Two U.S. lawmakers are proposing a new law that will require organizations that are hit with ransomware and pay the ransom to disclose information about the payment and attack to the U.S. Department of Homeland Security.
According to Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.), the bill is designed to improve the U.S. government’s understanding of ransomware operators and help agencies better combat those threats.
In a press release announcing the bill, the lawmakers cite the growing threat of ransomware and the increasing average ransomware payment, which they say is now over $300,000.
Currently, ransomware victims are not required to report attacks or payments to federal agencies like the FBI or DHS. Lawmakers say that information could be useful in developing a more complete picture of the ransomware threats facing U.S. organizations.
In a statement, Warren said ransomware attacks are skyrocketing while federal agencies are lacking critical data to counter the attacks.
“My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them,” Warren said.
The proposed law will require organizations to disclose information about ransomware payments no later than 48 hours after the date of payment. That information includes the amount paid, type of currency used and any information about the group demanding the ransom.
The law also requires DHS to make that information public, but in a way that protects the identity of the victims.
In addition, the law proposes a DHS website through which individuals can report payment of ransoms.
Finally, the law will direct DHS to conduct a study on commonalities among ransomware attacks and the role of cryptocurrency, and to provide recommendations for protecting IT systems.
Motivated by the increase in cybercrime, the federal government has recently stepped up its cybersecurity efforts, bolstering the U.S. Cybersecurity and Infrastructure Security Agency and requiring more stringent cybersecurity defenses across the federal government.
In addition, a new Connecticut law that shields businesses from liability for data breaches as long as they adopt industry-recognized cybersecurity standards went into effect Oct. 1. The law incentivizes companies to strengthen their network defenses to be protected against certain lawsuits.
