It sounds like a classic case for declaring: “There oughta be a law!”
Not only are ransomware attacks continuing to spread like wildfire, but according to analysts, they are also costing more, lasting longer and their victims are taking longer to recover.
And government entities at all levels are frequently the targets. The Emsisoft Malware Lab reported that in 2019 alone there were ransomware attacks on at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5 billion.
So yes, government should play a role in fighting ransomware. It could do so by hardening the security of its digital infrastructure and training its employees how to spot social engineering attacks.
But passing a new law to outlaw it? Not so much. The most recent Exhibit A: The state of Maryland.
As you may be aware, Maryland has good reason to be “mad as hell and not going to take it anymore” about ransomware, given that its largest city, Baltimore, has spent something north of $18 million to recover from a ransomware attack last May that used the notorious RobbinHood variant.
So, on its face, Senate Bill 30, which would prohibit the possession of ransomware “with intent” to hack into the “computer, computer network, or computer system of another person without the authorization of the other person,” might seem long overdue.
A law of unintended consequences
It’s just that you don’t have to get too deep into the weeds to see that it could generate multiple unintended consequences.
For one thing, ransomware attacks are already illegal. Unfortunately for the victims, they are usually conducted by criminal gangs in other parts of the world that are beyond the reach of any U.S. federal or state law enforcement.
Naked Security’s Lisa Vaas sardonically noted that making it “more illegal” is unlikely to protect Baltimore or any other entities any more than they are now, which is not much.
Josephine Wolff, an assistant professor of cybersecurity at Tufts University, called it a “purely symbolic gesture” in a recent Boston Globe op-ed, adding, “worse than that, it’s a waste of their time.”
And while the proposal’s stated intent is to immunize researchers or others who might possess ransomware for ethical reasons — to help disclose and patch vulnerabilities to it — the current language of the law doesn’t do very well in carving out that exemption.
As Ars Technica noted, the paragraph that prohibits the mere possession of ransomware is followed by an all-caps exemption, stating that the ban “DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES.”
But other paragraphs, covering the “unauthorized intentional access” of networks, systems, databases etc. to “cause the malfunction or interrupt the operation of all or any part” of them or to compromise a valid access code, don’t explicitly include exemptions for researchers.
Sammy Migues, principal scientist at Synopsys, said words like “possession” and “intent” can be a slippery slope.
“The question is whether this is a prelude — like some people may feel about guns, drugs, lockpick tools, etc. — to making creation illegal. What about conference talks about creation? What about public bug reports about vulnerabilities that lend themselves to ransomware attacks?”
The current language might not even protect the ransomware victims themselves. “What about company IT groups that have copies of the ransomware they were attacked with?” he said.
Meanwhile, the proposed law contains zero mandates for better security of the government agencies that have proven themselves to be easy, and lucrative, targets for ransomware attackers.
The security fault line
As blogger and activist Cory Doctorow put it, “Rather than requiring cities to allocate funds for security, training or insurance, or protecting those who disclose bugs so that they can be patched before they’re weaponized, the bill prohibits cybercrimes that are largely already defined in U.S. federal statutes … thus the problem is technical and institutional, erupting from the fracture line where poor quality software meets poor security practices.”
Indeed, the irony is that instead of spending millions to recover from such a disaster, there is a less complicated, less expensive and much more effective way to avoid being “low-hanging-fruit” for ransomware attackers. Do what security experts have been preaching for decades: Implement security basics. They include:
- Keep software updated.
- Use two-factor authentication.
- Implement a rigorous password policy.
- Apply the principle of “least privilege.” Restrict access to critical systems to as few accounts as possible.
- Conduct real-time network and event monitoring, and close possible loopholes, like RDP ports open to the outside world.
- Have a disaster and recovery plan in place that includes keeping backups offline and offsite.
To that, Wolff added that government entities should hire penetration testers to see if they can breach agency computer systems. If they can, then obviously the bad guys can too. And the testing will let organizations know what their vulnerabilities are and what they need to fix.
Yes, doing that does take money — but almost always less money than paying a ransom.
It also takes skill. Migues has said in the past that there are not nearly enough people skilled in cyber security, management and politics to handle the demands of hardening the defenses of the connected systems in government at all levels.
“It’s probably unusual to find somebody really qualified in two or three of those areas,” he said.
But if city or agency officials were interested enough to ask him what to do?
“I’d tell them the same basics we’ve been saying for decades,” Migues said. “Know your assets and be able to recover from total loss.”
But he also thinks the more practical thing for most cities is to get out of the security business and hire experts to do it for them.
“Sometimes at your house, you have to call a plumber,” he said.