The North Carolina House of Representatives on Wednesday unanimously passed legislation that would prohibit state and local agencies from paying ransomware demands or communicating with criminal actors who attempt to encrypt government networks or steal data.
The ban, introduced by state Rep. Jason Saine, would also apply to schools, state universities and community colleges throughout North Carolina. It would also increase the reporting requirements for covered organizations in informing the state Department of Information Technology that they’ve been the victim of a ransomware incident.
Saine introduced his bill May 4, just days before Colonial Pipeline, the largest fuel transporter in the eastern United States, shut down its 5,500-mile network because of a ransomware infection, prompting people in several states — including North Carolina — to panic-buy gasoline. At one point, as many as 70% of gas stations in North Carolina reported being completely sold out, according to GasBuddy, a mobile app that helps people find cheap gas.
The FBI has attributed the incident to a malware group known as DarkSide, and President Joe Biden this week signed an executive order aimed at improving the federal government’s insight into cyberattacks that target the private sector.
And while the FBI routinely advises victims to never pay, many do. But Saine’s bill also aims to bar even negotiating with ransomware actors. “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident,” it reads.
“Part of the problem is you’re essentially negotiating with terrorists anyway,” Saine told WCNC, an NBC affiliate in Charlotte. “There’s no guarantee that once the money’s released that you’ll get your data back or they won’t at a later time release that same information.”
Bloomberg News reported that Colonial paid a $5 million ransom before restarting its operations. And a separate group of ransomware actors released about 250 gigabytes’ worth of data from the Washington, D.C., Metropolitan Police Department — including detailed personnel files — after rejecting a $100,000 payment offer.
According to North Carolina state data, at least 37 ransomware attacks have been reported to NCDIT since 2016. That includes Saine’s home of Lincoln County, outside Charlotte, which suffered a pair of breaches last August. (The county did not pay.)
NCDIT already has cyberattack regulations that require state and local agencies to report incidents that “result in a significant loss of data, system availability or control of systems” or affect critical infrastructure systems, among other symptoms within 24 hours of discovery. The department also employs a joint task force comprised of law enforcement, emergency management personnel and the state National Guard to help respond to attacks and breaches.
While ransomware payments are broadly discouraged, there’s little consensus on whether they should be banned outright, despite the North Carolina House’s unanimous vote. A Ransomware Task Force made up of more than 60 industry experts stopped short of calling for a payment ban when it issued a detailed framework for combatting the threat, writing that doing so could provoke financially motivated criminal actors to simply look for other victims.
“Were a government to take a hardline approach on non-payment, perhaps even offering to shore up victims in their jurisdiction in some manner, attackers will look for other potential targets before moving to new sources of revenue,” the report read.
But payment bans could be phased in gradually, the task force suggested, to give sectors, such as government, time to set up victim-protection and recovery services. “Thus, a prohibition statute should establish milestones or conditions that would need to be met before the prohibition would go into effect,” the group said.