legal prohibition in the U.S. against a company paying ransom, with one notable exception: It is illegal to pay ransom to a group, individual, nation-state or entity that's been sanctioned, either by the U.S., the United Nations or any other international body," said retired Admiral Michael S. Rogers, former director of the National Security Agency and former Commander of the U.S. Cyber Command. (Read our interview with him.)

"But whether you pay should be a different conversation than [whether you should be] talking to these individuals," Rogers added. "I always say you should be speaking to the criminals, for two reasons: One, it can give you time – time to help your defenses and help your organization respond – and two, it can sometimes be a source of insight into what this actor has done."

ON THE RECORD
"Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals," Warren said in a statement announcing the new Ransom Disclosure Act. "My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them."

"Ransomware attacks are becoming more common every year, threatening our national security, economy and critical infrastructure," added Ross. "Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions.

"The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back," she added. "The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
