After ransomware took Baltimore hostage, Maryland introduces legislation that bans disclosing the bugs ransomware exploits

Last spring, Baltimore underwent a grinding, long-term government shutdown after the city's systems were hijacked by ransomware. This was exacerbated by massive administrative incompetence: the city had not allocated funds for improved security, training or cyberinsurance, despite having had its emergency services network taken over by ransomware the previous year, and five city CIOs had departed in the previous four years either through firings or forced resignations.

The ransomware itself was built using a leaked NSA cyberweapon based on a bug in Windows that the Agency had identified, but not reported, so that it could retain the capacity to attack its adversaries. Once that cyberweapon leaked, it became a weapon that could and did shut down cities, businesses, hospitals, universities and private networks across the USA.

Now, Maryland's Senate Bill 30 attempts a belated, and ill-considered, response to the problems of ransomware. Rather than requiring cities to allocate funds for security, training or insurance, or protecting those who disclose bugs so that they can be patched before they're weaponized, the bill prohibits cybercrimes that are largely already defined in US federal statutes, and is so broadly worded that it "prohibit[s] vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored," in the words of disclosure expert Katie Moussouris, creator of Microsoft's bug bounty program.

The bill would be a good response if the bug that ransomware exploited was a legal one -- that is, if using ransomware was somehow legal and that was why we were seeing so much of it. But ransomware is a crime already, and ..