Should state governments ban ransomware payments?

In 2021, North Carolina became the first state to ban public ransomware payments, even going so far as to prohibit negotiations with cybercriminals. It was a groundbreaking move. Florida followed suit in 2022, but its legislation took a less stringent approach, covering a smaller number of entities and omitting some of the more restrictive provisions in North Carolina law.

The North Carolina and Florida bans are the only ones in place at the state level, but they have sparked a nationwide conversation about how best to combat this ubiquitous cyber threat. Years later, experts still haven’t reached a clear conclusion about whether this is the right approach.

At the heart of the matter lies a moral and fiscal dilemma: Should governments refuse to fund criminal enterprises, even if the alternative would mean crippling disruptions to essential services like hospitals, schools, and public safety? What if the “high road” of refusing to pay ends up costing taxpayers more in the long run, through service outages, recovery efforts, and the potential for further attacks?

Law enforcement agencies like the FBI are adamantly opposed to paying ransoms, fearing that it only emboldens cybercriminals. However, some organizations feel they have no choice but to pay.

Meredith Ward, deputy director of the National Association of State Chief Information Officers (NASCIO), acknowledges the complexity of the issue: “There’s no opposing view, just a few different points of view.” She emphasizes that NASCIO, as a national organization, does not take a formal position on whether agencies should ban payments, recognizing the varying needs and circumstances of individual states. Ultimately, NASCIO believes that states should decide whether payment bans are the right approach for them.

Are nationwide or state-level bans on ransomware payments the answer? The jury is still out.

THE DATA DILEMMA: UNCLEAR IMPACT OF EXISTING PROHIBITIONS

When weighing the pros and cons of ransomware payment bans, a crucial question arises: do they actually work?

North Carolina Chief Information Officer James Weaver said it’s difficult to measure success with the data currently available. While the state requires local governments to report all significant cyber incidents, it’s hard to isolate the ban’s effect from other factors that influence attack rates.

“The intent is really to take an option off the table,” Weaver said, emphasizing that agencies are now being directed to immediately focus on recovery and remediation rather than negotiating with cybercriminals.

According to data from the North Carolina Attorney General’s Office, the number of ransomware attacks, after steadily increasing, decreased slightly between 2022 and 2023. However, attacks still number in the hundreds: In 2023, North Carolina experienced 843 ransomware data breaches across both public and private organizations.

Weaver said the ban on public ransomware payments “has not eliminated these types of attacks,” adding that it’s also challenging to establish a baseline to measure the true impact of the legislation. “I can’t necessarily say it’s reduced anything.”

However, he hopes that the tide will eventually turn in a measurable way.

“You would hope that the fact that we’re not paying for ransomware events — that the funding stream that a lot of these bad actors are counting on isn’t available to them — would somehow lead to an outcome,” he said. But he acknowledged that some attacks are motivated by factors beyond financial gain, such as a desire to cause disruption or gain influence in what is becoming a crowded field of hackers.

He believes that the legislation would have more impact if it were universal.

“If we do that collectively, at the end of the day, it’s not profitable for anyone to sit here and do ransomware attacks for money,” Weaver said. “Everyone has to do their part. If we could do something like that nationwide, that would be fantastic.”

Bar chart showing the total number of ransomware payments reported to the North Carolina Attorney General's Office from 2020 to 2023

HIGH STAKES

The impact of ransomware attacks is not just financial or operational; attacks can also have devastating consequences for residents.

Attacks have crippled 911 call centers, slowing emergency response times. They have disrupted power grids, leaving people without the resources they need to survive. The ripple effects of such attacks can be catastrophic, upending the lives of vulnerable residents.

“A ban sounds good until it happens to you,” says Mark Weatherford, a senior fellow at the Center for Digital Government.* “Now you’re staring down the barrel of a gun and you have to make that decision.”

Weatherford argued that a universal ban could have been effective years ago, but the situation has since become too dire, and criminals understand the stakes. He said a more effective solution would be for the international community, including countries like China and Russia, to hold bad actors accountable.

“As a global community, we need to say, ‘We’re going to hunt you down, we’re going to knock on your door, and we’re going to drag you out, kicking and screaming,'” he said. “We need to treat it as a capital crime, not just because people are dying, but there are serious implications to ransomware, depending on the organization.”

PAYING THE PRICE, SOMEHOW

In 2024, data is no longer just ones and zeros—it is the lifeblood of modern government.

The financial consequences of a ransomware attack, both now and in the years to come, could be astronomical if the data is never recovered.

“We can say, ‘We didn’t pay,’ and then the public pays a different price,” said Alan Shark, executive director and CEO of Public Technology Institute (PTI). “It’s really huge to freeze local government from serving citizens. You can see why there’s resistance.”

The cost of rebuilding compromised systems isn’t the only consideration for agencies. They may also foot the bill for failing to protect stolen data.

“There is an obligation, not written but implied, that the government has to do something,” Shark said. “That could mean credit monitoring for a year or two, (but) when you start thinking about thousands of citizens, if not millions, in some places that can be really expensive.”

Meanwhile, the sums criminals demand are also increasing. The first known ransomware attack, in 1989, was distributed on floppy disks and demanded a few hundred dollars to release the encrypted files. In today's climate, data is king, and it is not unheard of for a ransomware gang to demand millions of dollars.

Adding to the complexity, there is no guarantee that paying the ransom will result in the release of encrypted data. The rise of "ransomware as a service" has democratized cybercrime, allowing even novice hackers to launch sophisticated attacks.

Shark noted that established ransomware gangs once adhered to a code of conduct, but the influx of new players who can pay to play has undermined that trust.

A report from cybersecurity firm Sophos' threat intelligence team found that more than a dozen ransomware variants were advertised for sale on online forums to would-be hackers, with subscription prices ranging from a modest $50 to $1,000 per month.

Shark said there was no evidence in the past of established ransomware gangs failing to honor their agreements, but that the aspiring lone wolves who buy those subscriptions on the black market do not always adhere to the same code of conduct.

“Anyone can become a criminal overnight,” Shark said. “What’s happening now in some cases is people are careless, the code is gone. There have been cases where someone has paid and their files haven’t been released.”

This new "blanket of uncertainty" makes the decision to pay a ransom even more difficult for government agencies of all sizes. Shark concludes that a blanket ban on payments may be too simplistic an approach to the complex reality of ransomware.

“A law prohibiting payments is well-intentioned, but too flawed to be taken seriously,” Shark said.

Line graph showing national costs of ransomware attacks from 2019 to 2023

CYBER INSURANCE: A COMPLICATING FACTOR

Whether a government holds cyber insurance is often kept confidential, for fear that disclosure would attract cybercriminals. Insurance adds another dimension to the debate over ransomware payment bans.

Obtaining cyber insurance coverage has become increasingly difficult, with many insurers demanding robust security controls before issuing policies. Furthermore, policies often require immediate notification in the event of an attack, which can shape how agencies respond to ransomware incidents.

According to North Carolina’s Weaver, the implementation of the payment ban has led to a shift in how people interact with insurance companies.

“There are times when cyber insurance companies want the ability to negotiate, and we’re going to have to remind them that that’s not an option for the state of North Carolina,” Weaver said. “We’re telling them the focus needs to be on fixing it.”

While controversial, cybersecurity insurance can play a role in limiting the financial impact of ransomware attacks. Weatherford pointed out that insurance companies have been known to successfully negotiate lower ransom payments.

“Sometimes bad guys feel more comfortable negotiating with an insurance company because it’s a business-to-business affair,” Weatherford said.

However, Shark questions whether it is ethical for insurance companies to pay ransoms on behalf of government agencies.

“It’s one thing for a local government to take money out of its own coffers,” he said, suggesting that using private insurance funds blurs the lines between public and private responsibility. “It’s no longer public money, it’s coming from insurance — like car insurance.”

Shark believes that if insurers were no longer able to pay ransoms at all, the consequences for the cyber insurance market could be crippling.

Despite the ongoing debate, NASCIO’s Ward notes that she doesn’t expect to see more states enact similar legislation this year, especially now that election season has begun. However, she acknowledges that the unpredictable nature of cybersecurity threats means that anything is possible.

“It only takes one high-profile incident,” Ward said. “You never know what’s going to motivate a state to put something in place and really go after it.”

The question of whether to ban ransomware payments continues to evolve — it’s not just a question of right or wrong. It’s a balancing act between competing priorities, a search for the least damaging path in a high-stakes game.

This story originally appeared in the September/October 2024 issue of Government Technology magazine.
