A pair of U.S. lawmakers are introducing a bill designed to improve information sharing on ransomware threats by requiring organizations that pay the ransom to disclose information on the payment and attack to the Department of Homeland Security.
The bill is designed to bolster the U.S. government’s understanding of how cybercriminal enterprises like ransomware groups operate and develop a more complete picture of the ransomware threats facing U.S.-based organizations.
Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) announced the bill in a press release Wednesday, which cites several statistics about the growing threat of ransomware, including the increasing rate of ransomware attacks and the large spike in the average ransomware payment, which the legislators say is now over $300,000.
Ransomware victims are currently not required to report attacks or payments to federal authorities, and the lawmakers say that is keeping federal law enforcement in the dark about the operations, habits and other data required to fight back against ransomware operators.
Prompted by that same increase in ransomware attacks, the federal government has recently stepped up its cybersecurity efforts, bolstering CISA and requiring more stringent cybersecurity defenses across the federal government. However, state and local governments, along with the private sector, are still largely on their own when it comes to fighting ransomware. Further, organizations can be hesitant to disclose ransomware attacks due to negative publicity and other considerations.
The proposed law will require organizations to disclose information about ransomware payments no later than 48 hours after the date of payment. That information includes the amount paid, type of currency used and any information about the group demanding the ransom.
The law also requires DHS to make that information public, but in a way that protects the identity of the victims.
In addition, the law proposes a DHS website through which individuals can report payment of ransoms.
Finally, the law will direct the DHS to conduct a study on commonalities among ransomware attacks and the role of cryptocurrency, and to provide recommendations for protecting IT systems.
In a statement, Warren said ransomware attacks are skyrocketing while federal agencies are lacking critical data to counter the attacks.
“My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them,” Warren said.