A pair of new laws in Michigan will toughen the state’s stance on ransomware, a type of malware that has caused $2.6 million in damages to the state in 2017, according to FBI statistics.
PA 95 and 96 were signed into law by Michigan Gov. Rick Snyder on Monday, closing a loophole in Michigan code that allowed cybercriminals in the state to legally possess ransomware. Even if the state police suspected that a cybercriminal was planning a cyberattack with ransomware, they couldn’t act until the ransomware was used.
Prior to the new laws, Michigan state police had no recourse to charge cybercriminals that had ransomware on their computer if they didn’t actually use it. In other words, bill sponsor Rep. Brandt Iden told StateScoop, “It didn’t allow you to go after someone who possessed ransomware software with the intent to use. The law just said: ‘If you used ransomware, then we could come after you.'”
Iden told StateScoop that state police had numerous cases in the past that were restricted by the loophole, which effectively protected cybercriminals from law enforcement until after the crime had been committed.
They criminalize “possession of ransomware” with the intent to use or employ that ransomware or the purpose of introduction into the computer, computer data, computer system, or computer network of another person, without authorization of the other person.”
“This gives us the tools necessary to go after these individuals,” Iden said. “We didn’t have the laws on the books before, and I think that by having it now — I’m not sure that it’s going to deter people — but what it is going to do is … continue to tell those folks that Michigan is not a state you want to play in if you’re interested in committing cybercrimes.”
There were more than 1,300 reported cases of ransomware attacks in Michigan in 2017, according to FBI statistics. A ransomware attack on Lansing Power and Light in 2016 cost nearly $2 million. Rep. Iden says it was that incident that made ransomware law reform a primary issue for the state legislature.
Iden said he originally proposed a 10-year maximum sentence for the felony punishment outlined in HB 5258, the bill introduced by Rep. James Lower, but it was reduced to three years during the legislative process.
Michigan is now one of a number of states that have similar laws specific to ransomware and computer extortion, including California, Wyoming, Texas and Connecticut.
Michigan is the latest state to tackle cybercrime on the state-level following Georgia’s recent “unauthorized access” computer crime bill. Security researchers and white- and gray-hat hackers have expressed deep concerns over that legislation, which stakeholders say could effectively outlaw much of the business of cybersecurity in Georgia.
PA 95 and 96 appear to be more carefully constructed than Georgia’s SB 315 law, but still might present headaches for Michigan’s community of cybersecurity researchers , University of Michigan computer science professor Kang Shin told StateScoop.
Shin said that even with the “intent” provision requiring prosecutors to prove malicious desires, security researchers who study ransomware and require samples of it will still probably be fearful of having to prove innocence every time they experiment.
“It creates an extra step or additional effort, because you have to prove that you’re not going to use [the ransomware] for a malicious purpose,” Shin said.
Iden and Shin were both optimistic about the chance for a procedure or form that ransomware researchers could use to avoid suspicion.