New York State Wants To Ban Government Agencies From Paying Ransomware Demands (zdnet.com)
Two New York state senators proposed two bills last week to ban local municipalities and other government entities from using taxpayer money for paying ransomware demands. From a report: The first bill (S7246) was proposed by Republican NY Senator Phil Boyle on January 14. The second bill (S7289) was introduced by Democrat NY Senator David Carlucci, two days later, on January 16. Both bills are under discussion in committee, and it is unclear which will move forward to a vote on the Senate floor.
Both S7246 and S7289 have similar texts. The only difference between the two is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture. "The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government," the text of the S7246 bill reads.
Re:Good (Score:5, Insightful)
This is basically a negotiation with criminals. And it makes good sense to ban it.
Negotiating with criminals always lets the criminals come out ahead.
If you refuse to even listen to them, it frustrates them and teaches them that they're wasting their time trying to get you to negotiate. Negotiating with them just gives them a reason to threaten you, because then they can try to get something in return out of you.
And then there's the whole "funding the criminals" and "teaching them to treat you as an income source and come back for more / increasing their war chest"
It's easy to see why an individual might pay off a bitlocker, they're being selfish and only considering what they personally might lose. After they've paid off the gang and the gang uses the money to pay for more bot time to hack more computers, it just ends up harming more people. You win, at the cost of a bunch of other people losing. Very selfish.
But when you look at an organization like "the government" or "your city government" even, you have to start to consider how your selfish behavior can threaten to harm other members of your own organization. "If we got a payoff by bitlocking the city courthouse records, I bet they'll pay us off again if we can hack the fire department or police department computer systems!" Now that selfish behavior comes back to bite you, as you haven't just rewarded them for their criminal behavior and boosted their war chest to go after other innocent people, now they've got reason to come after YOU again. And that's pretty much why they're making this decision to ban it. It's still a selfish decision in the end, but at least it's looking at the bigger picture.
Re: (Score:1)
I've said before, a person can't ignore everyone. That applies doubly when using a computer system designed to connect to the world and triply when using 'look at me' social media (e.g. Facebook, Twitter, Instagram). This is why isolation and recovery protocols (that is, offline-ing and back-ups) are mandatory. This bill isn't demanding responsibility and mitigation, it's demanding the government has more rights than the criminals.
Yes, not paying means criminals are discouraged from repeating the crime. B
Re: Good (Score:2)
You should treat a ransom as the terrorist attack that it was. No different than the Oklahoma City bombing. Your computers are destroyed, do the best you can to recover. Under no circumstances should you ever pay a ransom. Paying a ransom is no different than a deal with the devil that spares your life in exchange for killing two random strangers elsewhere. It is just kicking the can down the road to the next victim. You did not fix anything, you actually made the whole thing worse by paying the r
What about forced chargebacks (Score:2)
What about forced chargebacks even after XX days
Insurance payouts (Score:4, Interesting)
Neither version of the bill says anything about taxpayers funding high cyber-security insurance premiums that might happen to cover ransom payouts. And it would be hard to say whether such payment would hold up in court as allowed or not.
Re: (Score:2)
Don't the insurance companies insist that they have proper backups? Around here they at least jack the premiums up a lot if you don't have proper security, so it's cheaper to do the right thing.
Re: (Score:3)
Ransoms paid through insurance are paid BY the insurance company - not the insured.
Don't pay the terrorists law? (Score:2)
I get where they're coming from but if the 911 call center or government assistance programs get locked out due to ransomware - paying it off may be the best, if not only, solution. (And then sue the IT department and further harden your PCs)
Re: (Score:2)
Well, no, not even then. Especially not even then. You'll solve a big problem that once, and then have twenty more big problems a year later. Same idea as not letting people pay ransom for children. It sucks. It sucks more than any human can likely imagine. But you don't make it illegal, bang, you've got kidnapping becoming an industry. It has happened. It is happening right now.
It isn't always evil to pay a ransom, but it should always be illegal.
Re: (Score:2)
I agree - but I don't recall paying a ransom being ILLEGAL.
Re: (Score:2)
If you did recall that you would be wrong. Hence the bill being proposed to make this ILLEGAL.
Like all good ideas in government, someone will likely muck this up, but hopefully it goes through.
Re: (Score:1)
It depends on the country, the time period, and oftentimes the kind of ransom. There's gobs of reading on the subject if you want to get into both sides of this particular debate, and what results various countries have had when they allow things like K&R insurance. Or you can watch "Man on Fire" if you want a more cinematic opinion.
Re: (Score:2)
Same idea as not letting people pay ransom for children. It sucks. It sucks more than any human can likely imagine.
Speaking as a parent, if someone tried to tell me that it was worth it to society to let my children be killed, raped, or tortured instead of paying a ransom, I'd tell them to fuck themselves with a cream cheese dildo while I went to the bank. Then walk into jail with my head held high.
I'd have a harder time deciding what to eat for lunch.
Re: (Score:1)
Well, I guess...thanks for supporting my point that it's not always evil but should always be illegal?
Prisoner's dilemma (Score:2)
I get where they're coming from but if the 911 call center or government assistance programs get locked out due to ransomware - paying it off may be the best, if not only, solution. (And then sue the IT department and further harden your PCs)
This is the classic prisoner's dilemma, and the resolution depends on your goal horizon.
If your 911 system is down, the immediate goal horizon is getting that system up and running, so paying the ransom is the best deal for the near term.
However, the criminals are now emboldened by success and will then go on to compromise other 911 systems.
So locally you can prevent a few avoidable deaths by paying the ransom and getting 911 back online sooner, but the overall effect is to cause *more* avoidable deaths in
Re: (Score:2)
can they pay the ransom and then after they get the key force the bank to undo the change?
Re: (Score:1)
What happens you see, is you pay the ransom, and on your credit card bill it just says "Commercial Barriers Inc." and all keys are delivered in discreet brown packaging. Due to this obfuscation it's impossible for the banks to do anything.
Re: (Score:2)
Government agencies have more control over the banks than others.
Also, Ban porn at work. (Score:2, Insightful)
Want to stop this crap, block porn sites at work.
You know that old saying about internet companies, that if you aren't paying then you aren't the customer? Think about that. Who is paying the porn sites? No one, they give everything away for free. Maybe it's advertisers... to other porn sites? All that bandwidth and paying their actresses is expensive. Who is paying?
Eastern European hackers that fill the sites with traps. That's who.
Re: (Score:1)
If I remember the news correctly, it's porn AND religious sites that are the biggest risk factors.
Re: (Score:2)
Citation, please.
My understanding was it was porn sites and pirated content sites that carried the biggest risk. Where was it mentioned that religious content was just as risky?
Re: (Score:2)
Me saying I read it in the news should imply I take it with a grain of salt. It should also imply the claim is such great clickbait that you can't swing a dead cat without getting it in an even remotely appropriate search.
But here's an article that actually bothers to link to its source material: https://www.pcworld.com/articl... [pcworld.com]
Also a later study about how various industry websites are bigger threats than porn sites:
https://www.makeuseof.com/tag/... [makeuseof.com]
Re: Also, Ban porn at work. (Score:2)
Just saying it is so much easier than backing it up.
Re: (Score:2)
From a Symantec report
https://www.pcworld.com/articl... [pcworld.com]
Religious and ideological websites can carry three times more malware threats than pornography sites, according to research from security firm Symantec.
Re: (Score:2)
Re: Also, Ban porn at work. (Score:2)
I'm good with that.
Re: (Score:2)
Where the heck do you work? At my work, it is already effectively blocked, and if someone was to figure a way around it and someone caught them, immediate termination, that afternoon, you are gone. It may also be against the law, depending on where you work (and what you are working on, particularly, government contracts).
Re: (Score:2)
it should be illegal to pay ransomware (Score:2)
In theory this should make them not be targets (Score:3)
If the government target was truly prohibited from paying you, then targeting them is a waste of your time.
Re: (Score:2)
Re: (Score:2)
It would only be a waste of time if the direct payout was the primary objective.
is it all bad? (Score:3)
These attacks aren't the worst threats. They are just the visible ones. Far worse is for government systems to be penetrated and quietly used for intelligence gathering or manipulated in ways not easily caught.
But, these highly visible attacks are the ones that ignite action and cause systems to become better protected.
Given all that, it might be interesting to limit the payouts to something like $500 and a requirement that the attack vector be divulged. Even better, publish a payload for the attackers to place on the system in lieu of actually encrypting the drives. The payload could notify administrators of the payout requirement and how it got put there. The black hats would be turned into de facto white hats.
Ransomware should be treated.. (Score:2)
..exactly like hardware failure
Restore from backup
If you have no backup, you have learned an important lesson
How does this still happen? (Score:2)
How can gov't and major corporations fall prey to ransom-ware?
They should have a plan in place to recover their machines and data. And, they should test that plan regularly to ensure the plan and backups work.
It only takes one successful attack to demonstrate the value of hiring well-trained and competent IT and security professionals.
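The "restore from backup" and "test that plan regularly" advice in the last two posts is only as good as the check behind it: a backup that was silently overwritten or encrypted before the drill restores cleanly and still fails. The following is an added example, not code from any commenter or from the bills discussed: a small Python restore drill that records a SHA-256 manifest when the backup is taken, restores the snapshot into a scratch directory, and compares every file against the manifest, flagging missing, altered and unexpected files. The sample "records" tree, the paths and the function names (make_backup, verify_restore, run_restore_drill) are all constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # kept beside the snapshot, not inside it


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_root: Path) -> Path:
    """Copy the source tree to backup_root/snapshot and write a hash manifest for it."""
    snapshot = backup_root / "snapshot"
    shutil.copytree(source, snapshot)
    manifest = {
        p.relative_to(snapshot).as_posix(): sha256_of(p)
        for p in sorted(snapshot.rglob("*"))
        if p.is_file()
    }
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_restore(backup_root: Path, restore_dir: Path) -> dict:
    """Restore the snapshot into restore_dir and check it file-by-file against the manifest."""
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    shutil.copytree(backup_root / "snapshot", restore_dir)
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)            # file listed in manifest never came back
        elif sha256_of(target) != expected:
            mismatched.append(rel)         # content differs from what was backed up
    restored = {
        p.relative_to(restore_dir).as_posix()
        for p in restore_dir.rglob("*")
        if p.is_file()
    }
    unexpected = sorted(restored - manifest.keys())  # files nobody backed up
    return {
        "ok": not (missing or mismatched or unexpected),
        "missing": missing,
        "mismatched": mismatched,
        "unexpected": unexpected,
    }


def run_restore_drill() -> dict:
    """Constructed drill: a clean restore, then a restore from a backup copy that was overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "records"                      # constructed sample data
        (source / "court").mkdir(parents=True)
        (source / "court" / "docket.csv").write_text("case,status\n1001,open\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        backup_root = root / "backup"
        backup_root.mkdir()
        snapshot = make_backup(source, backup_root)

        clean = verify_restore(backup_root, root / "restore_clean")

        # Simulate the backup copy itself being damaged after the manifest was written:
        # one file overwritten with unreadable content, one stray file added.
        (snapshot / "court" / "docket.csv").write_bytes(b"\x00unreadable\x00")
        (snapshot / "court" / "docket.csv.locked").write_bytes(b"junk")

        tampered = verify_restore(backup_root, root / "restore_tampered")
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest is written outside the snapshot directory on purpose: a check that reads its expected hashes from the same tree it is verifying proves nothing once that tree is rewritten. In a real drill the manifest would be stored separately (or signed) and the restore target would be a machine that never touched the production network.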