Ransom Disclosure Act would require companies disclose ransom payments to Department of Homeland Security, with public website aggregating stats

GovTrack Insider (GovTrack.us)
Published Nov 9, 2021

Rep. Deborah Ross (D-NC2)
Sen. Elizabeth Warren (D-MA)

There are no firm figures on how many ransoms are paid, nor on the total amount paid out.

Context

Ransomware is malicious software that encrypts or otherwise locks a company’s or an individual’s systems, accounts or data and withholds access until a ransom is paid, typically in cryptocurrency, which is harder to trace than a bank transfer (though not untraceable).

A particularly prominent example this year was May’s ransomware attack on Colonial Pipeline, which led to fuel shortages across the southeastern U.S. Even though the intrusion hit the company’s corporate IT systems, including its billing software, rather than the pipeline’s operational controls, Colonial shut down the pipeline as a precaution, and CEO Joseph Blount authorized a $4.4 million ransom payment.

In May, the Department of Homeland Security (DHS), through its Transportation Security Administration, issued a security directive requiring pipeline owners and operators to report cybersecurity incidents, and that same month President Joe Biden issued an executive order imposing incident-reporting obligations on IT contractors serving the federal government. But overall, we don’t know how often ransomware attacks happen, nor for what dollar amounts.

Companies in general are not required to report ransomware attacks — and indeed, many don’t, for fear that doing so would spark bad publicity and potentially cost them customers. A cybersecurity insurance firm called Coalition sparked headlines with its recent report estimating that in 2021, for the first time, the average ransom demand has exceeded $1 million. But it’s just that: an estimate.

What the legislation does

The Ransom Disclosure Act would require organizations that fall victim to ransomware and pay a ransom to report the payment to DHS within 48 hours, including the amount paid and the type of currency used. Individuals would be exempt: the requirement would apply only to institutional or organizational victims, such as Colonial Pipeline in the case above.

DHS would also be required to maintain a public website, updated annually with cumulative figures for the previous year (such as the total number of reported ransomware cases and the total amount paid out), while withholding any information that would identify specific victims.

The House version was introduced on October 5 as H.R. 5501, by Rep. Deborah Ross (D-NC2). The Senate version was introduced the next day on October 6 as S. 2943, by Sen. Elizabeth Warren (D-MA).

What supporters say

Supporters argue that ransomware is a major and growing threat, yet policymakers lack hard data on how often it strikes and how much it costs.

“Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” Rep. Ross said in a press release. “The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Sen. Warren said in a separate press release. The legislation “would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

What opponents say

Opponents counter that the legislation would break with a principle that holds almost everywhere else in U.S. law: victims of a crime are not compelled to report it.

“In virtually all other areas, we don’t force victims of crimes to report being victimized to the police, if they don’t want to,” North Dakota State University computer science professors Zahid Anwar and Jeremy Straub wrote in an opinion column for The Hill. “A homeowner (or office building operator) would, thus, not be threatened with penalties for not reporting being burglarized and a rape victim would not face possible fines or jail time for not reporting being raped.”

“Ransomware, if it is clear that no data has been exfiltrated, should be no different,” Anwar and Straub continued. “This is a notably different situation from a data breach, where other victims — those whose data was stolen — may not learn about it without mandatory reporting.”

“Even more problematic is the risk that companies may decide to not pay the ransom due to the reporting requirement,” Anwar and Straub added, “resulting in employees’, customers’ and others’ data being compromised and the organization’s operations being impaired or suspended — just to provide the federal government with a bit more information.”

Odds of passage

The House version has not yet attracted any cosponsors. It awaits a potential vote in the House Energy and Commerce Committee.

The Senate version has also not yet attracted any cosponsors. It awaits a potential vote in the Senate Homeland Security and Governmental Affairs Committee.

— — — — — — — — — — — — — — — — — — —

This article was written by GovTrack Insider staff writer Jesse Rifkin.
