NY State Wants To Ban Government Agencies From Paying Ransomware Demands – Comments

Two New York state senators have proposed two bills that would ban local municipalities and other government entities from using taxpayer money to pay ransomware demands. Bill S7246, proposed by Republican NY Senator Phil Boyle on January 14, and bill S7289, introduced by Democrat NY Senator David Carlucci on January 16, are similar; the only difference is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture.

1 Expert Comment
Erich Kron, Security Awareness Advocate, InfoSec Expert
January 27, 2020 12:25 pm

While I commend the idea behind the resolutions, making it a law, especially without having specific exceptions, is not the right way to resolve the issue. While it is certainly better to avoid paying the attackers, something I see municipalities already trying to avoid whenever possible, there may be instances where paying the ransom, then fixing the issue that allowed that initial infection to take hold, would be the more prudent option.

I can see cases where a single computer, or perhaps even a couple of computers, being infected with ransomware could impact the operation of critical services in these communities. In many cases, the ransoms are low, often only $300-$500 for an individual computer. Refusing a payment of that amount to restore something like 911 services, then having an event occur that results in the loss of life, is unfathomable and puts the municipalities at a significant legal risk.

Bill S7246 allocates an initial $5 million to the fund that is expected to help secure the infrastructure of countless villages, towns and cities within the state, many of them rural. This is far too little to even begin to ensure that ransomware does not infect these areas, much less guarantee it. Making these funds available to upgrade the infrastructure, and especially to train the employees to avoid phishing attacks, the most common way these attacks are successful, without the strings attached regarding the option of payment would be a far better approach.
