Ransomware attack bill advances in Senate
Legislation that could result in a fine for businesses and government agencies that pay a ransomware demand has advanced in the state Senate.
That doesn’t mean the bill is in its final form, a fact Sen. Diane Savino, D-Staten Island and the bill’s sponsor, acknowledged during a recent meeting of the Senate Internet and Technology Committee.
“This is a continuing conversation,” Savino said. “We’re going to move the bill today. It’s going to Veterans and Homeland Security. I have a feeling there will be a couple of amendments before it gets to the floor.”
As currently written, S.6806A bans the payment of ransom in cyber-incidents by government entities, businesses or health care companies, or by another entity on their behalf, while requiring reporting of cyberattacks against government entities to the state Division of Homeland Security and Emergency Services. Those who pay a ransom could face a fine of up to $10,000.
It was the provision of a fine that prompted state Sen. George Borrello, R-Sunset Bay, to vote against the measure.
“If it was taxpayer money I would get that,” Borrello said. “You’re saying businesses in New York state, and that’s my money, and I have a problem with someone who doesn’t know the circumstances of the situation to say you cannot do it and you could face a penalty of $10,000.”
Savino said in her legislative justification that there are better uses of money for those dealing with cyberattacks than paying ransoms, including securing sensitive data, encrypting and backing up data, conducting regular cyber-security audits and training staff to avoid exposing networks.
A poll in late 2021 by the Pearson Institute and the Associated Press showed roughly 90% of Americans are concerned about hacking that involves their personal information, financial institutions, government agencies or certain utilities. About two-thirds say they are very or extremely concerned. Roughly three-quarters say the Chinese and Russian governments are major threats to the cybersecurity of the U.S. government, and at least half also see the Iranian government and non-government bodies as threatening.
The broad consensus highlights the growing impacts of cyberattacks in an increasingly connected world and could boost efforts by President Joe Biden and lawmakers to force critical industries to boost their cyber defenses and impose reporting requirements for companies that get hacked. The poll comes amid a wave of high-profile ransomware attacks and cyber espionage campaigns in the last year that have compromised sensitive government records and led to the shutdown of the operations of energy companies, hospitals, schools and others.
In New York City recently, an attack on third-party software vendor Illuminate Education didn’t result in canceled classes, but teachers across the city couldn’t access grades. Local media reported the outage added to stress for educators already juggling instruction with enforcing COVID-19 protocols and covering for colleagues who were sick or in quarantine.
Borrello didn’t take issue with the need to deal with cyberattacks, but instead argued for flexibility in Savino’s proposal.
“I just have a hard time explaining to my businesses in my district that this is something that is appropriate,” Borrello said. “I agree with you it’s the federal government that should be doing something about this. By saying we’re going to come in and say your hands are tied, I know people that have had their systems shut down, not their data stolen. For a $500 ransom they could get back into business. I can’t see the threat of you can’t pay the $500 to get your business back up and running. I’m in the seasonal restaurant business. If my (point-of-sale) system shut down on a beautiful July Sunday and they want $500 to turn it back on and it’s going to cost me $30,000 not to in lost revenue, I can’t see restricting our businesses that way.”
One of the cyber incidents with the greatest consequences this year was a ransomware attack in May on the company that owns the nation’s largest fuel pipeline, which led to gas shortages along the East Coast. A few weeks later, a ransomware attack on the world’s largest meat processing company disrupted production around the world.
Victims of ransomware attacks have ranged from key U.S. agencies and Fortune 500 companies to small entities like Leonardtown, Maryland, which was one of hundreds of organizations affected worldwide when software company Kaseya was hit by ransomware during the Fourth of July weekend.
Biden has made cybersecurity a key issue in his young administration and federal lawmakers are considering legislation to strengthen both public and private cyber defenses.
“Quite honestly the federal government should be stepping up to do more but they’re not,” Savino said. “… I understand the complications of, ‘What would a business do, how would a school district be able to retrieve its data?’ The truth of the matter is most of the time they can’t retrieve it anyway even if they pay the ransomware. When we speak to our counterparts at the federal level, particularly the FBI, their response is don’t pay it because you’re aiding and abetting a terrorist organization. Obviously that’s not a solution either. The question is, is the passage of bills like this banning the payment of ransomware, will New York become less of a target to cybercriminals if they realize they can’t get paid or they won’t get paid. It’s a valid question.”