New Bill Would Require Ransom Disclosure Within 48 HoursLegislation Would Also Direct US DHS to Study Ransomware, Cryptocurrencies
U.S. lawmakers have introduced legislation that would require the reporting of ransom payments within 48 hours of the transaction. The bill, put forward by Sen. Elizabeth Warren, D-Mass., and Rep. Deborah Ross, D-N.C., would require the Department of Homeland Security to create a voluntary website to log ransom payments and task DHS with a comprehensive study of the correlation between ransomware and cryptocurrency.
See Also: What is your Exposure to Ransomware?
In a statement Tuesday, the lawmakers said that, if passed, the Ransomware Disclosure Act would make available critical data that would "bolster our understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat."
Warren added, "Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals. My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises - and help us go after them."
The bill would:
- Require ransomware victims (excluding individuals) to disclose ransom payments no later than 48 hours after the date of payment;
- Require victims to report the amount demanded and paid, the type of currency used and any known information about the threat actors;
- Require DHS to make public the information disclosed during the previous year, excluding identifying information;
- Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
- Direct the DHS secretary to conduct a study on commonalities between ransomware attacks and cryptocurrencies and provide recommendations for protecting IT systems.
Agreeing with the provisions, Megan Stifel, who was the director of cyber policy at the National Security Council during the Obama administration, tells ISMG: "We're past time to require reporting of payments. … To begin to reduce the number of victims, we need information about these incidents, not just traditional information sharing of cyber threat indicators … but information about the payment details - the note, the wallet, the amount, etc."
Stifel, who currently serves as executive director of Americas for the Global Cyber Alliance, adds, "Without this type of information, we don't know the full scope of the problem and are severely limited in our ability to develop policy and legal responses to better combat it."
'Threatening Our National Security'
Rep. Ross said of the bill: "Ransomware attacks are becoming more common every year, threatening our national security, economy and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions."
Ross said the legislation "will implement important reporting requirements" and that the U.S. "cannot continue to fight ransomware attacks with one hand tied behind our back."
Warren and Ross cited figures from cybersecurity firm SonicWall, which suggest ransomware attacks rose 62% worldwide between 2019 and 2020, and 158% in North America. In 2020, the FBI received nearly 2,500 ransomware complaints - a 20% increase year over year - with some $29 million in reported losses.
The blockchain analytics firm Chainalysis indicated that victims worldwide paid nearly $350 million in ransoms in 2020, a 300% increase over the prior year. And average payments increased by 170% to $312,000, the firm said.
Similar legislation was introduced last week by leaders of the Senate Homeland Security and Governmental Affairs Committee. The bill, put forward by committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, would require certain organizations to report ransom payments within 24 hours of delivery. Also, owners and operators of critical infrastructure would be required to report security incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours of discovery (see: New Legislation Eyes Both Ransom, Incident Reporting).
Peters and Portman's bill passed the committee by voice vote on Wednesday.
No Consensus Among Experts
Stifel, of the Global Cyber Alliance, says: "The overall requirements [here] are necessary and generally headed in the right direction. I anticipate industry reluctance, citing the burden, especially under the conditions of an incident, but it's important to remember how much of this can be prevented in the first place by following known cybersecurity best practices."
Scott Shackelford, director of the cybersecurity and internet governance program at Indiana University, says, "This legislation, if enacted, would shed some light into a very dark market, and likely also have the effect of disincentivizing firms from paying ransoms in the first place for fear of disclosure."
Still, there does not appear to be a consensus on these mandates.
Von Welch, the associate vice president for information security and executive director for cybersecurity innovation at Indiana University, tells ISMG, "The requirement to report within 48 hours is very interesting. This implies some sort of operational urgency. … Reporting puts an onus on victims … and I believe that needs to be justified - especially in this case where a victim will still be in the midst of recovery and will take away key resources from that recovery."
Tim Wade, a former network and security technical manager with the U.S. Air Force and currently technical director for the security firm Vectra AI, says, "I question the prudence of compelling nonvoluntary disclosure by private parties who determine that such disclosure is not in their best interests, or the best interests of their stakeholders and shareholders."
Other Cybersecurity Legislation
Elsewhere this week, House Homeland Security Committee ranking member John Katko, R-N.Y., and Rep. Abigail Spanberger, D-Va., introduced a bill that would help the government identify "systemically important critical infrastructure." If passed, CISA would be empowered to designate groups as "systemically important" and work with sector risk management agencies to enhance cybersecurity programs.
And on Monday, Sens. Peters and Portman introduced another bill that would amend the Federal Information Security Modernization Act of 2014 and impose incident reporting requirements on federal agencies.
The bill would also confirm CISA's role as lead organization in the wake of cyberattacks and require the Office of Management and Budget to provide guidance on optimal cybersecurity funding for federal agencies.