As states look to legal frameworks to deter the rising tide of cyberattacks against state and local governments, Maryland is seeking to criminalize the possession of the tools that make them possible.
Coming on the heels of Baltimore's catastrophic cyberattack last year, a new bill in Maryland would criminalize the possession of ransomware if a person intends to use it maliciously.
Senate Bill 30, introduced in January by Sen. Susan C. Lee, D-Montgomery, would make possession of the malware a misdemeanor, punishable by up to 10 years in prison and a $10,000 fine. The bill makes exceptions for researchers who may be using the malware to better understand how it works.
The bill, which has the full support of the Maryland Cybersecurity Council, had been introduced in "various forms" in the past, but has failed to advance due to "minor technical concerns," said Lee, during the bill's recent Judicial Proceedings Committee hearing. The most recent legislation has been re-drafted to address those earlier concerns, she added.
One advocate of the newly proposed law is Markus Rauschecker, a cyberprofessional who sits on the state's Cybersecurity Council alongside Lee. Rauschecker told Government Technology that explicitly making use of ransomware illegal will hopefully deter future criminal behavior.
"A bill like this one just provides very clear, straightforward language on what that crime is and what the punishment for it is... and it's another powerful tool that prosecutors and law enforcement [can] have," Rauschecker said.
However, given the anonymous nature of most cybercrime, there are some very obvious limitations to what this law could actually accomplish. Ransomware — which is already illegal to possess in a number of states, including Michigan, Wyoming and California — ravaged cities and towns across the country last year, but in most cases the culprits never went to prison or were even publicly identified.
Computer crime laws aren't exactly new, either. In some senses, this newest law could be viewed as partially redundant — given that Maryland already has laws against hacking into computers, databases and networks, and that current law already makes a cyberattack resultant in over $10,000 in losses a felony.
Furthermore, new legal frameworks are just one part of what states and cities need to do to better protect themselves, Rauschecker added. Laws need to be paired with robust response plans and security coordination between state, local, federal and private entities.
"Fundamentally what's important is to have a [cyberincident response] plan in place and to know exactly what you're going to do if you are affected by some sort of incident," he said. "These plans should be "continuously tested and improved upon," he added.
Looking to the future, Rauschecker said that collaboration in cybersecurity efforts will have to cross international lines.
"At an even higher level, you're going to need nation states collaborating with each other because these cybercriminals are all over the world and nation states need to be able to work together to identify where they are located, apprehend them and then extradite them to where they caused the harm," he said.