Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross’ (D-N.C.) ransomware bill, the Ransom Disclosure Act, victimizes ransomware targets again by forcing them to disclose that they’ve made the payment.
While the bill does remove company details from the annual reports that it requires the Department of Homeland Security to produce, it doesn’t protect the required reports from Freedom of Information Act requests or other forms of disclosure. It also may exacerbate breaches, as some operators threaten to post victim’s data if they inform law enforcement. Companies are forced to choose between protecting their employees and customers data or protecting themselves from federal enforcement.
Arguably, the data could be useful. Even without federal reporting, experts estimate that ransomware attacks have increased by 72 percent during the pandemic. Ransomware has become such an industry that ransomware groups are now, themselves, being targeted by other criminals. Many of the targets have been critical infrastructure providers such as the food, gas, water, hospitals and transportation industries. Local governments and even schools have been targeted. However, the exact number of ransoms and the total cost to the economy can only be projected, due to a lack of data. This is the very data that Warren and Ross seek to obtain.
The federal government has already taken a strong stance towards trying to disrupt ransomware operators. The U.S. Treasury threatened to sanction financial, insurance and other firms that facilitate ransomware payments and those that make payments to sanctioned entities. Executive orders, also, already require government contractors and pipeline owners to report ransomware attacks to the Department of Homeland Security.
These measures, though, may actually lead to more confusion. Victims may fear that paying a ransomware bribe is illegal or fear involving law enforcement. If required to report only payments, firms may make decisions that put their employees’ and customers’ data at risk to avoid bad press. Moreover, the act does nothing to resolve the recent issue where victims were paying ransoms while the FBI secretly held a ransomware’s decryption key. In fact, the FBI involvement likely led to victims who had just paid the ransom being left with the unlock key, when the criminals went underground. Notably, both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) already have online forms to report ransomware related incidents, which didn’t help in this instance.
In virtually all other areas, we don’t force victims of crimes to report being victimized to the police, if they don’t want to. A homeowner (or office building operator) would, thus, not be threatened with penalties for not reporting being burglarized and a rape victim would not face possible fines or jail time for not reporting being raped. In instances where voluntary reports are made, they are protected. Laws shielding rape victims are among the strongest in this area. Ransomware, if it is clear that no data has been exfiltrated, should be no different. This is a notably different situation from a data breach, where other victims — those whose data was stolen — may not learn about it without mandatory reporting.
While data would be helpful, the benefit of knowing more about the problem pales in comparison to the potential impact to companies from the disclosure of the required reports. Even more problematic is the risk that companies may decide to not pay the ransom due to the reporting requirement, resulting in employees’, customers’ and others’ data being compromised and the organization’s operations being impaired or suspended — just to provide the federal government with a bit more information.
The federal government can and does have a role to play in preventing ransomware attacks. It can step up its efforts to apprehend ransomware groups through worldwide enforcement activities and by developing enforcement and extradition treaties with areas where these groups are known to be located. With better enforcement in place, the government can incentivize victims to make disclosures by offering to help recover the funds for the companies.
The federal government can also set up a program for companies — particularly small and mid-size firms — that may not have ransomware insurance that encourages disclosure. The government could offer to pay ransoms for firms that participate in enforcement activities. This protects the personal data held by these firms and also helps with enforcement.
It could also provide resources to insurance companies. Insurance companies that are paying millions of dollars out in these ransom payments have significant incentive to help companies avoid and respond to ransomware demands. The federal government could help them to better prepare their policyholders to avoid getting ransomware demands in the first place. It could also offer response resources.
Finally, the federal government could also invest in research related to all areas of the ransomware threat — from psychological and sociological studies to understand the phenomenon to supporting the development of ransomware mitigation and response technologies.
Forcing companies to disclose being victims of a crime that doesn’t have other victims is not good policy and is inconsistent with most other crime victim treatment standards. If disclosure is required, despite this, it must include absolute legal protections against disclosure beyond the government and de-identification of the organizations mentioned in the reports as quickly as possible.
A better approach is a holistic federal policy that targets the perpetrators of ransomware crimes instead of the victims and which incentivizes technical development and offers businesses and insurers resources (such as treaty-based international enforcement) that the federal government is uniquely positioned to offer. Companies and federal agencies should work as partners in combating ransomware, as it is a threat to businesses as well as the nation, instead of the government further victimizing corporate ransomware targets.
Zahid Anwar is an associate professor in the Department of Computer Science at the North Dakota State University and a NDSU Challey Institute Faculty Scholar. Jeremy Straub is the director of the NDSU Institute for Cyber Security Education and Research, a NDSU Challey Institute Faculty fellow and an assistant professor in the NDSU Computer Science Department. The authors’ opinions are their own.