Two bills drafted by New York state senators aim to ban ransomware payments from government agencies & municipalities following attacks on their data.
Earlier in January, two New York state senators each submitted a bill to their respective committees seeking to ban ransomware payments from government entities & municipalities. These measures would effectively prohibit payment of a ransom in the event of a “cyber-attack against such municipal corporation’s or government entity’s critical infrastructure”. Ransomware payments are made in such scenarios when a victim’s files become encrypted & all other options for data recovery have been exhausted.
NY State Senate Bills
There are currently two bills in committee discussion that would prohibit payments in response to ransomware attacks. Senate Bill S7246, sponsored by 4th District Sen. Phil Boyle, and Senate Bill S7289, sponsored by 38th District Sen. David Carlucci, aim to block any ransomware payments from municipalities following a ransomware attack, removing the financial incentive for attackers. If ransomware operators know they cannot receive extortion payments from government & municipality victims, they may look elsewhere.
New York state continues to be a leader in enacting modern laws & regulations around cybersecurity and data protection. Last summer, Governor Andrew Cuomo of New York state signed the SHIELD Act (Stop Electronic Hacks and Improve Electronic Data Security Act), which helps protect New York residents and their data. This legislation sets a positive precedent that showcases the state’s ability to keep its residents’ data safer. The New York Police Department is also developing an app that allows authorities to better collect data from victims of cyber crimes in New York City, providing more resources for better communication about these challenges.
Restricted to Pay Ransom
A blanket law forbidding ransom payments from any municipality in New York state sets a precedent for legislation governing how an organization chooses its path to recovery from a cyber attack. Local governments must be prepared to handle the extremes of a ransomware attack that could leave their data encrypted & unrecoverable. More aggressive extortion techniques, such as those of the Maze ransomware variant, continue to leak data from victims to try to get them to pay the ransom. Municipalities in New York must have a strong & tested incident response plan that will ensure they are prepared.
Cybersecurity professionals and IT staff working closely with New York state towns, cities, and municipalities must pay close attention to these bills and how they will affect their data security operations. Although the payment of ransom would be outlawed under this draft legislation, that doesn’t mean ransomware operators will stop aggressively targeting municipalities and their data. This presents a challenge, as criminals will continue deploying cyber attacks to experiment & analyze how these cities and towns react when their data becomes encrypted (or further extorted).
Local Municipalities Continue to be Targeted
Municipalities of all sizes & government agencies have been the focus of ransomware attacks in recent months. They are an opportunistic target for cyber crime because they often lack the modern cybersecurity resources & training needed to prevent severe attacks. Ransomware is not the only type of malware that seeks to cause damage to government entities & municipalities. These public agencies continue to face challenges from politically motivated cyber crime such as wiper attacks. Additionally, the attackers behind the Maze ransomware have begun exfiltrating data from private companies and publishing it online. This represents a new risk for government entities that store private PII data of citizens. This legislation further stresses the necessity for a better security posture and brings to light the importance of collectively improving our cyber defenses.
Cyber-Security Enhancement Fund
Senate Bill S7246 introduces new funding opportunities for New York State municipalities with a population of one million or less, adding “a cyber security enhancement fund to be used for the purpose of upgrading cyber security in local governments”. This development, known as the Cyber-Security Enhancement Fund, will help bolster and enhance the cybersecurity hygiene of municipalities to defend against cyber and ransomware attacks. Cyber attacks can largely be prevented with attention from every member of an organization, and that includes municipalities as well.