Maryland outlaws ransomware, calls for statewide security strategy
While state and local governments have been no strangers to cyberattacks, the ransomware attacks in Baltimore pushed the issue to the top of Maryland legislators' priority list. In 2019, a ransomware attack on Baltimore City made systems unavailable for weeks, disrupting city services. In November 2020, the Baltimore County public schools' IT systems were hit.
On Oct. 1 two new laws went into effect:
- SB623 prohibits the knowing possession of ransomware with intent to use. It also prohibits intentionally interrupting or impairing the functioning of a state agency, electricity or natural gas or other public service company, health care facility or a public school, with an exception for legitimate security researchers. Convicted persons will be subject to fines, jail time and civil suits.
- SB049 calls for the secretary of the Department of Information Technology (DoIT) to oversee a consistent cybersecurity strategy for state agencies and public universities and develop security guidance for local governments, school systems and other political subdivisions.
The two measures “go hand-in-hand,” Sen. Susan Lee (D-Montgomery), who sponsored both bills, told the Baltimore Sun. “A lot of the ransomware attacks have been on localities and on city governments, on hospitals and critical infrastructures. At least we are taking a first step in addressing these cyberattacks against our localities.”
DoIT has already posted guidance on response and recovery planning and IT certification policies for state agencies. It also offers security awareness training and a managed firewall service for state as well as county and municipal governments.
Connect with the GCN staff on Twitter @GCNtech.