NY State Wants To Ban Government Agencies From Paying Ransomware Demands – Comments

Two New York state senators have proposed two bills that would ban local municipalities and other government entities from using taxpayer money to pay ransomware demands. Bill S7246, proposed by Republican NY Senator Phil Boyle on January 14, and bill S7289, introduced by Democrat NY Senator David Carlucci on January 16, are similar; the only difference is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture.

Experts Comments

January 27, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
While I commend the idea behind the resolutions, making it a law, especially without having specific exceptions, is not the right way to resolve the issue. While it is certainly better to avoid paying the attackers, something I see municipalities already trying to avoid whenever possible, there may be instances where paying the ransom, then fixing the issue that allowed that initial infection to take hold, would be the more prudent option. I can see cases where a single computer, or perhaps even a couple of computers, being infected with ransomware could impact the operation of critical services in these communities. In many cases, the ransoms are low, often only $300-$500 for an individual computer. Refusing a payment of that amount to restore something like 911 services, then having an event occur that results in the loss of life, is unfathomable and puts the municipalities at significant legal risk. Bill S7246 allocates an initial $5 Million to the fund that is expected to help secure the infrastructure of countless villages, towns and cities within the state, many of them rural. This is far too little to even begin to ensure that ransomware does not infect these areas, much less guarantee it. Making these funds available to upgrade the infrastructure, and especially to train the employees to avoid phishing attacks, the most common way these attacks are successful, without the strings attached regarding the option of payment would be a far better approach.