Two New York state senators proposed two bills last week to ban local municipalities and other government entities from using taxpayer money to pay ransomware demands.
The first bill (S7246) was proposed by Republican NY Senator Phil Boyle on January 14. The second bill (S7289) was introduced by Democrat NY Senator David Carlucci, two days later, on January 16.
Both bills are under discussion in committee, and it is unclear which will move forward to a vote on the Senate floor.
Both S7246 and S7289 have similar texts. The only difference between the two is that S7246 also proposes the creation of a state fund to help local municipalities improve their cyber-security posture.
"The Cyber Security Enhancement Fund that will make available grants and financial assistance to villages, towns, and cities with a population of one million or less for the purpose of upgrading the cyber security of their local government," the text of the S7246 bill reads.
First of its kind
Across the US, this is the first time that state authorities have proposed a law that explicitly forbids paying the ransom following a ransomware attack.
"We are supportive of this legislation as it creates a debate and raises awareness to this problem," said Bill Siegel, CEO and co-founder of Coveware, a cyber-security company that helps victims recover from ransomware attacks and sometimes negotiates payments on behalf of the victims.
"I do not think it will staunch attacks on NY based municipal organizations in the short term, it may even increase them as ransomware distributors may try to test the resolve of these organizations," Siegel told ZDNet.
"If a state were to pass a bill making payment of ransoms unlawful, then two large issues should be heavily considered. 1) What happens if a NY based municipal hospital is attacked, and the downtime causes the loss of life that could have been avoided if they were allowed to pay? 2) Are the state's municipal organizations adequately staffed and budgeted with DR [disaster recovery] plans, backup systems, and security programs to effectively repel and recover from an attack without creating material interruption to civic operations?" Siegel added.
The office of NY Senator Boyle could not be reached for comment. The office of NY Senator Carlucci did not return a request for comment before this article's publication.
The Coveware CEO said he couldn't disclose if his company helped any New York state government organizations, due to confidentiality agreements.
However, Siegel said that they have helped municipal organizations in the majority of US states recover from ransomware attacks.
"On a quarterly basis, they are generally about 10% of the cases we handle," he said.
Ransomware attacks in New York state
According to antivirus vendor Emsisoft, 113 US state and municipal governments and agencies were hit by ransomware in 2019. While we don't have exact numbers for the state of New York, several major ransomware incidents were reported there last year and in 2020.