Skip to content
Naked Security Naked Security

California lawmakers want to bring down the hammer on ransomware

The proposed bill would make ransomware punishable by imprisonment in a county jail for 2-4 years and a fine not exceeding $10,000.

Ransomware: There ought to be a law against that.

Well, in the US, there sort of is: the federal Computer Fraud and Abuse Act. But if you’re a state prosecutor, you need to use laws that aren’t perfectly designed for ransomware, because it didn’t exist when many of those laws were written.

Enter the California state legislature.

California’s often pioneered new US laws that spread nationwide – for example, on energy efficiency, pollution, and privacy. Now, as reported by the Los Angeles Times, some of its legislators want to do the same for ransomware.

Senate Bill 1137 would make it a felony to:

…knowingly introduce ransomware into any computer, computer system, or computer network… punishable by imprisonment in a county jail for two, three, or four years and a fine not exceeding $10,000.

In introducing S.B. 1137, State Senator Bob Hertzberg pointed to the ransomware infection that recently shut down communications at Hollywood Presbyterian Medical Center, as well as the attack against the LA County Department of Health Services a few weeks later.

He also cited the Institute for Critical Infrastructure Technology’s claim that “2016 is the year ransomware will wreak havoc on America’s critical infrastructure.”

If you’ve ever watched that legendary Schoolhouse Rock segment on how a bill becomes a law, you know it’s a long, long journey. Still, Herzberg’s bill sailed through the State Senate 38-0, then won unanimous approval from two State Assembly Committees. Plus, it’s got the backing of major Silicon Valley lobbying organization TechNet, representing heavy hitters like Microsoft, Cisco, Google, Oracle, Facebook, and Apple.

Next step: a vote by the full State Assembly. If they say yes before they go home for the year, S.B. 1137 goes to Gov. Jerry Brown’s desk for a signature. That’s no sure thing, because he’s occasionally vetoed legislation when he thinks prosecutors already have enough tools to make their case – precisely the claim made by the bill’s few opponents.

Supporters at the LA District Attorney’s office say they need this law to eliminate loopholes in California’s Comprehensive Computer Data Access and Fraud Act, and because state extortion statutes “may not properly cover the type of harm caused by ransomware.”

That’s because the extortion laws make it a crime to “obtain property… with the individual’s consent by a wrongful use of force or fear,” but ransomware attackers don’t threaten to harm your property: they’ve already done it, and want money to undo the harm. “The difference is slight,” admits the LA DA, “but extremely important in a criminal prosecution.”

You can check out the pros and cons yourself, by reading the same independent analysis that legislators get before they vote. You can also track the bill’s progress through Sacramento’s legislative labyrinth. (Assuming those systems haven’t been attacked by ransomware, as happened to Hertzberg’s own Senate office, right after his bill was approved by the State Senate.)

Of course, S.B. 1137 raises a bigger question – how’s California going to catch ransomware attackers, when they could be anywhere on earth, and it can’t catch them now? In the LA Times, computer crime prosecutor Don Hoffman admits that’s an issue.

But he argues that ransomware tools are becoming consumerized:

The level of skills… required to launch such a campaign will not be as high, and we certainly expect attacks to be coming from more countries and within the US.

In other words: it’s going to get worse. But those local script-kiddie slobs, he might just catch. And if he does, he’ll be darned if they skateboard away on some West Coast legal loophole.

10 Comments

Great more laws Cali does not need or any state. The majority of criminals using it are outside the States and don’t give crap, especially for a single state law.

I’ve been saying this for months now, make it illegal for Advertising networks and websites to distribute malware. Heavy fines are levied on a per-computer infection basis ($50,000 per)

Anyone buying ad-space is legally responsible for every ad-campaign (no anon buying)
Ad-buyers must prove every ad they submit has no malware.
If a site/ad network is hacked to serve malware, the security and development teams would be addressed and the fines wouldn’t be quite as severe.

If it’s a really widespread infection, the owner of ad-network would be required to shut down, release all property to the regulatory acronyms. And he/she would be blacklisted/blackballed from the entire print and digital advertising industry.

If you’re not going to do it right, then you’re in no position to do it at all.
I know it’s harsh, but if you make it so bad when something goes wrong, then there will be motivation to shape up and fly right.

If ad companies want to make money, make better ads so that I don’t have to block them for security reasons.

lol Make another law that will fix it, cause criminals always ~~~
The “fine not to exceeding 10k” is all wrong, it should be not be more than 7 times the damage done…

I highly agree on the fine. “not to exceed $10k”

Won’t that merely influence supply and demand for those of us victims not protected by the Californian border?

Here in Canada, the legal maximum for punitive damages was a few years back upped from 7 to 10 times actual damages. Ontario’s Human Rights Commission has essentially a zero-tolerance policy in cases where the victim is in one way or another disabled or otherwise disadvantaged. They have gone for the 10X in every single case — and if I’m not mistaken, the courts have always agreed. And that’s *per day of the offense*, until it’s finally resolved to the complainant’s satisfaction.

The Hollywood Presbyterian caper alone netted $17,000, and they think $10,000 is a deterrent? If there is a loophole in existing laws that needs to be repaired, by all means do it, but give it some teeth!

Post a reward of say $5 million for info leading to the successful prosecution of these creeps. Let them worry for a while if someone will rat them out. They won’t be able to brag about their exploits to their circle of associates for fear of being turned in. If that doesn’t work make it $5 million dead or alive. That might get them to reassess their career choice.

This shows how clueless people in the California government really are though. They say all those years in jail yet California has been releasing criminals from jail who have done even more serious crimes. I see they say county jail though, not state prison. That way they don’t have to spend any money. This can’t be a state law or even a US law. Most of the criminals are outside the US. This must be a world law. The US Congress blew it when they opened the Internet up to the world. We needed tough laws to deal with crimes. Make all countries agree to those laws if they want on the Internet.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?