US senator and former Democratic presidential candidate Elizabeth Warren, alongside North Carolina congresswoman Deborah Ross, has introduced a new bill that, if enacted, would require US-based victims to publicly disclose information on ransomware incidents.
The bicameral Ransom Disclosure Act will supposedly provide the Department of Homeland Security (DHS) with data on ransomware payments with the intention of improving understanding of how cyber criminal groups operate, and paint a fuller picture of the extent of the ransomware problem.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cyber criminals,” said Warren. “My bill with congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cyber criminals are siphoning from American entities to finance criminal enterprises – and help us go after them.”
At its core, the law requires organisations that decide to pay a ransom – not private individuals – to disclose information about the ransom payment no later than 48 hours after it is made. This would include how much they paid, what currency was used, and any known information about their attackers.
The legislation will also require the DHS to set up a reporting service, to publish the disclosed information annually with victims’ identities redacted, and to conduct a study on the commonalities among ransomware attacks and the extent to which cryptocurrencies facilitate them, in order to offer recommendations for better protection.
“Ransomware attacks are becoming more common every year, threatening our national security, economy and critical infrastructure, but unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cyber criminal enterprises and counter these intrusions,” said Ross.
“I am proud to introduce this legislation with senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The US cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cyber criminals pose to our nation.”
Callum Roman, threat intelligence head at F-Secure, commented: “Governments know ransomware is a problem, but just how much of a problem is unclear. Compulsory reporting of ransomware payments could help shed light on the true scale of the problem and not just the tip of the iceberg we see reported in the media.
“The legislation may run into issues on reporting based on how and where organisations decide to pay the ransom. If they organise payment through an intermediary, will they have to report? If they pay the ransom from a company in their portfolio that is not under US jurisdiction, will they have to declare? There will always be ways round this type of legislation, but if constructed well, it can have a positive impact on informing government of the real scope of the issue.”
Roman added that the proposal to investigate links between the ransomware and cryptocurrency ecosystems was particularly noteworthy, and suggested it may lead to further legislation and regulatory focus on cryptocurrencies further down the line.