Proposed anti-ransom bill would forever change how companies handle cybercrime

The Biden administration is eager to see a bill passed that deters the payout of ransoms to cybercriminals, and while the ultimate goal is to disincentivize these attacks, it could have serious implications for companies likely to be targeted.

The latest push is motivated by a major attack on American software company Kaseya in early July, estimated to have impacted between 800 and 1,500 businesses, according to White House representatives.

Lawmakers have long struggled with whether companies should be required to disclose to the government and law enforcement officials when they’ve been attacked and paid a ransom, and the Kaseya attack shows how damaging supply chain attacks are for small and medium-sized businesses that outsource their information technology support.

Rather than maintaining an in-house IT function, these businesses usually hire consultants known as managed service providers, who in turn operate off software built by companies like Kaseya. A breach at the top has an enormous butterfly effect.

President Joe Biden is pushing legislation that would require that any company impacted by a ransomware attack report that fact to the Internet Crime Complaint Center. Intelligence suggests that recent high-profile attacks were orchestrated by Russian-based hackers, and while previous legislative pushes for increased reporting requirements or bans on ransom payments have failed, this added foreign policy element may provide sufficient motivation to get a bill passed.

If signed into law, it would immediately and radically change the way companies respond to these cyberattacks, essentially requiring companies to hand over the keys to negotiations with hackers to the federal government.

Given that the overall goal is to deter these attacks, this strategy may be the best available to stop them in the aggregate—but that is small consolation to any company that ends up in a hacker’s crosshairs in the meantime. Each of these incidents, and the prospect of legislation, should remind all businesses, big and small, that data security must be a priority at every level of the organization.