"Ransomware attacks—the use of malicious software to deny users access to data and information
systems to extort ransom payments from victims—are prevalent. A recent notable example is the
May 2021 ransomware attack that temporarily shut down the Colonial Pipeline Company’s
network, affecting gasoline availability and prices. This attack is but one of many; in 2020 alone,
the Federal Bureau of Investigation (FBI) received nearly 2,500 ransomware complaints with
losses exceeding $29 million.

Federal law provides several potential approaches to combat ransomware attacks. First, federal
criminal laws, such as the Computer Fraud and Abuse Act (CFAA), can be used to prosecute those who perpetrate
ransomware attacks. These laws and others, such as the statutes criminalizing conspiracy and aiding and abetting, might also
be used to prosecute individuals who help to develop ransomware that is ultimately used by others. Victims who pay ransoms
might also be subject to criminal or civil penalties in some cases—for example, where a ransom payment is made knowingly
to an entity either designated as a foreign terrorist organization or subject to sanctions by the Department of the Treasury.
Nevertheless, policy considerations, mitigating factors, and prosecutorial discretion may weigh against enforcement in such
instances.

Second, federal cybersecurity laws play an important role in both preventing and responding to ransomware attacks. Cyber
preparedness laws require federal agencies to secure their networks and authorize the Cybersecurity and Infrastructure
Security Agency (CISA) and Office of Personnel Management (OPM) to establish federal network security requirements.
Other cyber preparedness laws authorize federal agencies to assist private entities operating in critical infrastructure sectors in
securing their systems. Moreover, many data protection laws include requirements for covered entities to safeguard customer
or consumer data. If a ransomware attack or other cyber incident occurs, federal law requires CISA and other federal agencies
to work together to mitigate harm to federal networks and authorizes them to assist private entities in incident response and
damage mitigation."
Ransomware
Thursday, October 7, 2021
Ransomware and Federal Law: Cybercrime and Cybersecurity