“Ransomware attacks threaten the health and safety of countless Americans,” Rubio said. “Our bipartisan bill provides the tools necessary to help safeguard critical infrastructure while discouraging and disrupting these criminal organizations, including the regimes who harbor them. It is time for the United States to take strong, decisive action to protect American businesses, infrastructure, and government institutions.”
“Cybercriminals don’t discriminate – they target small companies, large corporations and government agencies using ransomware,” Feinstein said. “Congress must do more to support all organizations and companies struggling to deal with these escalating attacks. Our bill will help the private and public sectors avoid ransomware attacks, reduce incentives to pay ransoms and hold foreign governments accountable if they provide a safe haven for ransomware perpetrators.”
The Sanction and Stop Ransomware Act would:
Critical Infrastructure Standards. Require the development of cybersecurity standards for critical infrastructure entities, consistent with existing federal regulations and existing NIST standards.
Cryptocurrency Regulations. Require the development of regulations for cryptocurrency exchanges operating to reduce anonymity of accounts and users suspected of ransomware activity and make records available to the U.S. Government in connection with ransomware incidents.
State Sponsor of Ransomware Designation. Direct the Secretary of State, in consultation with the DNI, to designate as a state sponsor of ransomware any country the government of which the Secretary has determined has provided support for ransomware demand schemes, including by providing safe haven for individuals or groups.
Sanction Authority. Require the President to impose sanctions and penalties on each state designated as a state sponsor of ransomware, consistent with sanctions and penalties levied on and against state sponsors of terrorism.
Ransomware Reporting Requirement. Require federal agencies, government contractors, and critical infrastructure owners and operators to report the discovery of ransomware operations within 24 hours, consistent with the Rubio-Warner-Collins Cyber Incident Notification Act.
A full section-by-section is available here.