Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security United States IT Technology

New York State Wants To Ban Government Agencies From Paying Ransomware Demands (zdnet.com) 40

Two New York state senators proposed two bills last week to ban local municipalities and other government entities from using taxpayer money for paying ransomware demands. From a report: The first bill (S7246) was proposed by Republican NY Senator Phil Boyle on January 14. The second bill (S7289) was introduced by Democrat NY Senator David Carlucci, two days later, on January 16. Both bills are under discussion in committee, and is unclear which will move forward to a vote on the Senate floor.

Both S7246 and S7289 have similar texts. The only difference between the two is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture. "The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government," the text of the S746 bill reads.

This discussion has been archived. No new comments can be posted.

New York State Wants To Ban Government Agencies From Paying Ransomware Demands

Comments Filter:
  • What about forced change backs even after XX days

  • Insurance payouts (Score:4, Interesting)

    by omnichad ( 1198475 ) on Friday January 24, 2020 @04:44PM (#59653246) Homepage

    Neither version of the bill says anything about taxpayers funding high cyber-security insurance premiums that might happen to cover ransom payouts. And it would be hard to say whether such payment would hold up in court as allowed or not.

    • by AmiMoJo ( 196126 )

      Don't the insurance companies insist that they have proper backups? Around here they at least jack the premiums up a lot if you don't have proper security, so it's cheaper to do the right thing.

  • I get where they're coming from but if the 911 call center or government assistance programs get locked out due to ransomware - paying it off may be the best, if not only, solution. (And then sue the IT department and further harden your PCs)

    • Well, no, not even then. Especially not even then. You'll solve a big problem that once, and then have twenty more big problems a year later. Same idea as not letting people pay ransom for children. It sucks. It sucks more than any human can likely imagine. But you don't make it illegal, bang, you've got kidnapping becoming an industry. It has happened. It is happening right now.

      It isn't always evil to pay a ransom, but it should always be illegal.

      • I agree - but I don't recall paying a ransom being ILLEGAL.

        • If you did recall that you would be wrong. Hence the bill being proposed to make this ILLEGAL.

                Like all good ideas in government, someone will likely muck this up, but hopefully it goes through.

        • It depends on the country, the time period, and oftentimes the kind of ransom. There's gobs of reading on the subject if you want to get into both sides of this particular debate, and what results various countries have had when they allow things like K&R insurance. Or you can watch "Man on Fire" if you want a more cinematic opinion.

      • Same idea as not letting people pay ransom for children. It sucks. It sucks more than any human can likely imagine.

        Speaking as a parent, if someone tried to tell me that it was worth it to society to let my children be killed, raped, or tortured instead of paying a ransom, I'd tell them to fuck themselves with a cream cheese dildo while I went to the bank. Then walk into jail with my head held high.

        I'd have a harder time deciding what to eat for lunch.

    • I get where they're coming from but if the 911 call center or government assistance programs get locked out due to ransomware - paying it off may be the best, if not only, solution. (And then sue the IT department and further harden your PCs)

      This is the classic prisoner's dilemma, and the resolution depends on your goal horizon.

      If your 911 system is down, the immediate goal horizon is getting that system up and running, so paying the ransom is the best deal for the near term.

      However, the criminals are now emboldened by success and will then go on to compromise other 911 systems.

      So locally you can prevent a few avoidable deaths by paying the ransom and getting 911 back online sooner, but the overall effect is to cause *more* avoidable deaths in

      • can they pay the ransom and then after they get the key force the bank to undo the change?

        • What happens you see, is you pay the ransom, and on your credit card bill it just says "Commercial Barriers Inc." and all keys are delivered in discrete brown packaging. Due to this obfuscation it's impossible for the banks to do anything.

  • Want to stop this crap, block porn sites at work.

    You know that old saying about internet companies, that if you aren't paying then you aren't the customer? Think about that. Who is paying the porn sites? No one, they give everything away for free. Maybe it's advertisers... to other porn sites? All that bandwidth and paying their actresses is expensive. Who is paying?

    Eastern European hackers that fill the sites with traps. That's who.

    • If I remember the news correctly, it's porn AND religious sites that are the biggest risk factors.

    • If you're going to ban porn, then you might as well ban all web ads.
    • Where the heck do you work? At my work, it is already effectively blocked, and if someone was to figure a way around it and someone caught them, immediate termination, that afternoon, you are gone. It may also be against the law, depending on where you work (and what you are working on, particularly, government contracts).

    • blocking porn will only block a very small portion of attack vectors, it comes via mail, religious sites, torrent sites, dodgy forum sites and a fuck ton of others. The best defense is ensuring your infrastructure has proper security restrictions around what a user can do if compromised (none of this bullshit or relying on crunchy exterior (firewalls/proxies) to protect you because they WON'T, then ensuring proper verified backups.
  • all that does is show the criminals that their crimes are profitable, instead there should be white hat hackers hunting them down so swat teams can go in a raid the culprets and use lethal force if necessary
  • by Blitter ( 15795 ) on Friday January 24, 2020 @05:35PM (#59653432)

    If the government target was truly prohibited from paying you, then targeting them is a waste of your time.

    • by mark-t ( 151149 )
      Of course, but more likely than not, victims of ransomware are not specifically targetted in the first place. So it may well be a waste of anyone's time to target an organization that won't pay the ransom, but not being specifically targetted is unlikely to affect the rate at which it occurs.
    • It would only be a waste of time if the direct payout was the primary objective.

  • by RhettLivingston ( 544140 ) on Friday January 24, 2020 @05:56PM (#59653508) Journal

    These attacks aren't the worse threats. They are just the visible ones. Far worse is for government systems to be penetrated and quietly used for intelligence gathering or manipulated in ways not easily caught.

    But, these highly visible attacks are the ones that ignite action and cause systems to become better protected.

    Given all that, it might be interesting to limit the payouts to something like $500 and a requirement that the attack vector be divulged. Even better, publish a payload for the attackers to place on the system in lieu of actually encrypting the drives. The payload could notify administrators of the payout requirement and how it got put there. The black hats would be turned into de facto white hats.

  • ..exactly like hardware failure
    Restore from backup
    If you have no backup, you have learned an important lesson

  • How can govâ(TM)t and major corporations fall prey to ransom-ware?

    They should have a plan in place to recover their machines and data. And, they should test that plan regularly to ensure the plan and backups work.

    It only takes one successful attack to demonstrate the value of hiring well-trained and competent IT and security professionals.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...