Prohibited from paying ransoms to recover data, government entities must proactively create more robust cybersecurity programs
Ransomware schemes cost organizations in the U.S. and other countries millions of dollars, much of it spent restoring encrypted data and systems so that business operations can resume. Ransomware is a form of malware that encrypts files on a device and renders them unusable unless a ransom is paid for the decryption key; paying does not guarantee that the files will actually be restored.
One of the most active ransomware groups in the world has targeted over 2,000 victims, demanded ransoms totaling hundreds of millions of dollars, and extorted more than $120 million in ransom payments.
Ransomware remains a profitable business, which is why it continues unabated, and why U.S. federal and state legislation has been enacted to compel more effective cybersecurity practices among government entities and the organizations that work with them.
New Federal Legislation Requires Reporting of Ransomware Incidents
Enacted two years ago, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) represents an important milestone in improving America's cybersecurity. The Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the agency. CISA is responsible for protecting the nation's critical infrastructure from physical and cyber threats, including ransomware. Reporting and data sharing are a vital component of that protection in both the public and private sectors.
Timeline for Law to Take Effect. Because CIRCIA grants CISA certain regulatory powers, CISA must complete mandatory rulemaking before the reporting requirements take effect. To that end, CISA developed a Notice of Proposed Rulemaking, which was published in the Federal Register on April 4, 2024 and is open for public comment until June 3, 2024. All agency and public comments will be considered in developing the Final Rule, which CISA must publish no later than October 4, 2025.
Voluntary Reporting is Encouraged Now. Cyber incident and ransomware payment reporting under CIRCIA will be mandatory once the CIRCIA Final Rule goes into effect. Until then, all entities are urged to share cyber incident information with CISA on a voluntary basis. When information is shared quickly, damage control can be much more effective. CISA can rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to identify trends, and quickly share that information with network defenders to warn other potential victims.
Addressing ransomware is an important element of the Act, which encompasses several initiatives, including:
- Ransom Payment Reporting. CIRCIA requires CISA to develop and issue regulations requiring covered entities to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and to report any ransom payment resulting from a ransomware attack within 24 hours of making it. CISA must also share such reports with designated federal agencies.
- Ransomware Vulnerability Warning Pilot Program. CISA must establish a pilot program to identify systems that are vulnerable to ransomware attacks and is authorized to notify the owners of those systems.
- Joint Ransomware Task Force. Building on the important work already underway, CISA has launched a Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks.
CISA encourages all organizations to share information about unusual cyber activity and cyber incidents via cisa.gov/report.
Florida Leads in Assertive State Ransomware Laws
Amending the state’s landmark Cybersecurity Act of 2021, House Bill 7055 took effect July 1, 2022. It requires the Florida Digital Service (FLDS) and state agency heads to further strengthen cybersecurity by complying with specific new requirements. Following are highlights.
- Creates new criminal penalties and fines for ransomware offenses against government entities.
- Prohibits state agencies and local governments from paying ransoms or otherwise complying with ransomware demands.
- Requires state agencies and local governments to promptly report ransomware and other high-severity cyber incidents to the Cybersecurity Operations Center and Office of Cybercrime within the Florida Department of Law Enforcement. Local governments must also report to the local sheriff.
- Requires employees of state agencies and local governments to undergo cybersecurity training within 30 days of employment and annually thereafter.
- Requires local governments to adopt cybersecurity standards that safeguard the local government’s data, information technology, and information technology resources.
- Defines the severity level of a cybersecurity incident in accordance with the National Cyber Incident Response Plan—a national blueprint for handling significant cyber incidents that integrates the roles of the private sector, state and local governments, and multiple federal agencies in responding to incidents.
- Requires state agencies and local governments to report low-level cyber incidents, and to submit after-action reports to FLDS following a cybersecurity or ransomware incident.
- Requires the Cybersecurity Operations Center to notify the President of the Senate and Speaker of the House of Representatives of high-severity cybersecurity incidents. The notice must contain an overview of the incident and its likely effects.
- Requires the Cybersecurity Operations Center to provide the President of the Senate, Speaker of the House, and Cybersecurity Advisory Council with a consolidated incident report on a quarterly basis.
- Requires the Cybersecurity Advisory Council to submit an annual comprehensive report regarding ransomware to the Governor, President of the Senate, and Speaker of the House.
- Expands the purpose of the Cybersecurity Advisory Council to include advising local governments on cybersecurity and requires the Council to examine reported cybersecurity and ransomware incidents to develop best practice recommendations.
Under Florida law, the required cybersecurity standards and processes must be consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), one of the most widely adopted cybersecurity frameworks in the U.S. The HITRUST CSF is another comprehensive and popular cybersecurity framework.
A new cybersecurity law in North Carolina also took effect in 2022. It prohibits state agencies and local governments from communicating with cybercriminals during a ransomware attack and from paying ransoms if they become victims of an attack. The intent of this law is to discourage ransomware criminals from targeting agencies and local governments in North Carolina, since they will reap no profits. In practice, the law requires state agencies and local governments, including public schools and universities, to become much more proactive in safeguarding their data so that they can withstand a ransomware attack without paying.
Several other states have pending legislation under review, including Pennsylvania and Texas.
How to Avoid Becoming a Ransomware Target
Proactive cybersecurity measures are crucial to robust cybersecurity programs that effectively safeguard sensitive federal and state information and reduce vulnerability to ransomware and other cybercrimes. The following measures are recommended by the FBI.
- Keep systems and software up to date and install a strong, reputable antivirus program.
- Be careful when connecting to public Wi-Fi networks and do not conduct any sensitive transactions, including purchases, on public networks.
- Create a strong and unique passphrase for each online account and do not use the same password across multiple accounts.
- Set up multifactor authentication on all accounts that allow it.
- Examine the sender's actual email address, not just the display name, in all correspondence, and scrutinize website URLs before responding to a message or visiting a site. (Hover the cursor over the name in the "From" field to reveal the underlying address, and over a link to reveal its real destination.)
- Don’t click on links, buttons, or images in unsolicited emails or text messages.
- Don't send payments to unknown people or organizations who are seeking urgent, immediate monetary support.
In addition, employees and management should receive regular cybersecurity awareness training, including how to recognize phishing schemes, which often lead to ransomware attacks.
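The sender-address and link checks in the list above can be automated for a mail gateway or a training exercise. The following script is an added example, not code from the article or from the FBI: it parses a raw message, flags a "From" display name that claims a domain the real address does not have, a Reply-To that routes replies to a different domain, and a link whose visible text shows one site while its href points to another or to a bare IP address. Both sample messages are constructed for illustration, and the last-two-labels domain comparison is a simplifying assumption (no public-suffix list).

```python
# Added example (not from the article or the FBI): automate two of the
# checks in the list above on a raw message.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first impersonates a
# state agency; the second is a benign message for comparison.
SAMPLE_EMAIL = """\
From: "digital.fl.gov Help Desk" <helpdesk@fl-digital-service-support.com>
Reply-To: payments@mail-relay.example.net
To: clerk@example.gov
Subject: Urgent: verify your account today
Content-Type: text/html

<p>Your account will be locked in 24 hours. Verify now:</p>
<a href="http://fl-digital-service-support.com/login">https://digital.fl.gov/login</a>
"""

CLEAN_EMAIL = """\
From: "County IT Help Desk" <helpdesk@example.gov>
To: clerk@example.gov
Subject: Portal maintenance window
Content-Type: text/html

<p>The portal is back online:</p>
<a href="https://example.gov/portal">https://example.gov/portal</a>
"""

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Approximate the owning domain by the last two labels.
    Assumption: no public-suffix list, so hosts under suffixes such as
    co.uk are compared on their last two labels only."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _body(msg) -> str:
    """Return the text/plain and text/html parts as one string."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "".join(parts)


def analyze_email(raw: str) -> list[str]:
    """Return warnings for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    warnings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])

    # 1. The display name claims a domain that the real address does not have.
    for claimed in DOMAIN_RE.findall(display_name):
        if registrable_domain(claimed) != from_domain:
            warnings.append(f"display name mentions {claimed} but address is {from_addr}")

    # 2. Replies are routed to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable_domain(reply_addr.rpartition("@")[2]) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Link text shows one site while the href goes to another (or to a bare IP).
    for href, text in ANCHOR_RE.findall(_body(msg)):
        href_host = urlparse(href).hostname or ""
        if IPV4_RE.fullmatch(href_host):
            warnings.append(f"link points at raw IP address {href_host}")
            continue
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and href_host and registrable_domain(shown.group(0)) != registrable_domain(href_host):
            warnings.append(f"link text shows {shown.group(0)} but href goes to {href_host}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze_email(raw) or "no warnings")
```

Run against the constructed lure, the script reports all three tricks (a spoofed display name, a diverted Reply-To, and a link whose text and target disagree), while the benign message produces no warnings. A production filter would replace the last-two-labels comparison with a public-suffix list and add checks for lookalike domains and homoglyphs, which this example does not attempt.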
Summary
Ransomware continues to be a highly profitable business for cybercriminals, and costs organizations millions of dollars each year. In response, U.S. federal and state ransomware laws have been enacted to compel more effective cybersecurity behaviors. At the federal level, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
At the state level, Florida is a leader in specifying more effective cybersecurity practices among state agencies and local governments, which are attractive ransomware targets. The new Florida ransomware law imposes criminal penalties and fines for ransomware offenses, prohibits state and local entities from paying ransoms and otherwise complying with ransomware demands, and requires that ransomware and other high-severity cyber incidents be reported promptly to designated authorities.