A newly proposed law that would force companies to disclose a ransom payment following a ransomware attack to the U.S. government has received mixed responses from the cybersecurity community.
The proposed law, the Ransomware Disclosure Act, was introduced by Senator Elizabeth Warren and Representative Deborah Ross. The bicameral bill is pitched as giving the Department of Homeland Security critical data on ransomware payments to improve understanding of cybercriminal enterprises and the ransomware threat.
The act, if passed, would require ransomware victims, excluding individuals, to disclose information about ransom payments no later than 48 hours after the date of the payment. The information to be disclosed includes the amount of the ransom paid, the type of cryptocurrency used for the payment and any known information about the entity demanding the payment.
DHS would be required to publish the information disclosed in the previous year, excluding identifying information on the victim and the amount paid. DHS would also be required to establish a reporting website and study commonalities among ransomware attacks in order to provide recommendations for strengthening cybersecurity.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Senator Warren said in a statement. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
The response from the cybersecurity community ranges from supportive to seriously concerned.
“While studying and facilitating the voluntary reporting of ransomware payments both sound to be well within reasonable bounds, I question the prudence of compelling non-voluntary disclosure by private parties who determine that such disclosure is not in their best interests or the best interests of their stakeholders and shareholders,” Tim Wade, technical director, CTO Team at artificial intelligence cybersecurity company Vectra AI Inc., told SiliconANGLE. “Such actions would appear to weaken some standards of privacy, fairness and liberty with respect to individual protections and the choices individuals may make with respect to their best interests within their rights.”
John Bambenek, principal threat hunter at IT service management company Netenrich Inc., is also concerned about the proposed law, saying that “it is likely that disclosing ransom payments, while also seeking to use regulatory power to disincentivize them, will only discourage businesses from working with law enforcement. This will have the net effect of closing a valuable channel of intelligence that actually helps the possibility of gaining convictions.”
Ilia Kolochenko, founder of application security company ImmuniWeb SA and a member of the Europol Data Protection Experts Network, notes that while the proposed law would give DHS better visibility into international ransomware actors, without an increase in its budget the department would likely drown in an avalanche of submissions.
“The DHS should probably consider implementing efficient information exchange with U.S. states and international law enforcement agencies to better coordinate the prosecution of cyber gangs,” Kolochenko said. “Importantly, the reports shall not be publicly available, otherwise, they will be a treasure trove for cybercriminals to better select solvent victims ready to pay a ransom.”
Those supporting the bill include Bill O’Neill, vice president of public sector at ThycoticCentrify, who says that “the proposed bill could be a positive step in removing the stigma around being a cybersecurity attack victim, helping those organizations realize that they are not alone, and availing them of resources that can help them shore up their cybersecurity defenses to avoid future costly incidents.”
Describing disclosure of this information as vital for the government to understand the risk, Kevin Dunne, president at access orchestration firm Pathlock Inc., wrote that collaboration between government and the private sector is critical to creating a united front against ransomware attacks.
“While admitting a ransomware attack is a sensitive subject for many organizations, stemming the rising tide of these ransomware attacks can only happen when the government can operate off complete information,” Dunne said.
Callum Roman, head of threat intelligence at cybersecurity solutions provider F-Secure Corp., was also positive, saying that “compulsory reporting of ransomware payments can help shed light on the true scale of the problem and not just the tip of the iceberg we see reported in the media.”