California lawmakers want to bring down the hammer on ransomware

Ransomware: There ought to be a law against that.

Well, in the US, there sort of is: the federal Computer Fraud and Abuse Act. But if you’re a state prosecutor, you need to use laws that aren’t perfectly designed for ransomware, because it didn’t exist when many of those laws were written.

Enter the California state legislature.

California’s often pioneered new US laws that spread nationwide – for example, on energy efficiency, pollution, and privacy. Now, as reported by the Los Angeles Times, some of its legislators want to do the same for ransomware.

Senate Bill 1137 would make it a felony to:

…knowingly introduce ransomware into any computer, computer system, or computer network… punishable by imprisonment in a county jail for two, three, or four years and a fine not exceeding $10,000.

In introducing S.B. 1137, State Senator Bob Hertzberg pointed to the ransomware infection that recently shut down communications at Hollywood Presbyterian Medical Center, as well as the attack against the LA County Department of Health Services a few weeks later.

He also cited the Institute for Critical Infrastructure Technology’s claim that “2016 is the year ransomware will wreak havoc on America’s critical infrastructure.”

If you’ve ever watched that legendary Schoolhouse Rock segment on how a bill becomes a law, you know it’s a long, long journey. Still, Hertzberg’s bill sailed through the State Senate 38-0, then won unanimous approval from two State Assembly Committees. Plus, it’s got the backing of major Silicon Valley lobbying organization TechNet, representing heavy hitters like Microsoft, Cisco, Google, Oracle, Facebook, and Apple.

Next step: a vote by the full State Assembly. If they say yes before they go home for the year, S.B. 1137 goes to Gov. Jerry Brown’s desk for a signature. That’s no sure thing, because he’s occasionally vetoed legislation when he thinks prosecutors already have enough tools to make their case – precisely the claim made by the bill’s few opponents.

Supporters at the LA District Attorney’s office say they need this law to eliminate loopholes in California’s Comprehensive Computer Data Access and Fraud Act, and because state extortion statutes “may not properly cover the type of harm caused by ransomware.”

That’s because the extortion laws make it a crime to “obtain property… with the individual’s consent by a wrongful use of force or fear,” but ransomware attackers don’t threaten to harm your property: they’ve already done it, and want money to undo the harm. “The difference is slight,” admits the LA DA, “but extremely important in a criminal prosecution.”

You can check out the pros and cons yourself, by reading the same independent analysis that legislators get before they vote. You can also track the bill’s progress through Sacramento’s legislative labyrinth. (Assuming those systems haven’t been attacked by ransomware, as happened to Hertzberg’s own Senate office, right after his bill was approved by the State Senate.)

Of course, S.B. 1137 raises a bigger question – how’s California going to catch ransomware attackers, when they could be anywhere on earth, and it can’t catch them now? In the LA Times, computer crime prosecutor Don Hoffman admits that’s an issue.

But he argues that ransomware tools are becoming consumerized:

The level of skills… required to launch such a campaign will not be as high, and we certainly expect attacks to be coming from more countries and within the US.

In other words: it’s going to get worse. But those local script-kiddie slobs, he might just catch. And if he does, he’ll be darned if they skateboard away on some West Coast legal loophole.