The surge in ransomware attacks over the last year has spurred attempts by government officials to bolster cybersecurity defenses, and those actions advanced on multiple fronts this week.
In an op-ed piece published by CNBC, U.S. Deputy Attorney General Lisa Monaco wrote that the threat of ransomware to the country’s national security and public safety is growing and that a full-throttled response is needed from the government to protect the United States – including government agencies, private companies and citizens – from attacks.
Monaco wrote that the Department of Justice (DOJ) is doing everything it can, from helping to stop attacks and seizing ransoms to prosecuting cybercriminals and shutting down the computers used to carry out the attacks. She also urged Congress to get more involved, including “by enacting legislation to create a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure and their supply chains.”
At the same time, at the Aspen Cyber Summit, Monaco announced two initiatives aimed at forcing government contractors to disclose when they have been attacked and targeting the role of cryptocurrency in ransomware campaigns.
Ransomware Fight Goes Global
The new initiatives are part of a larger effort by the Biden Administration and Congress to wield the power of government to push back against a surge of ransomware attacks big and small that have included such high-profile victims as energy company Colonial Pipeline, global meat processor JBS and Kaseya, a managed services provider.
The moves are on multiple tracks, including going after bad actors and groups that are directing the attacks and forcing private entities to be more forthcoming with information when they’ve been attacked or paid a ransom. The reporting is an important piece, Monaco wrote.
“Absent prompt reporting, investigative opportunities are lost, our ability to assist other victims facing the same threats is degraded, and the government loses the full picture of the threat facing our country,” she wrote. “The current gap in reporting hinders the government’s ability to combat not just the ransomware threat, but all cybercriminal activity. It means we go at it alone, without key insights from our partners in the private sector, and it needs to change, today.”
The Biden Administration has been vocal in addressing the ransomware threat since earlier this year. Most recently, the president this month called for a conference of 30 countries to address ransomware and other cybercrime, with plans to hold a virtual meeting sometime in October. Biden has already put pressure on Russia to address cyberattacks emanating from the country and has vowed to mitigate China’s cyber efforts.
New DOJ Ransomware Initiatives
The new initiatives by the DOJ – the creation of the National Cryptocurrency Enforcement Team and the civil cyber-fraud effort – come on the heels of other actions, including the launch of the Ransomware and Digital Extortion Task Force. In July, DOJ and the Department of Homeland Security (DHS) launched a website, StopRansomware.gov, as a clearinghouse for cybersecurity resources from across the federal government.
In addition, other government agencies have made moves to address the ransomware threat. DHS Secretary Alejandro Mayorkas announced that new TSA regulations will require major air and rail transportation companies to report cyberattacks to government officials. The requirement is similar to the one imposed on pipeline operators after the Colonial attack, which forced the major East Coast pipeline to shut down for days. Mayorkas reportedly indicated that the plan is to expand the mandate to other entities.
Congress also is beginning to act. The Senate Homeland Security Committee this week advanced the Cyber Incident Reporting Act, which would require critical infrastructure organizations such as hospitals and oil and gas companies to report cyberattacks and ransom payments within 72 hours. Republican lawmakers were able to exempt SMBs from the requirement. The bill still needs to be approved by both chambers of Congress.
An Eye on Ransom Payments
Sen. Elizabeth Warren (D-MA) and Rep. Deborah Ross (D-NC) also this week introduced the Ransom Disclosure Act, which would give organizations 48 hours to report information about ransomware payments – including the amount of ransom paid and the type of currency used – and would require DHS to make the information public. The bill still needs to pass both the Senate and the House before it can be signed by Biden.
In a statement, Warren said the bill is important because “ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals.” Citing figures from blockchain analysis company Chainalysis, she noted that the number of ransomware attacks jumped 62 percent worldwide – and 158 percent in North America – between 2019 and 2020, and that victims paid out almost $350 million in ransom last year.
The bill from Warren and Ross is an acknowledgement that unsecured Internet of Things (IoT) devices pose a security risk for enterprises of all sizes, according to Bud Broomhead, founder and CEO of IoT security vendor Viakoo.
“By far, hackers’ favorite targets are IoT devices because they are everywhere and easy to compromise,” Broomhead told eSecurity Planet. “Just ask Target and others whose IoT devices provided the attack surface that was breached to set up ransomware disruption and extortion.”
Cryptocurrency Needs to Be Addressed
In addition, Sens. Edward Markey of Massachusetts and Sheldon Whitehouse of Rhode Island, along with Reps. Ted Lieu of California and Jim Langevin of Rhode Island, sent a letter to the Departments of Justice, Treasury, State and Homeland Security urging them to ramp up efforts against ransomware, including addressing the role of cryptocurrencies, which are often demanded by bad actors as ransom payment. The Democratic lawmakers, the DOJ and other agencies are turning an eye to cryptocurrencies because the anonymity they afford makes it easier for attackers to stay hidden.
John Bambenek, principal threat hunter at cybersecurity vendor Netenrich, told eSecurity Planet that addressing cryptocurrency is critical to fighting back against ransomware.
“Without cryptocurrency, there would be no ransomware,” Bambenek said. “Moving money at the scale it needs to move is simply not viable for criminals using other methods.”
According to Karl Steinkamp, director of PCI product and quality assurance at cybersecurity consultancy Coalfire, regulation and compliance requirements for crypto asset exchanges and the third parties that operate in the cryptocurrency world will likely be part of the solution to protect retail and institutional investors. However, he cautioned, lawmakers need to understand the technology they are regulating.
“These efforts need to be carefully thought out and pursued in order to not stifle innovation,” Steinkamp told eSecurity Planet. “Politicians should not be including components within legislation without thoroughly understanding how the technologies work and the downstream implications.”
Kevin Dunne, president of cybersecurity vendor Pathlock, told eSecurity Planet that there are two areas where the government and private sector should collaborate. The first is around prevention, including working with platforms – such as cloud hosting providers, network companies and cryptocurrency exchanges – that could enable attacks and collecting information when accounts are initiated on the platforms to “provide the forensic information to track down stolen data and funds when attacks inevitably occur.”
The other area for collaboration addresses responses, which means working with victims and the platforms to collect information that will lead to the identification and prosecution of bad actors.
“Ensuring that there is a semblance of real risk to these attacks is essential in deterring them from happening in the first place,” Dunne said.