Public entities in North Carolina are prohibited from paying a ransom demand following an attack, an idea that may be spreading to other U.S. states.
According to an article in the National Law Review, the law goes even further than that, barring any communications with a ransomware actor following an attack.
The ban applies broadly to all state agencies. From the article:
The new law applies to all local government entities, including cities, counties, local school administrative units, and community colleges. All state agencies—including boards, commissions, bureaus, officials, and other entities of the executive, legislative, and judicial branches, as well as The University of North Carolina—also are subject to the payment and communication prohibitions.
In addition to the ban on payments, public agencies have to report all cybersecurity incidents, ransomware included. Private organizations aren’t under the same reporting requirement, although North Carolina “encourages” them to report incidents as well.
3 More States Looking Into a Ban
Although North Carolina is the first state to put such a law on the books, CSO reports that it’s being considered in at least three other states, including New York, Texas, and Pennsylvania. According to the CSO story, New York’s is the only bill that would also prohibit private organizations, including “business entities, and health care entities,” from paying a ransom.
As of the date of this writing, none of the other states have passed the bills, which are all sitting in committee: New York’s is in the Senate Committee; Texas is in the House State Affairs Committee; and Pennsylvania’s is in the Judiciary Committee.
Whether prohibiting ransom payments is a good idea is another question altogether. One school of thought holds that ransomware threat groups are unlikely to attack an organization that is legally barred from paying up.
Catastrophic Consequences
On the other hand, the consequences of suffering an attack and losing access to all the encrypted data would cripple the entity. There are plenty of examples of hospitals, school districts, and other important public agencies being shut down for days, weeks, or months in the wake of an incident. The clamor to pay the ransom would be loud—maybe not publicly, but certainly behind the scenes.
Consider, for example, if a county’s 911 service was brought down by an attack. Would the ban still hold under that kind of pressure? It’s an open question.
Another aspect to consider is that paying a ransom, rather than resolving the situation, tends to invite further attacks against the victimized organization; follow-on attacks are sometimes launched immediately, with a demand for another payment.
FBI Director Chris Wray, quoted in an article on AOL News, said much the same thing in recent testimony: “In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back.”
With so much to ponder, it’s clear that the issue of refusing to pay ransoms for organizations—both public and private—is far from settled.