An inside look into states’ efforts to ban gov’t ransomware payments
North Carolina and Florida broke new ground earlier this year when both states banned government entities from paying ransoms connected to ransomware attacks.
But lawmakers across the U.S. are having trouble replicating that legislative success as experts decry the bans and party leaders balk at wading into an evolving cybersecurity landscape.
Cybersecurity has become a hot topic for state legislatures in 2022, with at least 250 cyber-related bills introduced or considered by lawmakers across 40 states and Puerto Rico, according to data from the National Conference of State Legislatures.
But — with most of these bills focusing on training, funding and election security — North Carolina stood out for passing the first state law banning government entities from paying ransoms connected to cyberattacks.
The prohibition covers all state agencies, the University of North Carolina, cities, counties, local schools, community colleges and more. Administrators and cybersecurity specialists are restricted from even communicating with ransomware groups in the event of an attack.
The law additionally requires all agencies to immediately notify the North Carolina Department of Information Technology (NCDIT), which is tasked with responding to the incidents, in the event of a ransomware attack.
Rob Main, state chief risk officer for North Carolina within the NCDIT, told The Record that ransomware attacks are an increasing concern for state and local governments in North Carolina. He said there are several reasons why paying a ransom is ill-advised, noting that data by definition is compromised through the incident, and payment does not guarantee a safe return of the information.
It also incentivizes more attacks, Main added.
“With the law in effect, it takes the decision of whether or not to pay ransom off the table and allows the N.C. Joint Cybersecurity Task Force to streamline the response and recovery phases of effort,” he said. “We believe this law is essential in our cyber defensive posture by disincentivizing threat actors from seeking payment from public sector entities in North Carolina.”
The N.C. Joint Cyber Security Task Force is composed of NCDIT, as well as the N.C. National Guard, N.C. Department of Emergency Management, N.C. Local Government Information Systems Association Cybersecurity Strike Team, and other local, state and federal agencies, according to Main.
It provides a range of options to victims in addition to cyberattack coordination, resource support and technical assistance to reduce the impact to an affected organization. The task force also provides on-the-scene response personnel. Main said there are no exceptions to the ransomware payment ban.
Florida’s ban on government entities paying ransoms came a few months after North Carolina’s and was similarly tied to larger changes to how state entities respond to cyberattacks. The law mandates that all Florida government agencies and departments report all ransomware incidents within 12 hours and requires organizations to provide detailed information on the data stolen and the ransom demanded.
Near the end of the bill, the lawmakers said a “state agency… a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”
Mixed statehouse success
While the bills succeeded in those two states, lawmakers elsewhere are having far more trouble passing similar legislation.
As of July 1, at least 12 states have addressed ransomware in a law, according to the National Conference of State Legislatures.
California, Florida, Indiana, Louisiana, Maryland, Michigan, North Carolina, North Dakota, Oklahoma, Texas, West Virginia and Wyoming all passed laws referencing ransomware, with most effectively adding ransomware to criminal penal codes and outlining specific penalties for those involved.
Florida, Indiana, Louisiana, North Carolina and North Dakota require public entities to report ransomware incidents while Texas now authorizes the Texas Department of Transportation to purchase insurance coverage for ransomware.
Tennessee and others formalized demands that state organizations provide information about cyberattacks and ransomware incidents. New Mexico and Maryland passed bills that provide funding for cybersecurity training and ransomware response tools.
Kentucky passed a resolution demanding the federal government do something to address the issue and “take appropriate measures sufficient to protect the Commonwealth from cyberattacks and prevent ransomware demands.”
But Florida and North Carolina had the only bills that explicitly ban government entities from paying ransoms.
New York State Senator Diane Savino, whose bill resembles the ones in Florida and North Carolina, said her ban did not make it out onto the Senate floor this year, telling The Record that the assembly has been somewhat reticent to do anything around cybersecurity issues because “quite obviously, they don't understand it.”
“I think in a lot of states, what they don't understand, they don't know how to write laws for,” Savino said. “We were really trying to spur a public conversation at the state level about what we can do to improve conditions so that we reduce our risks and we make ourselves less vulnerable to these ransomware attacks.”
She noted that some cyber insurers have said they will no longer pay out claims because they see many entities are not practicing good cyber hygiene, which is placing them at risk.
But from a state perspective, Savino said more coordination between New York’s Office of Homeland Security and local entities was sorely needed.
Savino joked that in many small towns and villages across New York, the local chief information security officer might also be the gym teacher or the person running the lunchroom. But she spoke at length about the challenge state officials face when dealing with hundreds of municipalities buying their own software and hardware.
Her bill sought to standardize how state entities procure their technology and have the state’s Homeland Security office handle it for all organizations.
One of Savino’s largest complaints is directed toward the federal government. When state lawmakers go to the federal government and ask what they can do to address ransomware, they are not provided with much guidance.
“If you speak to the FBI or you speak to our partners in Washington, their response is that we should advise our local governments, we should advise our school districts or healthcare institutions that they shouldn't pay,” Savino said.
“They told us that the payment of ransom for cybersecurity incidents, while it's not a direct violation of law, a case can be made that these payments are assisting criminal enterprises. So their response is ‘just don't pay it.’ But of course that's not always been the solution that people are looking for.”
The Justice Department declined to comment. The FBI, White House and Cybersecurity and Infrastructure Security Agency did not respond to requests for comment about the federal stance on these ransomware payment bans.
During a discussion on ransomware last month, Michael Stawasz — Deputy Chief for Computer Crime for the Department of Justice — told a panel organized by the Atlantic Council that while it is impossible to anticipate every instance of ransomware, as a federal government, they “have said we’re not going to pay.”
“I am not a local government who has to run their local government when it may have important law enforcement files locked up or something else,” he said, claiming that the insistence on not paying would protect government organizations.
“The hope is that means we are less of a target because they have more confidence that the U.S. government means what it says when it makes a statement like that. We’ll see how that plays out, but for the U.S. government, we have said we won’t pay.”
‘Pouring gasoline on it’
Pennsylvania State Senator Kristin Phillips-Hill told The Record that her ransomware payment ban bill had made its way to the House Judiciary Committee in January and is still awaiting consideration.
Phillips-Hill said that, like most lawmakers, she became interested in a ransomware bill after the attack on Colonial Pipeline disrupted fuel supply to the East Coast last May.
The incident, and the fact that poor password practices were the origin of the attack, prompted Phillips-Hill to begin discussions about how to harden IT environments against ransomware and other cyberattacks.
She added that the groups behind these attacks are “bent on seeking to destroy everything that we have in this country” and said she “fears it will only get worse.”
Sending taxpayer dollars to “rogue nation states, terror cells and other nefarious characters” was where she wanted the bill to start.
“Having had a father-in-law who was in the fire service, when you're going to put out a fire, the last thing you want to do is to just pour more gasoline on it,” she said. “Enabling ransomware payments by governmental entities are just that. It is the accelerant for more attacks on our nation's and on our commonwealth IT systems.”
The legislation she put together was one tranche of efforts to clarify Pennsylvania’s IT, privacy and cybersecurity regulations.
Like Savino, Phillips-Hill said IT procurement policies were part of the issue, noting that about a billion dollars is spent by the state on technology.
Her bill would consolidate all IT functions, duties and infrastructure for state agencies under the governor's jurisdiction, to give them “a more unified rather than a scattershot approach that we're currently using.” It bans any state or local governmental entity or university from using any taxpayer dollars to pay for a ransomware attack. It also mandates a study be done on the state’s ransomware preparedness.
The only exception is in the event of a disaster declaration by the governor.
The bill would also mandate that state entities report all ransomware incidents to state officials, and it adds specific penalties for those who participate in ransomware attacks.
She is unsure whether the bill will make it all the way through the legislative process but said she has spoken with officials who believe the state needs a more concrete cybersecurity strategy.
Arizona Rep. Kevin Payne was a co-sponsor of a ransomware payment ban bill in his state that died after it failed to get a hearing in committee.
He said part of the bill’s focus was coordinating approaches to ransomware at the state, county, city and town levels.
“We can't have different responses where some pay and some don't,” he said. “I wouldn't want any ransom paid, else we become future targets, but rather report to Arizona Department of Homeland Security and let them deal with it.”
How experts feel
Cybersecurity experts have not held back in expressing their deep disdain for laws that ban state-backed entities from paying ransomware demands.
The laws may end up resulting in some agencies permanently losing their data, according to Emsisoft ransomware expert Brett Callow.
“[Ransomware groups] understand that if they were to cease attacks in states with prohibitions, more states would introduce prohibitions. It is, therefore, in their best interests to continue attacking in states with bans,” Callow said. “While there is certainly a case for restricting the circumstances in which public bodies can pay demands, I really don’t think that sector-specific prohibitions at the state level make sense.”
Allan Liska, a ransomware expert and director of threat intelligence at Recorded Future, which owns The Record, said he understood the fervor among state lawmakers to look like they are doing anything to deal with the ransomware problem.
It is “one of the few things that is nonpartisan that everybody can get on board with,” he said, adding that the regulations allow lawmakers to look like they’re taking action without actually solving the problem.
“It doesn’t cost anything because all you’re saying is no. Everybody hates ransomware. So these bills are popular,” Liska said. “What states actually need to stop ransomware attacks is money, and that’s the one thing no lawmaker wants to give them.”
Most small towns don’t even have a full-time security person, Liska noted, highlighting that on a deeper level, whatever investment is made in these public entities is going to be less than what a single ransom payment is going to cost.
These ransomware payment bans are “all stick and no carrot,” banning organizations from doing something without providing them with the tools needed to help protect systems, Liska said.
The laws may also have several unintended consequences. Liska explained that they may open up an extra avenue for extortion.
Data collected by Liska shows that state entities are already some of the victims least likely to pay ransoms because payments generally have to be reported to regulators in some fashion.
“Imagine your school gets hit and they say, ‘We're going to publish your student data like Social Security numbers if you don't pay.’ The school pays a ransom through an incident response firm but it is only recorded by the state as a monthly fee to the incident response firm,” he said.
“Now those ransomware actors can come back and say, ‘Hey, we're going to let everybody know you paid the ransom, we have the transaction and the chat negotiations to prove it, unless you give us more money.’”
State entities will now be faced with the difficult decision of whether to deal with the fallout of sensitive information being leaked or find another way to pay the ransom that won’t violate local laws, Liska added.
He also expressed worry about how ransomware groups will respond to the laws and the comments from lawmakers about them.
One of the sponsors of the North Carolina bill — State Rep. Jake Johnson — said in 2021 that the bill was meant to “take a target off of North Carolina’s back” and that ransomware groups “need to stay away from North Carolina.”
Liska expressed concern that some ransomware groups may view the laws and the conversations around them as an explicit challenge.
“I'm actually surprised we haven't seen more ransomware attacks against North Carolina,” he said. “Just because ransomware actors like to be spiteful.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.