Two New York state senators proposed bills to ban local governments from paying ransomware demands with taxpayer money.
The bills, S7246 and S7289, are virtually the same except S7246 proposes to create a state fund to help municipalities strengthen their cyber-security. This is the first time states have proposed such a law.
Why is this happening?
In 2019 alone, there have been over 100 reported ransomware attacks across the U.S. against government entities and municipalities.
Texas suffered from 9 separate attacks. Florida had 8 and New York, Connecticut, and North Carolina each had 6 reported attacks.
Moreover, 37 of the 104 ransomware attacks, or 35.5%, were committed against schools. This isn’t surprising considering the fact that schools are particularly easy targets.
The reasons for this are simple: schools lack security. They lack security because they have limited budgets.
Neglecting cyber security has been a practice for businesses and governments alike, and now the consequences are being felt. In fact, school ransomware attacks are so problematic that the United States Senate also introduced a bill in December that would mandate bolstering the cyber security and infrastructure of schools.
The problems aren’t just the schools, however. Six-figure payments have been made to hackers freezing stolen data from other government facilities in cities like Riviera Beach, Fla., New Orleans and 22 separate municipalities in Texas.
In New York specifically, the Albany County Airport Authority chose to pay out a ransom demand, and two school districts were infected by ransomware within a two-month period.
Last July, the US Conference of Mayors adopted a resolution declaring they would not pay ransom demands after an attack and presented their cyber security plans, but the resolution was informal and toothless.
The bill indicates something cyber security experts have been saying for years: if our society doesn’t prepare itself for the digital age, it will cost everyone. Luckily for governments, they were able to rely on tax money to pay a ransom. The question is, what about a small, private business with no cyber security plan in place?
Who Really Pays?
The main point is, this type of negligence always costs. An article released by the New York Times stated that in 2019, 205,280 organizations turned in files that were eventually hacked in a ransomware attack.
Furthermore, the average payment went up to $84,116 towards the end of 2019.
Ransomware attacks have led to the shutdown of numerous businesses as well. The Heritage Company was forced to send more than 300 employees home after their IT department failed to recover last October.
The Heritage Company is by no means an isolated case. In fact, one in five businesses are forced to shut down after a ransomware attack according to a report by the security firm Malwarebytes.
All of the experts warn that cyber-attacks are becoming more sophisticated, targeted and costly.
Ransomware is the most damaging form of cyberattack because both businesses and governments haven’t kept up with security.
It’s as if someone invented a buzz saw and banks kept all of their money behind a wooden door.
They’re Getting Away With IT
As for the robbers, tracking them down has proven difficult because they ask for ransom in the form of bitcoin. Bitcoin is untraceable and can be encrypted to ensure anonymity.
Riviera Beach, Fla., another victim of ransomware, agreed to pay over $600,000 to criminals and they still haven’t been identified. With payouts like those, ransomware attacks are not going away.
The F.B.I. said it received nearly 1,500 ransomware reports in 2018 and the agency acknowledges all report numbers are under-reported. In other words, the problem is even bigger than anyone knows.
What New York is doing only begins to scratch the surface of this epidemic.
Cities like Lake City, Fla., are rushing to improve and strengthen their backup systems and infrastructure. It’s even adopted a cloud-based backup system that costs $60,000 a year.
Then again, what would you pay to protect your business?