CISA Leader: 'We've Not Seen a Change' in Ransomware Attacks
In Hearing, DHS Cyber Officials Outline Counter-Ransomware Efforts
Several key federal cybersecurity leaders in the U.S. on Wednesday outlined the Biden administration's approach to countering ransomware, which they called a national security issue. The leaders are backing incident reporting legislation and assessing Russia's progress in curbing attacks conducted within its borders.
"Based upon the reporting made to the federal government at this time, we've not seen a change in the amount of ransomware targeting [the U.S.]," said Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency.
"It seems to me [then], that Russia has broken its promise," Rep. Ritchie Torres, D-N.Y., responded.
Robert Silvers, Department of Homeland Security undersecretary for the Office of Strategy, Policy, and Plans, and Jeremy Sheridan, assistant director of investigations for the Secret Service, also outlined executive-level efforts to combat ransomware - including the continuation of international law enforcement actions, indictment of known cybercriminals and seizure of operators' cryptocurrency proceeds.
'Safe Havens in Russia and China'
In this House Homeland Security Committee session, entitled "A Whole-of-Government Approach to Combating Ransomware: Examining DHS' Role," Rep. Elissa Slotkin, D-Mich., chairwoman of the Intelligence and Counterterrorism Subcommittee, said, "I'm pleased that we're strengthening [efforts] against ransomware and I'm glad that it's bipartisan - that's an extremely important thing. And we know DHS is a key federal player in this whole conversation."
"The criminals behind these attacks are emboldened not only by the large sums that they command for the ransoms, but also the relative anonymity that they are able to maintain," said Rep. August Pfluger, R-Texas. "Those groups launch their attacks from safe havens in Russia and China. And they operate because of the blind eye and even encouragement that these countries offer. [But recent U.S. actions] should serve as a warning to every cybercriminal that the U.S. will bring them to justice, no matter where they're located."
The chair of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, Rep. Yvette Clarke, D-N.Y., said in her remarks that she is pleased Congress is "stepping up" to provide the authorities and resources "necessary to combat ransomware." In particular, she highlighted the recently passed Infrastructure Investment and Jobs Act, which provides some $1 billion in cybersecurity preparedness grants to state, local, tribal and territorial governments. She also pointed to the new $100 million Cyber Response and Recovery Fund that will now provide state and local governments "alternatives to making ransom payments" (see: Infrastructure Bill Features $1.9 Billion in Cyber Funding).
"Together, these new resources will help make ransomware a higher-cost, lower-reward endeavor," Clarke said. She also voiced support for the mandatory incident reporting legislation being considered through Congress' annual National Defense Authorization Act.
DHS' Silvers said the administration is "taking the fight to" those carrying out ransomware attacks, in part through the Treasury Department's first-ever sanctions against cryptocurrency exchanges allegedly tied to ransomware transactions, the Russia-based Suex and Chatex platforms, and through the Department of Justice's efforts to claw back millions of dollars in cryptocurrency from actors behind prominent attacks.
Awareness Efforts Within CISA
CISA's Wales, who served as interim director before Jen Easterly took office in July, said that "strengthening resilience to withstand ransomware attacks is arguably the most difficult element of our collective efforts, as it ultimately relies on changing certain steps - such as spotting phishing attempts and implementing multifactor authentication.
"Every organization that wants to avoid being a victim of ransomware must invest in the practices that keep their customers, systems and data protected."
The CISA leader said the agency is working to raise awareness about cyber hygiene across tens of thousands of businesses and government agencies, to raise the "collective baseline." He said DHS' "StopRansomware.gov" site now has more than 450,000 page views and its readiness tools have been downloaded some 50,000 times. Wales also pointed to this month's mandate requiring federal agencies to patch known vulnerabilities (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
He said CISA receives information on "only a fraction" of incidents, "hampering our ability to conduct critical analysis, spot adversary campaigns, release mitigation guidance and provide timely response. That is unacceptable. … I urge Congress to move quickly on this urgent priority and adopt incident notification legislation."
Secret Service Efforts
The Secret Service's Sheridan told Congress that its investigative teams across 100-plus global offices have responded to over 700 network intrusions, prevented $2 billion in financial losses and returned over $54 million to victims through asset forfeitures.
"While technology has rapidly evolved, our investigative approach has remained the same: We follow the money," he told lawmakers. "In doing so, we develop detailed evidence on transnational cybercrime networks by working with our partners around the globe, and use this evidence to ensure the most significant criminals are apprehended and face justice. Extraditing cybercriminals to the U.S. disrupts, deters and prevents future criminal activity."
He called on Congress for "continued support" around the Secret Service's international operations.
Asked about classifying crypto-locking attacks, the witnesses did not label them as "terrorism," but Silvers called crypto-locking "a heinous crime that is not just ordinary - and raises to the national security level." Wales said, "These are crimes that are designed to inflict terror on their victims.
"As long as ransomware is a viable tool to raise money, and as long as [the attackers] continue to be paid, people will continue to flock to this."
When asked about the spread of ransomware to Southeast Asia and sub-Saharan Africa, Silvers noted: "We do see ransomware emanating from a variety of different countries, and that is why one of the most important pillars of this administration's ransomware strategy has been a diplomatic effort to link arms" (see: US Convenes Global Ransomware Summit Without Russia).
'Minor Security Lapses'
Elsewhere in Congress this week, the House Oversight and Reform Committee issued a staff memo that said recent high-profile ransomware attacks "took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks."
The memo summarizes a monthslong panel investigation into attacks against Colonial Pipeline, which paid a $4.4 million ransom, a portion of which was later recovered by the DOJ; meat supplier JBS USA ($11 million ransom); and insurance group CNA Financial Corp. ($40 million ransom). "Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack."
The committee also found that the organizations faced immediate pressure to pay from attackers, and that, according to the memo, "Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced."