INDIANAPOLIS — Hackers who break into computer systems and demand at least $50,000 in a ransom could be charged with a Level 5 felony under a bill in the Indiana House.
But tracking and catching the culprits may prove to be difficult, officials say.
Indiana already has a law that makes unauthorized access of computers a misdemeanor crime of computer trespass.
Under House Bill 1444, the charge could become a Level 6 felony, which is the lowest level of felonies in Indiana, if the hacker prevents the owner of the computer system from accessing the computer or any files. The penalty grows to a Level 5 if the owner suffers a loss of at least $50,000.
The bill, which passed the House and is to be heard Tuesday in the Senate Corrections and Criminal Law Committee, comes in the wake of attacks on municipal computer networks.
Last November, Madison County government records were held for ransom. A hacker was able to get into the computer system and encrypted files and demanded a ransom.
The cyberattack affected property records, court documents and jail logs, along with other county government records. It delayed the online posting of Nov. 8 election results.
That same month, about 76,000 Howard County government files were encrypted in a ransomware attack.
Two emails, disguised as a FedEx message, were opened by county employees two days apart, one in a work email, the other a personal account. The emails told recipients that a package was undeliverable and provided an attachment for an invoice or certificate.
Ransomware is a form of malware that encrypts files on infected systems and forces users to pay a ransom to obtain a decrypt key, or password, for the undamaged files. Payment is usually sought with the hard-to-trace cryptocurrency Bitcoin.
Upon recommendation from the insurance carrier, Madison County agreed to pay nearly $21,000 to gain back access. The payment was untraceable. But the attack reportedly cost the county nearly $200,000 to repair. The county began storing its file offsite.
Howard County did not pay since it used backup systems, which gave it nearly 100 percent recovery of its files.
The bill developed at the suggestion of the owner of a law firm who contacted Rep. Christopher Judy, R-Fort Wayne. He then attended a Statehouse cybersecurity meeting where increasing the penalty for ransomware attacks was also recommended.
“There’s still some questions about it. How do we address this if the perpetrator’s overseas?” Judy said. “And one of the big questions is how do we identify these individuals that are sending that ransomware out? … But we will have something in place if are able to.”
Tracking hackers is extremely difficult for municipalities.
Even tougher may be bringing many of them to trial, Madison County Prosecutor Rodney Cummings said.
“I think many of the hackers are not even in this country,” he said. “It’s a nice feel-good piece of legislation but I’m not sure it’s going to be effective.”
Judy acknowledged that state legislators will need to adjust laws as computer technology rapidly changes.
“Technology in the past 20 years is infinitely changing," he said. "I don’t think as legislators we can truly stay even with it. We’ve just got to adapt with what technology comes out.”
In its fiscal analysis of the bill, the Indiana Legislative Services Agency reported that in the 54 counties that use the public Odyssey court case management system, the Indiana Supreme Court found nine people had been charged with computer trespass as a Class A misdemeanor. That was the least serious offense for which the defendant could be charged.
The Indiana attorney general’s office is monitoring progress of the bill but has not stated a position on it, a spokesman said.