New Ransomware Bill Would Require Organizations Report Ransom Costs
A bill introduced this week would require companies to disclose ransomware attacks and how much they cost victims within 48 hours.
It's not the first and definitely won't be the last but yet another bill designed to help reign in ransomware was introduced in Congress this week.
This one, The Ransom Disclosure Act, introduced by Democrats Sen. Elizabeth Warren and Rep. Deborah Ross, would require ransomware victims to disclose within 48 hours after it was breached what type of cryptocurrency it was asked to pay with.
The goal of the bill is mostly research; by reporting what type of cryptocurrency is being demanded of them and how much, the politicians hope to learn more about the illicit cryptocurrency ecosystem and ongoing ransomware epidemic.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Senator Warren said in a statement on Tuesday. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises -- and help us go after them.”
Under the Ransom Disclosure Act, organizations hit by ransomware would have to supply the Department of Homeland Security with the sum asked, the sum paid, and what type of cryptocurrency the attackers demanded.
After the Act goes into effect, the Department of Homeland Security would publish a website dissecting the aforementioned information, including a total dollar figure for the amount of ransom paid by organizations. Obviously, any information that could reveal the identity of the victim would be omitted from the report.
It's the second bill focused on ransomware to be introduced in the last week.
Last Tuesday, Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) and ranking member Sen. Rob Portman (R-Ohio) introduced a bill, The Cyber Incident Reporting Act, that would require critical infrastructure companies to report cyberattacks in which a ransomware payment is made to the federal government - the Cybersecurity and Infrastructure Security Agency in particular - within 72 hours.
The bill builds on previous legislation introduced by U.S. Representatives John Katko (R-NY), House Homeland Security Committee Ranking Member, and Yvette Clarke (D-NY)
That timeline fits with a recent request made by two groups, one comprised of banking groups, and another by tech companies like Google, Amazon, and Oracle, for a 72-hour window for reporting data breaches. It runs counter to the Cyber Incident Notification Act of 2021, legislation that pitched a 24-hour window earlier this summer.
Ever since this year's ransomware attacks on gas company Colonial Pipeline and meat producer JBS, the Biden administration has been pushing hard to combat ransomware attacks. Last week the White House announced it had plans to meet with 30 other countries to discuss the looming threat; it also last month sanctioned a cryptocurrency exchange for its role in facilitating cybercrime.