After ransomware took Baltimore hostage, Maryland introduces legislation that bans disclosing the bugs ransomware exploits

Last spring, a Baltimore underwent a grinding, long-term government shutdown after the city's systems were hijacked by ransomware. This was exacerbated by massive administrative incompetence: the city had not allocated funds for improved security, training or cyberinsurance, despite having had its emergency services network taken over by ransomware the previous hear, and five city CIOs had departed in the previous four years either through firings or forced resignations.

The ransomware itself was built using a leaked NSA cyberweapon based on a bug in Windows that the Agency had identified, but not reported, so that it could retain the capacity to attack its adversaries. Once that cyberweapon leaked, it became a weapon that could and did shut down cities, businesses, hospitals, universities and private networks across the USA.

Now, Maryland's Senate Bill 30 attempts a belated, and ill-considered, response to the problems of ransomware. Rather than requiring cities to allocate funds for security, training or insurance, or protecting those who disclose bugs so that they can be patched before they're weaponized, the bill prohibits cybercrimes that are largely already defined in US federal statutes, and is so broadly worded that it "prohibit[s] vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored," in the words of disclosure expert Katie Moussouris, creator of Microsoft's bug bounty program.

The bill would be a good response if the bug that ransomware exploited was a legal one — that is, if using ransomware was somehow legal and that was why we were seeing so much of it. But ransomware is a crime already, and thus the problem is technical and institutional, erupting from the fracture line where poor quality software meets poor security practices. Regrettably, Maryland SB 30 makes software worse (by banning third-party disclosures without permission, effectively giving companies a veto over those who can truthfully reveal that their products are defective) and does nothing to improve security practices within city governments or other public institutions.

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person."

Maryland bill would outlaw ransomware, keep researchers from reporting bugs [Sean Gallagher/Ars Technica]