New legislation would boost the FTC’s role in fighting ransomware

Congress is looking for ways to help agencies take on the growing threat.
Image showing the Colonial Pipeline Houston Station facility in Pasadena, Texas (Photo by Francois Picard/AFP via Getty Images)

A new bill could direct the Federal Trade Commission’s international efforts towards taking on ransomware.

Rep. Gus Bilirakis (R-Fla.), the top Republican on the House Energy and Commerce consumer protection subcommittee, filed legislation Tuesday that would require the agency to report the number of ransomware and cyberattack-related complaints it receives, and how it cooperated with international law enforcement to respond to those issues.

The new text would update a 2006 law enabling the agency to work with foreign law enforcement agencies on consumer protection issues. Under the amended law, the FTC would also be charged with providing recommendations for legislation and best practices to mitigate and defend against ransomware.

The FTC has always played a role in trying to mitigate data breaches and online fraud, including the enforcement of privacy policies and pursuing companies like Equifax for failing to take basic security precautions. It has in the past also offered resources to small businesses on how to prevent ransomware attacks.


But unlike the Justice Department and FBI, the FTC focuses on civil, not criminal, cases. Until now, its international cooperation has largely focused on consumer protection efforts against call fraud and online scams. The new legislation could tilt those resources more heavily towards ransomware.

The proposal is just one of several that lawmakers are pushing to boost the resources of executive agencies to address the rise in ransomware attacks against U.S. companies, schools, local governments and hospitals. Since May, U.S. officials have faced three high-profile ransomware attacks: against fuel provider Colonial Pipeline, meat supply company JBS, and most recently Florida IT company Kaseya.

Other legislation to fortify the federal response to ransomware includes a bill introduced by Sen. Mark Warner (D-Va.) Wednesday that would require critical infrastructure owners, federal contractors and cyber response firms to notify the Department of Homeland Security’s cybersecurity agency within 24 hours of a cyber incident. Legislation that would give the Department of Energy more authority to coordinate responses to cybersecurity threats to fuel pipelines and natural gas has also been introduced.

An interagency task force convened by the White House is also pursuing an array of policy measures, including enforcing regulations against the digital currencies that cybercriminals use to collect extortion payments. A senior White House official said that agencies are exploring what they can do within existing regulations and mandates but that additional authorities aren’t out of the question.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
