With ransomware continuing to be a major issue in the early months of 2020, the state of Maryland is taking steps to make it scarce. According to the official website of the Maryland General Assembly, a bill has been introduced to make possession of ransomware illegal. The bill is SB 30 and is sponsored by Democratic State Sen. Susan C. Lee, who serves the 16th district and the county of Montgomery. The bill was pre-filed in May 2019 and had its first reading in Judicial Proceedings in early January 2020.
SB 30 is summarized by the Maryland General Assembly as seeking to do the following:
Prohibiting a person from knowingly possessing certain ransomware with the intent to use that ransomware for introduction into the computer, computer network, or computer system of another person without the authorization of the other person; establishing that a person who violates the Act is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 10 years or a fine not exceeding $10,000 or both; applying the Act prospectively; etc.
The bill is worded specifically so that it will not affect cybersecurity researchers who study ransomware, and as such, they will not be arrested for possessing it. While it seems like a no-brainer that possession of ransomware should be illegal, only a handful of U.S. states, like Wyoming and California, have made it so. Making ransomware illegal really won’t, in and of itself, deter attacks. Sen. Lee understands this and in a statement to the press, as quoted by CBS Baltimore affiliate WJZ13, says that SB 30 “gives prosecutors tools to charge offenders.”
SB 30 is obviously in its early stages, and as anyone with a background in civics knows, getting a bill passed into law is a laborious undertaking. Even if it becomes law, there will still be ransomware attacks. This would be true even if all 50 states and territories of the United States made ransomware possession illegal. The most prudent course of action against ransomware remains keeping security protocols up to date, educating people en masse about ransomware and its infection tactics, and continued research by cybersecurity professionals.