Back in April, North Carolina became the first state to approve a law banning ransomware payments by government agencies. The law, which was part of the Current Operations Appropriations Act of 2021, S.L. 2021-180 (PDF), includes the following language:
(a) No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.
(b) Any State agency or local government entity experiencing a ransom request in connection with a cybersecurity incident shall consult with the Department of Information Technology in accordance with G.S. 143B-1379.
This law applies to, among other entities, state, local, and county governments, as well as schools, community colleges and public universities.
North Carolina is not the only state thinking about this problem. The Pennsylvania Senate has also approved a bill that would ban ransomware payments, though that bill does allow for exceptions if the governor declares a state of emergency. New York and Texas are also considering such laws.
States Are Under Attack
It makes sense that states are concerned about ransomware: according to Emsisoft, more than 2,300 local governments and schools were impacted by ransomware attacks in 2021. Despite a lot of concern about these attacks, they continue to rise and are likely to keep rising through 2022.
There are a lot of reasons that local governments and schools are repeatedly attacked by ransomware groups:
- They often have small or no security budget
- Their networks, especially schools, often have to be relatively open
- An attack against a local government or school usually makes the news
- There are additional extortion avenues for ransomware groups, from threatening to release sensitive student data to encouraging constituents to tell the government to pay so services can be restored
Some ransomware groups, like Pysa, appear to actively target schools, in part because schools are considered easy targets. In fact, ransomware attacks against schools have become so common that school administrators have created a new designation for the days off students often get after a ransomware attack: “Cyber Days.”
Here’s a quote from another article about the ban that I have issues with:
“Lawmakers in North Carolina and Pennsylvania have suggested that if hackers know that a state or local agency is prohibited by law from paying a ransom, the hackers will have no financial incentive to attack such agencies and accordingly will look for victims in other states”
Bluntly, that is just wrong. It completely misunderstands both the way ransomware groups think and the way ransomware “targeting” works. Ransomware groups have seen hundreds of victims that talk tough about not paying a ransom while secretly paying it. They have seen negotiators discuss how to pay the ransom while keeping the transaction amounts small enough that no one will notice.
There is a lot of tough talk about not paying a ransom, and a lot of excellent advice about why organizations should not pay a ransom. But ransomware groups know that sometimes organizations have no choice.
And, we’ve seen this before. In 2019 mayors from around the country pledged not to pay ransomware groups, and that didn’t slow down ransomware groups at all. In fact, attacks on towns and cities increased after that pledge.
Ransomware groups also don’t usually target geographically; they target based on vulnerabilities. Whether that vulnerability is exposed credentials, an unpatched system they can exploit, a network connected to a compromised MSP, or a person who has opened a phishing email, it is always the vulnerability that determines the victim, not the region.
No ransomware group is going to say, “Oh, this is a local government in North Carolina, I am going to leave the network.” Instead, what they are likely to do is steal as much sensitive information as possible to sell later, and, if the government holds firm on not paying the ransom, destroy as much of the network as possible, just as they would with any victim making similar proclamations.
The law also makes it illegal for public entities to negotiate with ransomware and extortion groups. This is a mistake. There is a lot of valuable intelligence that can be gained through negotiation, without having to pay a ransom.
Ransomware negotiations are not just about discussing payment. They also involve understanding the frame of mind of the ransomware group, what type and how much data was stolen, and how serious the group is about releasing that data. Because negotiations yield intelligence well beyond the payment amount, outlawing them could hinder ransomware incident response investigations.
Unfortunately, what the law in North Carolina does is hamstring victims of a ransomware attack, rather than do anything to actually stop the attack from happening.
Poor Security Practices
For the longest time, security departments within organizations were thought of as the “Department of No.” While that is still true in some places, most security practitioners have realized that it is better to cooperate with and work with other departments to improve security collaboratively, rather than just saying no to everything (though, sometimes you still have to say no).
The North Carolina law epitomizes the old-school style of thinking: saying no, without offering solutions. The budget, for instance, doesn’t increase funding to improve cybersecurity (except as it relates to election security). This leaves local governments with the same small or non-existent security budgets, but now with additional constraints. In addition, there is another requirement in the bill:
Local government entities, as defined in G.S. 143-800(c)(1), shall report cybersecurity incidents to the Department. Information shared as part of this process will be protected from public disclosure under G.S. 132-6.1(c). Private sector entities are encouraged to report cybersecurity incidents to the Department.
Reporting is good. I, and many others, have long advocated for better cybersecurity incident reporting. It’s the only way to ensure that we have a comprehensive understanding of the damage done by ransomware and other cybersecurity incidents.
But preventing this data from being disclosed to the public, whether voluntarily or through public-records (FOIA) requests, will allow states to cover up ransomware attacks (although ransomware attackers, who routinely publish their victims’ names, may have something to say about that) and keep the true extent of these attacks hidden from the public. That doesn’t help improve security either.
Good Intentions Aren’t Good Enough
I agree with the intent of the North Carolina law. We should discourage entities from paying ransomware and other extortion groups, but I think the execution of the law fails on several fronts:
- It gives public entities a mandate, without helping them improve their ability to stop ransomware attacks
- It doesn’t account for costs to students and constituents when their data is leaked
- It also doesn’t allow for exceptions for catastrophic failures
- It encourages additional secrecy around ransomware attacks, making it harder for everyone to understand how bad the problem is
States need to develop a more collaborative relationship with public entities if we are going to stop ransomware attacks. Yes, payment should be discouraged, but stopping payment doesn’t stop ransomware attacks.
Better defense, better information sharing and more statewide preparedness are how we can stop ransomware attacks. Unfortunately, none of these things are addressed by the North Carolina law.