Members of a key House cybersecurity subcommittee and a panel of expert witnesses agreed at a May 5 hearing on the pressing need to disrupt ransomware-driven cyber attacks, and aired a variety of strategies to move toward that goal.
Over the last year, the rate and severity of ransomware attacks have jumped dramatically for both the public and private sectors, and the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation subcommittee hearing aimed at finding solutions to the crisis.
Subcommittee Chairwoman Yvette Clarke, D-N.Y., stressed that while ransomware is by no means a new phenomenon, the COVID-19 pandemic has made the impact of ransomware attacks worse.
“As the COVID-19 pandemic forced governments and businesses to shift to remote work, thousands found themselves locked out of their networks as cybercriminals demanded ransom payments,” Rep. Clarke said. “These attacks are more than a mere inconvenience – they are a national security threat. It is time for bold action rooted in robust partnerships between the Federal government and its state, local, and private sector partners.”
Stop Paying Ransoms
Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA) and now a partner at Krebs Stamos Group, stressed that the U.S. must work to disrupt the lucrative ransomware business model.
He argued that ransomware victims must stop paying ransoms to their attackers. The former CISA head reasoned that paying ransoms only validates the business model and amounts to “essentially making a capital contribution to the criminal, allowing them to hire more developers, more customer service, and upgrade delivery infrastructure. And, most worrisome, go on to the next victim.”
To that end, Krebs encouraged Congress to better fund Federal agencies so they can properly investigate, disrupt, and apprehend cyber criminals.
To gain a better understanding of the ransomware economy, Krebs argued in favor of government policy mandating that anyone who pays a ransom – which he says should only be done as a last resort – notify the government and provide specific details. He also offered up another model where ransomware victims would have to seek a license or permission from the government before paying the ransom.
Krebs also said that to disrupt the business model, the United States needs to do more to understand the ransomware economy. He zeroed in on cryptocurrency, saying that “at the points where cryptocurrency intersects with the traditional economy, we need to take action to provide more information, more transparency, and comply with the laws that are already on the books.”
Better SLG Funding
Denis Goulet, CIO for the state of New Hampshire, and president of the National Association of State Chief Information Officers, stressed the importance of Federal funding for state, local, and tribal governments to help boost cybersecurity.
Goulet specifically addressed the State and Local Cybersecurity Improvement Act, which is sponsored by Rep. Clarke. The legislation would authorize $500 million in annual Federal grants to state, local, territorial, and tribal governments to strengthen their cybersecurity. As part of the legislation, grant recipients would be required to have comprehensive cybersecurity plans. The bill also would allow state and local governments to invest in fraud detection technologies and identity and access management technologies, and to implement advanced cybersecurity frameworks such as zero trust.
“Passage of the State and Local Cybersecurity Improvement Act would provide vital resources for state IT agencies, meaning my fellow CIOs and I would not have to compete against other agencies and states,” he said. “Ultimately, a specific cybersecurity grant program would allow us to better assist our local government partners and address threats from well-funded nation-states and criminal actors that continue to grow in sophistication.”
Task Force Report
During the hearing, Homeland Security Committee Chairman Bennie G. Thompson, D-Miss., praised a new report from the Ransomware Task Force, saying it provides “numerous recommendations on how we can develop a cohesive approach to combatting ransomware.”
Krebs also praised the task force’s report, saying the group has “identified where the real policy and operational gaps lie.” Those gaps, he said, illuminate “the need for prioritization across the national security structure, for greater ransomware-focused operational public-private collaboration, chokepoints in the crypto payments kill chain, and in addressing the challenges facing the cyber insurance industry.”
Krebs said that for the task force’s recommendations to “really take hold,” the Federal government needs to “start putting together a legislative package to enable the additional authorities and appropriations recommended by the group.” Pointing to another high-profile group focused on improving the U.S. cybersecurity posture, Krebs added, “There is a clear roadmap for cyber-related law, recently trail blazed by the Cyberspace Solarium Commission.”