The Iowa House recently proposed two bills to criminalize ransomware and make it easier for law enforcement to charge cybercriminals for ransom attacks.
Under the proposed legislation, all ransomware attacks would be made illegal in the state of Iowa except those conducted for security and research purposes. In addition, the bills would specify the offenses in the Iowa Code by grading the severity of ransomware attacks, with ransoms of less than $10,000 classed as an aggravated misdemeanor punishable by up to two years in prison and a fine between $855 and $8,540.
Ransoms of between $10,000 and $50,000 would be considered a class D felony, punishable by up to five years and a fine between $1,024 and $10,245.
A ransom higher than $50,000 is a class C felony, which carries 10 years and a fine between $1,370 and $13,660.
While such attacks are already a federal felony under the Computer Fraud and Abuse Act, local cybercrime laws in Iowa do not specifically mention ransomware attacks. Experts believe the bill will help state law enforcement crack down on the growing issue.
Chris Cournoyer, a chair on the new Senate Technology Committee that proposed the bill, said the state is looking for more ways to defend against cyberattacks.
“It’s really important that we pay attention to it at the state level,” she said. “And make sure that we’re providing the [Iowa chief information officer] the resources that he needs to go out and support those local governments.”
Ransomware attacks — where software is used to disable a computer system until a sum of money is paid to the attacker — have been in the spotlight after several high-profile attacks last year.
In Iowa, the Cedar Rapids Community School District was a victim of such an attack last summer. The school district was forced to pay a ransom, but did not disclose the amount. In another instance, thousands of employees from the Linn-Mar Community School District had their Social Security numbers and names stolen in a similar attack.
Mollie Ross, the vice president of operations for the Technology Association of Iowa, supported the bills.
“Anything we can do to help prevent those attacks from happening in the first place is a good start,” she said. “Right now ransomware is technically legal in Iowa, which is pretty outrageous, I think everyone would agree.”
University of Dubuque Professor Dan Fleming told KWWL News that while Iowa is not the first state to criminalize ransomware, its focus on what constitutes an attack and the fact that it makes an exception for those who study the phenomenon set it apart, allowing law enforcement to concentrate on those actually committing the misdeeds.
“Someone like me, who wants to research it, having that software in my possession would be a crime, potentially, in Wyoming. Other places it’s a question of whether it’s legal or not to make the payments.”
However, Fleming also noted that most ransomware attacks originate overseas, so while the bills should help law enforcement in some instances, they aren’t a complete solution to the issue.