A proposed California legislation imposing specific penalties for ransomware took a step forward yesterday when the state senate's Public Safety Committee passed the bill at a hearing that featured testimony from Hollywood Presbyterian Medical Center (HPMC) — a notable victim of the ongoing ransomware epidemic.
The legislation, Senate Bill 1137, would amend California's penal code making it a crime to knowingly introduce ransomware into a computer or network, with penalties punishable by as much as four years and a $10,000 fine. The law would not preclude prosecuting attorneys from pursuing additional charges under older statutes.
California State Senator Bob Hertzberg, who introduced the bill this past February, testified before the Committee in support of its passing. “It's responsible as we begin to continue to modernize the law to make sure we have an up-to-date law that works practically in the system of justice to deal with” this new ransomware threat, Hertzberg testified.
But perhaps the most compelling testimony came from bill supporter Steve Giles, CIO of HPMC, who recounted the night of Feb. 5, 2016, when ransomware virtually shut down the hospital. “Every system within the medical center became inaccessible. This created panic to some degree within the nursing and physicians staff,” said Giles, especially as fears arose that the shutdown could impact patient care. (Giles stated that medical care was not adversely affected.)
The crisis reached its next phase when the hospital received a pair of ransom demands that amounted to $17,000 in untraceable bitcoins, with a five-day deadline. Faced with the possibility of being permanently denied its files, the hospital paid up.
“We had to finally go to an ATM in a vape shop carrying…$17,000 in cash,” said Giles, “and having it transferred into bitcoin.” Even after the payment, there was much work to be done. “We received the decryption codes—900 decryption codes. One decryption code, unique, per device. There was no magic wand of a single decryption code to alleviate the problem. We had to deal with 900 codes to go server by server by server, device by device,” Giles recalled.
Coincidentally, Hertzberg was finalizing this legislation when news of the HPMC ransomware attack broke. Subsequent to that incident, additional hospitals in southern California also fell victim to ransomware attacks.
Under Hertzberg's proposed law, criminals responsible for propagating ransomware would be subject to prison time and/or fines, the severity of which would be contingent upon whether the crime was a first-time offense, as well as the extent of the victim's financial injury. Moreover, criminals may incur additional punitive or exemplary damages if the court chooses to award them.
Los Angeles attorney Michael Overly, a partner at Foley & Lardner LLP, was not optimistic about the legislation's prospects for deterring cybercriminals. “In all honestly, I think this is a fabulous way to create a headline for a senator,” Overly told SCMagazine.com. “We already have reasonably good federal and state computer crime laws.”
Overly, who specializes in privacy and information security law, noted that cybercriminals are difficult to identify and even harder to prosecute, as most base their operations out of foreign countries. Overly opined that encouraging and incentivizing businesses to prevent ransomware attacks is a far more effective tactic than doling out stiffer punishments to those responsible for them.
Hertzberg acknowledged during his testimony that current California extortion law reasonably covers ransomware attacks already. But he also believes that the growing use of digital technology to carry out extortion plots merits an update to an otherwise dated penal code. Hertzberg underscored his point, citing an FBI statistic that ransomware has already extorted $209 million from U.S.-based victims in the first three months of 2015—far exceeding the $25 million stolen in all of 2015.
The bill must next pass California's Senate Appropriations Committee before being taken under consideration by both legislative houses.