Across the U.S., states and territories are working to establish cybersecurity training requirements, standardized security policies and incident response plans to help reduce the risk of falling victim to a costly ransomware attack.
By Casey Dolen
Ransomware, malware that encrypts or locks a victim's data and systems until an extortion payment is made, is on the rise. Recent reports of ransomware trends are alarming: Cybersecurity Ventures estimated that an attack occurred every 11 seconds in 2021, and average ransom payments reached $812,000. Attackers are becoming more sophisticated in their methods, and this criminal activity is increasingly carried out by cyber gangs that operate not unlike legitimate businesses, outsourcing their work, investing in recruiting top talent and growing their operations to meet (illicit) market demand.
In 2021, America also saw an increase in attacks against the critical infrastructure sectors that provide essential services to citizens, including electricity, healthcare, water, communications technology, transportation and more. In response, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in March 2022. A key feature of CIRCIA is a requirement that critical infrastructure owners and operators report covered cyber incidents to the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and any ransomware payment within 24 hours of making it, to enable a coordinated response to the incident and mitigate subsequent damage.
While the requirements outlined in CIRCIA will not take effect until CISA completes a formal rulemaking process, state policymakers are actively enacting their own measures to combat ransomware losses.
In April, North Carolina became the first state to prohibit state and local government agencies from paying a ransom demand to an attacker who has compromised their systems. Under this new law, affected agencies must report the ransomware attack to the North Carolina Department of Information Technology and refrain from communicating or negotiating with the attacker. In July, Florida enacted similar legislation, which also requires its state and local government entities to report a ransomware incident within 12 hours of discovery.
The move to call out ransomware explicitly in legislation is a growing trend across the country, signifying the urgency of the threat. Currently, there are ransomware-related bills pending in Arizona, New York, Pennsylvania and Texas, all aimed at restricting ransom payments to varying extents. More broadly, several states – including Indiana, New Hampshire, North Dakota, Virginia and West Virginia – have passed cybersecurity incident reporting laws that set deadlines for notifying the state government of cybersecurity incidents.
Across the U.S., states and territories are pushing their government agencies to establish cybersecurity training requirements, standardized security policies and incident response plans, which is a powerful step to elevate the importance of baseline cyber hygiene and reduce the risk of falling victim to a costly ransomware attack.