Baltimore Ransomware Attack Inspires State Legislation
In the wake of a crippling ransomware attack that froze government computers in Baltimore City last year, a Maryland lawmaker hopes to give prosecutors more tools to fight cyber attacks on municipalities and other institutions.
The legislation, Senate Bill 30, would make it a crime to possess ransomware with the intent to use it.
In the May attack against Baltimore, hackers infiltrated the city’s computer system and encrypted files, making them inoperable. They then demanded payment in exchange for the “decryption” keys, according to media reports.
State and federal officials launched a joint investigation but the perpetrators were never found.
At a Senate Judicial Proceedings Committee hearing on Tuesday, lawmakers from both parties expressed support for the measure, as did the association that represents Maryland prosecutors.
The measure’s sponsor, Sen. Susan C. Lee (D-Montgomery), told the committee that no institution with a computer network is safe from potential attack.
“Schools, hospitals and even state’s attorneys are targets, and we need to stem the tide of aggression,” she said.
Baltimore City refused to comply with the hackers’ demands, but workers were unable to access online accounts and payment systems for weeks, resulting in $18 million in restoration and repair costs, Lee said.
In 2018, a separate attack against the city’s computer-assisted 911 dispatch system rendered it inoperable for nearly 24 hours.
The lawmaker said some private institutions are more likely to give in to hackers’ demands — usually via Bitcoin payments — to avoid the embarrassment of public disclosure.
The Maryland CyberSecurity Council supports Lee’s bill, which would make possession with intent to use ransomware a misdemeanor punishable by up to 10 years in prison and/or a $10,000 fine.
That sanction struck Sen. Christopher R. West (R-Baltimore County) as too light. He called ransomware attacks “abhorrent” and “totally unacceptable.”
But Ricardo A. Flores, head of government relations for the Maryland Office of the Public Defender, said the measure isn’t needed because the law already makes ransomware a crime.
“The Baltimore City situation is already criminalized and significantly so, because it is clearly extortion,” Flores said. “The amount of money that was asked for and the actual damages that resulted would subject those individuals … to a felony of up to 25 years” behind bars.
“This bill is really just a possessory offense where no actual damage has to actually occur,” he added.
Markus Rauschecker, the director of the cybersecurity program at the University of Maryland Center for Health & Homeland Security, called ransomware “a serious and growing threat for everyone” — individuals included.
“It’s getting more serious,” he said. “More must be done to prevent these kinds of malicious attacks, [with] greater consequences for those who chose to engage in this kind of criminal activity.”
Bruce DePuyt
Reporter
Bruce DePuyt is a contributor to Maryland Matters, where he was a full-time reporter until December 2022. Previously, DePuyt spent nearly three decades on local television, including 14 years as producer and host of “NewsTalk” on NewsChannel 8 in the Washington, D.C., region. He was a reporter and anchor on “News 21” in Montgomery, where he also served as producer and host of “21 This Week.” He then became a reporter and anchor at NBC affiliate WVIR in Charlottesville, Va. He appears occasionally on WTOP (103.5 FM), WAMU (88.5 FM) and MPT.
Related Articles
Bills aiding port workers and boosting the state’s struggling horse racing industry are among the last and most significant to pass on a Sine Day that was exceedingly busy — except during the solar eclipse.
Montgomery County senator will leave the legislature in May to become executive director of the Maryland Commission for Women.
Senate president has previously said he suspected the bill would receive a full Senate vote this year. Now he appears less sure.
Creative Commons Attribution