Proposed Ransomware Law Would Add Insult To Injury For Hacking Victims
Ransomware attacks are on the rise, and it may feel like there is no recourse for many victims. A new law has been proposed in the United States by Senator Elizabeth Warren and Congresswoman Deborah Ross to attempt to address that, but with an added dilemma.
The new law, the Ransomware Disclosure Act, would require businesses to disclose any ransom payments within 48 hours of the payment to the Department of Homeland Security (DHS). If the bill passes, victims who decide to pay the ransom will be required to report the payment sum, the currency, and any information they have about those who are demanding payment.
The Ransomware Disclosure Act would not require everyone who is a victim of ransomware to report it to the DHS. It will only be applicable to those who choose to pay the ransom. And this brings about the aforementioned dilemma: to pay and report it, which can be embarrassing for the victim, or not to pay.
Often businesses will opt to pay the ransom because it is the fastest way to recover from the attack. There is a risk in doing business this way, however, because they are not guaranteed their systems will be restored and data returned. Paying the ransom could also make them a more likely target for more attacks in the future.
On the flip side, businesses that decide not to pay the ransom face large losses because of the downtime and could have their reputation damaged if the attacker decides to publish all their data online. Twitch is one recent example where leaked data can result in a loss of reputation.
Senator Warren says of the Ransomware Disclosure Act (PDF), "Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. [The bill] would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises - and help us go after them." She says that the act is designed to give the DHS the vital intelligence it needs to disrupt the economics of ransomware.
Congresswoman Ross added, "Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions."
While ransomware is an issue that needs to be addressed, is the government simply adding insult to injury? Is requiring victims to disclose that they decided to pay the ransom and all the information that goes along with that necessary for the DHS and the US government to combat ransomware more effectively?