Maryland Considers Singling Out Ransomware as a Crime
Legislation Would Establish Prison Term for Specific Offenses
As ransomware attacks continue to plague organizations in healthcare and other sectors, Maryland is considering legislation specifically identifying ransomware attacks as a crime punishable with prison sentences. California and Wyoming are among the states that have enacted somewhat similar legislation.
Current Maryland state extortion laws don't specifically name ransomware attacks. And such crimes often are prosecuted as violations of federal computer laws or more general state laws.
On Feb. 15, the state's senate will hold a hearing to discuss the bill following a hearing in the state's House earlier this month.
The bill, recently introduced by Sen. Susan Lee, D-Montgomery, Md., and co-sponsored in the state House by Erek Barron, D-Prince George's, makes extortion conducted through unauthorized software a criminal offense punishable by imprisonment for up to 10 years and/or a $10,000 maximum fine.
The proposed legislation states: "A person who has the intent to unlawfully extort money, property, or anything of value from another may not knowingly create, place, or introduce without authorization software into a computer, computer system, or computer network if the software is designed to encrypt, lock or otherwise restrict access or use by authorized users of the computer/system/network."
The bill also would permit a person who has suffered a specific and direct injury as a result of the ransomware to bring a civil action in court.
Lee tells Information Security Media Group that the bill is the result of a recommendation by the state's cybersecurity council, of which she is a member.
"It makes sense to make these attacks a crime; there's been a dramatic rise in these events on hospitals, utilities and others," she says. A ransomware attack last year on MedStar Health, which operates several hospitals and other healthcare facilities in Maryland, "was pretty devastating," she says. "These attacks can cause injury and cost lives."
In a statement, Barron tells ISMG: "Maryland is a leader in the cybersecurity industry and it's appropriate that our state also set the pace as far as protecting the public by updating our criminal statutes and providing a mechanism for parties to protect themselves via civil action."
It's not yet clear when the measure will come up for a vote in both chambers, Lee says.
Last September, California amended state computer crime laws to specifically name ransomware attacks as a crime punishable by up to four years in prison.
Under California's law, "every person who, with intent to extort money or other consideration from another, introduces ransomware into any computer, computer system, or computer network is punishable ... in the same manner as if such money or other consideration were actually obtained by means of the ransomware."
Wyoming in 2014 passed legislation that made the sending or transfer of any malware, including ransomware, with the intent to damage a computer or cause its operation to malfunction, a "computer trespass" felony punishable by imprisonment for not more than 10 years, a fine of not more than $10,000, or both.
However, Wyoming's Joint Judiciary Interim Committee recently sponsored a bill that would specifically make computer extortion involving ransomware a felony punishable by imprisonment for not more than 10 years, a fine of not more than $10,000, or both.
Aside from state laws specifically naming ransomware attacks as crimes, "most every state has its own computer crime statutes," says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Each state also has its own priorities in carrying out prosecutions. Some states are much more active in prosecuting cybersecurity crimes, but typically the states will cooperate with federal authorities."
At the federal level, Holtzman says, "the main weapon in the federal arsenal to combat cybercrime is the Computer Fraud and Abuse Act (CFAA) [Title 18 U.S.C. Section 1030] which criminalizes a number of types of computer activities in an effort to protect information systems from unauthorized access, intentionally damaging a computer protected under the act, trafficking in stolen passwords or threatening a protected computer with the intent of extorting money."
A "protected computer" is a device used by a financial institution, the U.S. government, or a computer used in interstate/foreign commerce or communication, Holtzman explains. "Federal law enforcement activities have also caught up to operators of exchanges where cybercriminals can deposit bitcoin extorted from victims of ransomware incidents and withdraw cash, applying laws that make it a crime to engage in wire fraud and money laundering," he adds.
Prosecution of cybercrimes is primarily at the federal level because so many of these crimes originate from outside the U.S. or require investigative resources beyond the capability of most local or state police forces, Holtzman adds. "Another consideration that states may use in favoring federal enforcement of computer crime is the expense and resources required to investigate, prosecute and imprison hackers and cybercriminals," he says.
Kirk Nahra, a privacy and security attorney at law firm Wiley Rein, notes: "For any kind of activity 'like' [ransomware], there are a wide variety of laws that are potentially applicable, and creative prosecutors have a good arsenal to attack this kind of activity."
Although it's always "simpler" for prosecutors to press charges for violation of a very specific law, such as the one being considered in Maryland, officials are "pretty good at getting at people who commit these kinds of activities - assuming they can figure out who they are," Nahra says.
Holtzman notes that ransomware incidents are just the latest in a long line of computer-related crimes. "By far the most common and greater threat is posed by insiders using their authorized access for malicious purposes," he says. "Employees, disgruntled former workers or contractors are capable of much more destructive actions or theft of sensitive information through their knowledge of the vulnerabilities of the information system or ability to cover up their nefarious activity."