Warren & Ross Introduce Bill to Require Disclosures of Ransomware Payments
United States Senator Elizabeth Warren (D-Mass.) and Representative Deborah Ross (D-N.C.) introduced the bicameral Ransom Disclosure Act. The bill provides the Department of Homeland Security (DHS) with critical data on ransomware payments in order to bolster our understanding of how cybercriminal enterprises operate and develop a fuller picture of the ransomware threat.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
“Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure,” said Congresswoman Ross. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions. I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back. The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation.”
Ransomware attacks pose a significant national security threat, impacting critical infrastructure and military facilities, hospitals and medical centers, small and large businesses, schools and universities, and municipal governments. Between 2019 and 2020, ransomware attacks rose by 62% worldwide and 158% in North America. In 2020, the FBI received nearly 2,500 ransomware complaints, up 20% from 2019, which identified losses of over $29 million. According to one cybersecurity firm, victims worldwide paid nearly $350 million in ransom in 2020 – a more than 300% increase over the previous year – with the average payment increasing by 170% to $312,000.
The Ransom Disclosure Act will:
- Require ransomware victims (excluding individuals) to disclose information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom;
- Require DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms;
- Require DHS to establish a website through which individuals can voluntarily report payment of ransoms;
- Direct the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks and provide recommendations for protecting information systems and strengthening cybersecurity.