RALEIGH, N.C. (WNCN) – Amid the concerns over the ransomware attack targeting Colonial Pipeline, North Carolina lawmakers want to make clear that state and local governments will not pay ransoms to hackers.
A bill the House of Representatives passed unanimously Wednesday would prohibit state agencies, local governments, school systems, and community colleges from making those payments or communicating with the people demanding the ransom.
“They then become less of a target. The whole purpose is to hold software hostage for money. So, if we take away that incentive, hopefully, they move on to something else,” said Rep. Jason Saine (R-Lincoln). “What’s happening with the pipeline right now just highlights the situation and how bad it can be.”
Ransomware attacks have targeted government agencies for years, including in Chatham County late last year. County officials said an attack last October caused them to lose the use of computers, internet access, office phones, and voicemail.
County officials did not pay the ransom demand of 50 Bitcoin, valued at about $670,000 at the time.
“Paying the ransom just encourages this kind of behavior,” County Manager Dan LaMontagne told CBS 17 in February. “If you pay the ransom, they would unencrypt our files. All the remnants of the software that they put in our system would still be there.”
The FBI has told local officials that it “does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data.”
Saine said he thinks it’s important to put that position into state law in an effort to try to deter attacks.
“Part of the problem is you’re essentially negotiating with terrorists anyway. There’s no guarantee that once the money’s released that you’ll get your data back or they won’t at a later time release that same information,” he said.
The bill also clarifies the requirements for agencies to report these kinds of attacks to the state Department of Information Technology.
There have been 37 ransomware attacks reported to that agency since 2016 targeting state agencies, local governments, K-12 schools and community colleges.
Current law requires local governments to report cyber incidents under certain circumstances such as when they impact critical infrastructure or result in a significant loss of data.
Saine said by making the reporting requirement clearer, the state would have better data about how common the issue actually is.
“We don’t really know from a state government perspective how many attacks we have,” he said.
The vote came days after a ransomware attack impacting Colonial Pipeline. Though state and federal officials have encouraged people not to buy gas unless they actually need it, gas stations across North Carolina have had long lines with many running out of fuel to sell in the last couple of days.
Saine’s bill does not require private entities to report cyber incidents to DIT but encourages them to do so.
“It’s a concern, but again it’s one of those things where best practices and industries should be doing that,” he said.
Cybersecurity expert Craig Petronella, who owns Petronella Cybersecurity and Digital Forensics, said the incident should serve as a “wake-up call” to companies.
“They need to know where they stand and what their risks are and fill those gaps as quickly as possible because this will not be the last attack on our infrastructure,” he said. “There needs to be a long list of remediation items that shore up and make sure the attackers don’t hit them again because oftentimes they don’t hit just one time.”