Baltimore Ransomware Attack Inspires State Legislation

Sen. Susan C. Lee (D-Montgomery) explains her ransomware legislation at a hearing Tuesday while Markus Rauschecker, the director of the cybersecurity program at the University of Maryland Center for Health & Homeland Security (center) and Steven Kroll, executive director of the Maryland State’s Attorney’s Association, listen. Photo by Bruce DePuyt

In the wake of a crippling ransomware attack that froze government computers in Baltimore City last year, a Maryland lawmaker hopes to give prosecutors more tools to fight cyber attacks on municipalities and other institutions.

The legislation, Senate Bill 30, would make it a crime to possess ransomware with the intent to use it.

In the May attack against Baltimore, hackers infiltrated the city’s computer system and encrypted files, making them inoperable. They then demanded payment in exchange for  the “decryption” keys, according to media reports.

State and federal officials launched a joint investigation but the perpetrators were never found.

At a Senate Judicial Proceedings Committee hearing on Tuesday, lawmakers from both parties expressed support for the measure, as did the association that represents Maryland prosecutors.

The measure’s sponsor, Sen. Susan C. Lee (D-Montgomery), told the committee that no institution with a computer network is safe from potential attack.

“Schools, hospitals and even state’s attorneys are targets, and we need to stem the tide of aggression,” she said.

Baltimore City refused to comply with the hackers’ demands, but workers were unable to access online accounts and payment systems for weeks, resulting in $18 million in restoration and repair costs, Lee said.

In 2018, a separate attack against the city’s computer-assisted 911 dispatch system rendered it inoperable for nearly 24 hours.

The lawmaker said some private institutions are more likely to give in to hackers’ demands — usually via Bitcoin payments — to avoid the embarrassment of public disclosure.

The Maryland CyberSecurity Council supports Lee’s bill, which would make possession with intent to use ransomware a misdemeanor punishable by up to 10 years in prison and/or a $10,000 fine.

That sanction struck Sen. Christopher R. West (R-Baltimore County) as too light. He called ransomware attacks “abhorrent” and “totally unacceptable.”

But Ricardo A. Flores, head of government relations for the Maryland Office of the Public Defender, said the measure isn’t needed because the law already makes ransomware a crime.

“The Baltimore City situation is already criminalized and significantly so, because it is clearly extortion,” Flores said. “The amount of money that was asked for and the actual damages that resulted would subject those individuals … to a felony of up to 25 years” behind bars.

“This bill is really just a possessory offense where no actual damage has to actually occur,” he added.

Markus Rauschecker, the director of the cybersecurity program at the University of Maryland Center for Health & Homeland Security, called ransomware “a serious and growing threat for everyone” — individuals included.

“It’s getting more serious,” he said. “More must be done to prevent these kinds of malicious attacks, [with] greater consequences for those who chose to engage in this kind of criminal activity.”

[email protected]