Two New York state senators have proposed two bills that would ban local municipalities and other government entities from using taxpayer money to pay ransomware demands. Bill S7246, proposed by Republican NY Senator Phil Boyle on January 14, and bill S7289, introduced by Democrat NY Senator David Carlucci on January 16, are similar; the only difference is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture.
Two bills were introduced last week in the NY Senate.
The first one, S7246, also advocates for allocating funds for improving cyber-security at local government agencies. Probably a more sensible approach, but this doesn't guarantee it will pass.
— Catalin Cimpanu (@campuscodi) January 23, 2020
While I commend the idea behind the bills, making it a law, especially without specific exceptions, is not the right way to resolve the issue. While it is certainly better to avoid paying the attackers, something I already see municipalities trying to avoid whenever possible, there may be instances where paying the ransom, then fixing the issue that allowed the initial infection to take hold, would be the more prudent option.
I can see cases where a single computer, or perhaps even a couple of computers, being infected with ransomware could impact the operation of critical services in these communities. In many cases the ransoms are low, often only $300-$500 for an individual computer. Refusing a payment of that amount to restore something like 911 services, then having an event occur that results in the loss of life, is unfathomable and puts the municipalities at significant legal risk.
Bill S7246 allocates an initial $5 million to the fund that is expected to help secure the infrastructure of countless villages, towns and cities within the state, many of them rural. This is far too little to even begin to reduce ransomware infections in these areas, much less guarantee they won't happen. Making these funds available to upgrade the infrastructure, and especially to train employees to avoid phishing attacks, the most common way these attacks succeed, without the strings attached regarding the option of payment, would be a far better approach.