Sen. Elizabeth Warren, D-Mass., and Rep. Deborah Ross, D-N.C., have introduced legislation that would require ransomware victims to report information about ransom payments no later than 48 hours after the date of payment.
The ransomware bill proposed in the House and Senate follows at least three other, broader breach notification bills introduced in Congress this year, one of which has already passed the House as part of the National Defense Authorization Act. Those bills would require significant breaches to be reported to the Cybersecurity and Infrastructure Security Agency, which would be left to write much of the implementing rules. The notification periods proposed range from 24 hours to 72 hours and even up to a week.
According to the Ransom Disclosure Act proposed this week, victims would have to provide information to the Department of Homeland Security (DHS) on the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.
The bill also requires DHS to make public the information disclosed during the previous year, excluding identifying information about the organizations that paid ransoms. It would also require DHS to establish a website through which individuals can voluntarily report payment of ransoms, and direct the DHS secretary to conduct a study on the nature of ransomware attacks, including the role of cryptocurrency such as bitcoin, and then make recommendations on how to protect organizations from continued attacks.
Congress finally took action following the dramatic increase in ransomware attacks, most notably attacks on Colonial Pipeline, JBS and Kaseya. Between 2019 and 2020, ransomware attacks rose by 62% worldwide and 158% in North America. In 2020, the FBI received nearly 2,500 ransomware complaints, up 20% from 2019, which identified losses of over $29 million.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
Governments know ransomware has become a problem, but we still don’t know the full scope of the problem, said Callum Roman, head of threat intelligence at F-Secure. Roman said compulsory reporting of ransomware payments can help shed light on the true scale of the ransomware issue — and not just the tip of the iceberg reported in the media.
Roman added that the legislation may run into reporting issues depending on how and where organizations decide to pay the ransom. For example, if they arrange payment through an intermediary, will they have to report? Or if they pay the ransom from a company in their portfolio that is not under U.S. jurisdiction, will they have to declare it?
“There will always be ways around this type of legislation, but if constructed well, it can have a positive impact on informing government of the real scope of the issue,” Roman said. “The most interesting aspect of the suggested legislation is the directive to the DHS to investigate the cryptocurrency facilitation of ransomware. This may spark further legislation and focus on this medium by the U.S. government. It certainly will help arm it with the information it needs to decide if this is an effective avenue for combating ransomware.”
Ransomware has become a transnational threat capable of taking away human lives by paralyzing hospitals and disrupting critical national infrastructure, said Ilia Kolochenko, founder of ImmuniWeb. The proposed law will certainly provide the DHS with better visibility on international ransomware actors, but unless the DHS gets a tenfold cybercrime budget increase, Kolochenko said it will likely drown in an avalanche of submissions.
“Mere information gathering about ransom payments is unlikely to bring the desired results, as transactions on cryptocurrencies are often untraceable and uninvestigable,” Kolochenko said. “Thus, it would also be worthwhile to consider expanding the law to provide additional authority to existing law enforcement agencies, increase their cybersecurity budgets, provide free training and 24x7 support to the victims, and expand international cooperation in the investigation and prosecution of cybercrime. Countless cybercrime cases are never cleared because of slow or otherwise ineffective collaboration across different countries.”