The Ransom Disclosure Act would give victims 48 hours to report payments
Victims of ransomware attacks in the United States may soon have to report any payments to hackers within 48 hours, according to a new legislation proposal titled the ‘Ransom Disclosure Act’.
The bill was drafted by U.S. Senator Elizabeth Warren and Representative Deborah Ross, and its goal is to strengthen DHS’s (Department of Homeland Security) understanding of how cybercriminal gangs operate.
As the Senator stated, ransomware attacks are on the rise despite the multi-faceted efforts to tackle the problem, so getting to learn more about how money circulates in the underground may help the authorities develop and implement more effective disruption and prevention strategies.
Also Read: 7 Principles of Personal Data Processing
The four main points of the Ransom Disclosure Act are the following:
- Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
- Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
- Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
- Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.
The approach of forcing victims to disclose payments to hackers has always been met with controversy, as many believe that it would merely result in making ransomware attack repercussions more severe.
This strategy could lead to occasions where the business disruption would be lengthened and restoration of normal operations would be delayed due to the additional scrutiny.
The case becomes particularly complicated when the ransom payment ends up in the pockets of an entity that is sanctioned in the U.S.
The Treasury Department has recently updated its advisory to American companies, to emphasize that they are prohibited from paying actors in embargoed countries and entities in the SDN List. In many cases, this alone could deadlock a victimized company.
It is expected that a stricter legal context will push firms to adopt more robust security practices, following better backup strategies, and generally upgrading their stance against ransomware actors.
However, eliminating the risk completely is practically impossible, so in many cases, the Ransom Disclosure Act will just play the role of an additional burden. If this “weight” will end up having positive effects in the long term, as Senator Warren believes, it remains to be seen.
Of course, for all that to take effect, the bill will first have to pass through a Senate voting, then the House of Representatives, and finally to be signed by U.S. President Joe Biden.