New York Set to Stop Government Agencies Using Taxpayer Dollars to Pay Ransomware Demands

Two New York state senators have proposed bills that would prevent municipalities and government agencies from using taxpayer dollars to pay ransomware demands.

The first bill - S7246 - was proposed by Senator Phil Boyle on January 14 and "Creates a cyber security enhancement fund to be used for the purpose of upgrading cyber security in local governments ... and restricts the use of taxpayer moneys in paying ransoms in response to ransomware attacks."

The second bill - S7289 - was introduced by Senator David Carlucci on January 16 and "Prohibits any municipal corporation or other government entity from paying ransom in the event of a cyber-attack against such municipal corporation's or government entity's critical infrastructure."

It's not surprising the bills have been proposed. The number of US cities attacked by ransomware has risen steadily, from 38 in 2017 to 53 in 2018, and then to more than 70 in 2019.

Cities prove to be easy targets. Many have lax cyber security methods in place, such as the much-attacked city of Baltimore, where the city auditor found that employees were only saving files to their computer hard drive, instead of using more reliable methods such as cloud storage.

Cities are also willing to pay attackers in order to get services up and running ASAP and avoid costly delays. When Riviera Beach, Florida, was attacked in May 2019, affected services included those processing payments and operating water utility pump stations. Even the city's 911 dispatchers had to record call information by hand (the city paid hackers a $600,000 ransom).

The proposed bills aren't the first time a stand against ransomware attacks has been taken by authorities. At the US Conference of Mayors annual meeting in mid-2019, 227 mayors signed a resolution agreeing not to pay ransoms to hackers (the US Conference of Mayors represents 1,400+ cities). One of the mayors attending was Baltimore Mayor Bernard C. 'Jack' Young, who sponsored the resolution.

Resolutions aren't law and, if these bills are passed, other states will no doubt follow. After what was uncovered in Baltimore (and other cities), politicians at all levels will have to take a good look at their cyber security. In a world where the public purse strings are already stretched to the limit, voters won't take kindly to 'forking out' their hard-earned tax dollars in the shape of ransom demands.
