By Bruce Sussman
Tue | Jan 21, 2020 | 11:11 AM PST

This one may surprise you.

In most U.S. states, it is not a crime to possess ransomware—even if you plan to use it in a cyberattack.

Store the code on your laptop, carry it around on a thumb drive, save it to your cloud account; legally speaking, you're good.

Now, one state at a time, this appears to be changing. But some wonder, is the change necessary?

Which state is now trying to create a new law against ransomware?

Maryland State Senator Susan Lee recently introduced SB0030, which has bipartisan support. The bill is specifically aimed at inserting the following paragraph into state law (all caps is the format of the bill):

"A PERSON MAY NOT KNOWINGLY POSSESS RANSOMWARE
WITH THE INTENT TO USE THE RANSOMWARE FOR THE PURPOSE OF INTRODUCTION INTO THE COMPUTER, COMPUTER NETWORK, OR COMPUTER SYSTEM OF ANOTHER PERSON WITHOUT THE AUTHORIZATION OF THE OTHER PERSON."

What kind of punishment would the ransomware law create?

Under the Maryland proposal, someone convicted of knowingly possessing ransomware with the intent to use it in a cyberattack would face a misdemeanor charge and the following punishment:

  • up to 10 years in jail
  • up to a $10,000 fine, or both

Will security researchers be charged under the ransomware law?

Laws often create unintended consequences.

For example, if security researchers could be charged under such a law, they would be much less likely to possess strains of ransomware. It would cause a significant chilling effect.

These researchers often reverse engineer an attack to determine which vulnerabilities it exploits, work that can lead to patches or best practices for defending against that kind of cyberattack.

Thankfully, white hat hackers and security researchers have a specific exemption in this Maryland law:

"THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Are new ransomware laws necessary?

On the face of it, it seems like legal codes that outlaw the possession of ransomware for a cyberattack are common sense.

Wyoming apparently thought so when it became the first state to criminalize ransomware. California has since followed suit.

However, we ran across a very interesting perspective on this proposal on the Maryland Matters digital news site.

Ricardo A. Flores, head of government relations for the Maryland Office of the Public Defender, said the measure isn't needed because the law already makes ransomware a crime.

"The Baltimore City situation is already criminalized and significantly so, because it is clearly extortion," Flores said. "The amount of money that was asked for and the actual damages that resulted would subject those individuals… to a felony of up to 25 years" behind bars.

He's referring to the devastating ransomware attack against Baltimore which made global headlines last year. For more on that situation, read our previous coverage: $18 Million Later: Why We Didn't Pay the Ransom.

If using ransomware is a crime, do we need to criminalize possessing it? That's a good question.

Cybersecurity and privacy laws evolving rapidly

State legislators are not just taking aim at cybercriminals when it comes to ransomware laws or other types of cyberattacks.

They are also passing an incredible amount of cybersecurity and privacy legislation that impacts businesses and government entities.

We interviewed cyberlaw attorney Jordan Fischer about this after her session at our SecureWorld New York conference.

"The biggest challenge is 'I have a moving target and multiple different targets' at the same time. And that's a challenge for any company to hit.

One of the things we always advise companies is that knowledge is power.

The first step is what are you doing currently, right? If you don't know where your data is stored, if you don't know what data you're collecting, if you don't know what your security is, you're behind the eight ball in every single regulatory environment. You are never going to be able to even make the analysis of what should I do next, if you don't know where you stand right now."

If your organization is wondering how to approach this shifting landscape most effectively, listen to our podcast interview with Fischer:

You can hear The SecureWorld Sessions weekly on your podcast platform of choice.
