Is Congress finally ready to pass meaningful ransomware legislation?

During the entire last two-year session of Congress, lawmakers only got one bill signed into law that mentioned the word “ransomware.”

With the epidemic of digital extortion showing no signs of abating, though, and as ransomware attacks claim ever more victims across all parts of the U.S., evidence is mounting that the next two years could bring a more concerted push for legitlation.

“I think it will be a focus because essentially every congressional district has had some kind of ransomware incident, whether public or not,” said Michael Garcia, a senior policy adviser in the national security program at Third Way, a center-left think tank. “Just look at the number of hospitals getting hit, of schools being hit.”

In one recent incident, a Mississippi public school system revealed it had paid $300,000 to ransomware attacks, while a U.S. medical company, Universal Health Services, said it lost $67 million as a result of a similar breach.

Democrats on the House Homeland Security Committee led by Chairman Bennie Thompson of Mississippi have placed ransomware second in line on the cybersecurity front. They’re prioritizing reintroduction of a bill to provide state and local cybersecurity grants, which could have indirect benefits to cities battling ransomware attacks — but after that, said a panel aide, the plan would be to “focus on ransomware, if we get companion support in the Senate.”

New York Rep. John Katko, who sits atop the panel’s GOP side, said he’s devoted to working across the aisle on measures to boost the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency in its own battle against ransomware.

“Ensuring CISA has the resources, workforce, and authorities it needs to carry out its mission is critical to the fight against ransomware and other cyber attacks,” he said.

On the Senate side, Homeland Security Chairman Gary Peters, D-Mich., plans to reintroduce three bills from last year that could offer general help on cyberattacks to state and local governments, small businesses and K-12 schools that could also assist in defending against ransomware, a committee aide said.

And Sen. Maggie Hassan, who leads the Homeland Security Subcommittee on Emerging Threats and Spending Oversight, also has legislative and additional hearing plans that are meant to coincide with Biden administration ransomware-related initiatives.

“These efforts will help to prevent and mitigate the impact of cyber threats across the board, including ransomware attacks that have been especially devastating to local schools, businesses, and hospitals in the pandemic,” said Hassan, a New Hampshire Democrat.

Done, and left undone

In the last session of Congress, a total of 11 bills mentioned ransomware.

That one that became law was the mammoth annual defense policy bill, which included legislation Hassan introduced to establish cybersecurity coordinators in each state. Those coordinators’ responsibilities, according to the bill, include “supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware.”

Other bills that didn’t become law included one that contained a commandment that the Justice Department produce a report estimating the financial damages to U.S. citizens from ransomware and other kinds of cyber fraud, or some that mention the threat of ransomware in the “findings” sections of the bill text that explain the motivation for a piece of legislation.

To some extent, Garcia said, Congress might not yet have figured out what ransomware-specific legislation would look like, as many bills Congress might pass on cybersecurity would address ransomware simply because it’s one kind of threat.

But some state legislatures have indicated directions Congress could go, such as defining criminal penalties for ransomware specifically, or prohibiting certain categories of victims from paying the extortionists.

And some forthcoming proposals like the House Homeland Security panel’s grant legislation might answer state and local government pleas to address the ransomware threat as part of a broader solution to cyber threats.

Atlanta Mayor Keisha Bottoms said at a hearing on ransomware in 2019 — the year after cleanup for a ransomware attack cost the city millions — that additional federal funding “would not only accelerate responsiveness and restoration but would also result in fewer municipalities paying ransoms and ultimately decrease the occurrence of local governments as targets.”

As one solution, the National Association of Counties is pressing Congress for direct, flexible cyber and IT funding for counties rather than sending only to states that filter the money down to the local level, said Rita Reynolds, chief information officer for the group. Her group and other national organizations representing local governments are working on a range of other proposals in the coming months to present to Congress on cyber as a unified push.

The Cyberspace Solarium Commission, created by Congress, has some cybercrime recommendations that lawmakers have not yet enacted and that could resurface in this session of Congress. For example, the commission urged lawmakers to pass provisions from a bill from 2018 intended to give prosecutors more tools to combat botnets, sometimes used to deploy ransomware.

The Chamber of Commerce, the biggest business lobbying group in the U.S., plans to give Congress a nudge, too.

“The Chamber agrees with the Cyberspace Solarium Commission’s call for action against cybercrime and ransomware, which exploit people and organizations for illicit gain,” said Matthew Eggers, the Chamber’s vice President of cybersecurity policy and cyber, intelligence and supply chain security division. “The Chamber will continue to work with the Commission, lawmakers, and other policymakers on ways to prudently push back against ransomware and related cybercriminal activities.”

It might take Congress some time to start revving up its work on ransomware, however.

Garcia said that lawmakers have been preoccupied with other matters so far this year, like the impeachment of former President Donald Trump and vetting Biden administration nominees. Furthermore, the SolarWinds breach has consumed much of lawmakers’ attention on cybersecurity.

But like Garcia, Reynolds sees promise for congressional action on ransomware, too.

“I am as optimistic as I have ever been, if not more so,” said Reynolds. “I think that if ever it is going to happen from a consistent and sustainable perspective, now is the time. And it’s a coupling: The pandemic itself was like the catalyst, and these major breaches have catapulted it forward even more.”