ANNAPOLIS, MARYLAND — State lawmakers heard arguments Tuesday on a bill that seeks to add criminal penalties for knowingly possessing ransomware with the intent to use it in a malicious way.
Ransomware is a type of malware that can impede the use of a computer or computer network indefinitely until a ransom is paid. It is already a crime in Maryland to use the malicious technology in a way that costs victims money — this bill would criminalize mere possession of the software.
Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee this week, would label the possession and intent to use ransomware in a malicious manner as a misdemeanor that would carry a penalty of up to 10 years imprisonment and/or a fine of up to $10,000.
Researchers who possess ransomware are, however, exempt from this criminal penalty, according to a state analysis.
Senator Susan Lee, D-Montgomery, is sponsoring this bill and was its lead sponsor in 2019. She told Capital News Service that she has worked to clean up the bill ahead of Maryland’s 2020 legislative session.
“It’s important to establish so criminals know it’s a crime,” Sen. Lee said. “(The bill) gives prosecutors tools to charge offenders.”
Markus Rauschecker, the Cybersecurity Program director of the University of Maryland Center for Health & Homeland Security, testified on Tuesday about why this bill matters.
“It’s important to send that signal (to perpetrators),” Rauschecker told Capital News Service. “(This bill) highlights the threat and how big it is.”
Rauschecker also noted how other states — such as Michigan and Wyoming, among others — have already made the possession of ransomware a criminal offense, and while there is no official research on their success, he said, deterrence is the key.
The topic of ransomware has been popping up around the state of Maryland in the past few years, with both Baltimore City and the Salisbury Police Department being victims in separate hackings.
Most recently, Baltimore had its core computing system attacked in May of 2019 by the use of the RobbinHood ransomware, according to Mayor Bernard C. “Jack” Young’s office.
The city’s budget office estimated the cost of the attack to be around $18 million, according to a state analysis, which includes the cost to restore or repair systems, as well as lost or delayed revenues.
“First, we were advised by both the FBI and Secret Service not to pay the ransom,” Young’s office posted in a FAQ about the attack. “Second, that is not how the City of Baltimore operates; we do not reward criminal behavior. Also, paying the ransom does not make the recovery process cheaper or faster. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment.”
Under current law, committing a cyber attack that results in an aggregate loss of over $10,000 is a felony that is subject to 10 years in prison and/or up to a $10,000 fine, while an aggregate loss less than $10,000 results in a misdemeanor with penalties up to five years in prison and/or a fine up to $5,000.
In the 2019 versions of this legislation, there was a focus on potential attacks against health care facilities within the state, and the bills ultimately never made it through their committees.
On Tuesday, members of the Maryland Senate Judicial Proceedings Committee, which was revamped ahead of the 2020 legislative session, expressed their desire to potentially change this crime to a felony due to the magnitude of its impact.
The 2020 ransomware bill represents a compromise based on arguments last session, according to Lee, with the ultimate goal of moving forward in the legislative process.
Delegates Erek Barron, D-Prince George’s and Wanika Fisher, D-Prince George’s, who co-sponsored the 2019 bill in the House of Delegates, cross-filed the new version of the legislation, House Bill 215 on Thursday. A hearing is scheduled for that bill on Jan. 28 in a House committee.