Different Reactions From the Cybersecurity Community Regarding the Ransomware Bill

Insights into the proposed bill on ransomware attacks and the possible effect.

Oct. 13, 2021, 10:04 p.m.

TL;DR

A bill has been proposed requiring victims to disclose information about ransomware attacks to the authorities to help them combat and manage the attacks.

This information would help the DHS provide security steps and guidelines to the public to prevent more organizations from falling victim.

Key Facts

1
A law regarding the information surrounding ransomware payment is being proposed.
2
A 48hr timeframe would be given to victims of ransomware payment to disclose the information to the DHS (United States Department of Homeland Security).
3
The community of cybersecurity members is expressing a range of mixed reactions to the bill.
4
Members of the cybersecurity community opposing the bill note that the victims might further be affected if the information is disclosed.
5
Supporters of the bill note that the information would help to bring the ransomware attacks under control.

Details

In the wake of the recent surge in ransomware attacks, the U.S government has proposed a law that makes it compulsory for organizations that fall victim to ransomware attacks to disclose all information regarding payments to the authorities.

The law was introduced by Senator Elizabeth Warren and supported by Representative Deborah Ross and is directed at providing all necessary information that would help track and monitor the attackers' activities to the Department of Homeland Security, DHS. This information would help the DHS provide security steps and guidelines to the public to prevent more organizations from falling victim.

Ransomware victims would be compelled by the law to provide all information, including but not limited to the cryptocurrency used in making the ransom payment. The amount paid and all other information about the attackers should be disclosed within 48hours of payment.

Yearly, the DHS would, in turn, publish all information that it had been provided within the previous year on a website designed for reporting these attacks. However, the information from the DHS would not contain information about the victims but would link to necessary steps to take to prevent these attacks.

The proposed bill is receiving criticism as well as support from the cybersecurity community. From the people concerned about the news, the technical director of a CTO team at VetraAI Inc, Tim Wade, noted that the disclosure might not be in the best interest of the victims and their shareholders. He also noted that the law would invade the privacy and liberty of the affected individuals.

The founder of ImmuniWeb SA, Ilia Kolkchenko, also one of the persons opposing the bill, expressed the possibility of the DHS being overwhelmed by the number of reports it would receive and that the budget would not be increased to accommodate this. He suggested that the DHS join with the other law enforcement agencies to manage the attackers. The provided information should not be made public, as this would further put the victims at a disadvantage.

While the major point being made by the members of the community supporting the bill is that it would help curtail the attacks. The Vice President of the public sector at Thycotic Centrify pointed out that it would help the victims realize how common the attacks are and reduce the associated stigma. Kevin Dunne of Pathlock Inc noted that only complete information could help the government make progress.