ANNAPOLIS, Maryland — A bill that introduces steep penalties for the perpetrators of ransomware attacks, like the one that disabled the network of several Maryland hospitals last year, is making its way through the Maryland legislature.
The bill defines ransomware attacks as felonies that would carry a penalty of up to 10 years in prison and up to a $10,000 fine. At present, ransomware attacks are covered by Maryland’s extortion statutes, the penalties for which range from a misdemeanor with a maximum $1,000 fine and up to 18 months in prison to a felony and a $25,000 fine and up to 25 years in prison.
The new bill would mean perpetrators who extort less than $1,000 using ransomware can be charged with felonies instead of misdemeanors.
The bill also allows victims to sue for damages in civil court. The bill’s sponsor, Sen. Susan Lee, D-Montgomery, said this provision is vital as it offers victims recourse without having to wait for state prosecutors to pursue their case.
Ransomware is a type of malicious software that locks or seizes control of hardware or data until a specific code is provided. Typically, victims are asked to pay a ransom ranging from hundreds to tens of thousands of dollars to get the code. However, hackers have been known to delete data and wipe machines even after their victims have paid their ransom.
The bill leaves many details up to interpretation. For example, it’s not clear whether a single attack that brings down three different computers would be treated as one count of the crime, or three counts — potentially tripling the maximum penalty for the accused. What if a different person owned each computer?
The text of the bill specifies that ransomware involves the “intent to extort money, property, or anything of value from another.”
But some ransomware has been reported that requires victims to view web pages, thereby boosting ad revenue at those sites, essentially stealing a few minutes of time. It’s unclear whether mandating a visit to a Web site would qualify as something of value.
Ransomware is such a fluid and varied form of attack that it would be difficult for a law to cover every possible permutation of the crime. Instead, Lee told Maryland’s Capital News Service, the bill concentrates on the fundamental principle of a ransomware attack — an attacker compromises a system and threatens to either deny access to or destroy data for the purpose of extortion — but that the precise implementation of the bill as law will be heavily influenced by judges and prosecutors.
Delegate Erek Barron, D-Prince George’s, said that he and Lee considered adding a provision to the bill that would introduce penalties for people found to be creating ransomware, even if they themselves did not deploy it. That provision did not make it into the final draft of the bill. Barron is co-filing the bill in the Maryland House of Delegates.
In spring 2016, a group of Maryland hospitals run by MedStar was targeted by a large ransomware attack. The attack forced the hospitals to shut down most of their computer systems for about a week. Lee called the attack “a wake-up call.”
According to Osterman Research, nearly 50 percent of organizations surveyed in the U.S. reported being victimized by a ransomware attack between June 2015 and June 2016.
That same survey found that healthcare and finance were the most-targeted industries in the U.S.
Jonathan Katz, a professor of computer science and director of the Maryland Cybersecurity Center, theorized that hospitals might be popular targets because their systems are often set up to allow quick access to vital patient information across a large network, which could make ransomware penetration easier.
Katz said that one of the challenges in dealing with ransomware, and other forms of cybercrime, is that many efforts to defend against attacks simply shift costs around.
For example, many “ransoms” are in the thousands of dollars; but improving security at a large organization or company could cost millions of dollars, or more.
When asked whether some organizations may choose to simply absorb the cost of an occasional ransomware attack rather than substantially upgrade security — calculating that the former option is more cost-effective — Katz said there is “some truth to that,” but that “it’s sort of a depressing way to view things.”
With this in mind, Katz said, governments should try to implement policies that require institutions to improve their security, but should be mindful that doing so will almost certainly pass a cost on to those institutions.
Another problem Katz pointed out is that many organizations are simply not setup to handle massive cybersecurity threats. Although steps such as training and hiring cybersecurity monitors can improve an organization’s protection, many vulnerabilities exist within commonly used software that most companies have little influence over.
“A healthcare company is not in the business of redesigning their software” Katz said.
Governments and leaders are under pressure to both protect the public from the growing threats of cybercrime and secure the largest possible slice of an industry that is rapidly expanding to meet those threats. The Bureau of Labor Statistics predicts that there will be nearly 490,000 jobs created in computer and information technology in the United States by 2024, a 12 percent increase over 2015.
To draw some of those jobs to Maryland, Gov. Larry Hogan’s 2018 budget proposal allocates $3 million for cyber-job training. The governor has also proposed a program that would offer tax credits to investors in cybersecurity startups.