It’s now against the law for cities to pay ransomware demands
This is the first article of a small series written to address the new cybersecurity laws that went into effect July 1st, 2022 affecting Florida municipalities and counties.
Effective July 1st, 2022, the Florida Legislature is now prohibiting cities and counties from paying any ransomware demands. Ransomware is a common attack method used by hackers where they lock the organization’s files and can only be unlocked by a specialized key. The attackers then ask for money in exchange for the decryption key.
The exact statute is sparse on details and does not specify penalties, but it’s still a big move that will make the story of the City of Lake City’s attack and payment a relic of the past. In that specific case, the Florida city paid over $450,000 to the attackers and yet still had systems that remained encrypted. In an earlier case in South Florida, Riviera Beach paid $600,000 for a similar attack. Under the new law, both of these cities would have been barred from making any ransom payments.
So the question remains to be asked: will stopping payments stop the attacks?
Maybe.
Imagine the following scenario. An attack group infiltrates a Florida city’s network. As most ransomware deployments are automated, the attackers wouldn’t aren’t spending much time studying the network, let alone spending time to determine which state the victim municipality is in. In fact, if they are using their persistent foothold to dig deep into the contents of the network, they’ll likely use a different method to make money, such as harvesting banking or other personal information. They’d likely do this since they know their ransomware demands will produce no monetary reward for them.
I don’t think the law is a bad thing, but it just doesn’t offer any real protection. So what does it do?
It forces municipalities to take cyber security more seriously, because we all now know paying the demand isn’t an option. And as long as the Legislature continues to support cities and towns in this journey of actual, non-gimmick hardening of our networks, I think this is a great first in a series of moves for Florida to be more secure. As a bonus, I can only imagine this will start to attract even more security talent to Florida as well.
All in all, I’d say this is a great move.
If you’re a Florida municipality and want to ensure you’re prepared from a cybersecurity perspective, get in touch with us today.
