Congress Urged to Update Federal Laws to Combat RansomwareSenate Judiciary Committee Hears Testimony from DOJ, FBI, CISA
Congress needs to update and expand federal laws to combat the surge in ransomware attacks, federal cybersecurity experts told the Senate Judiciary Committee at a Tuesday hearing.
At the hearing held to address a series of ransomware attacks on critical infrastructure, including incidents targeting Colonial Pipeline Co. and meat processor JBS, senators heard from security experts at the U.S. Justice Department, FBI, Cybersecurity and Infrastructure Security Agency and Secret Service.
Congress should pass legislation that requires reporting of certain incidents to the federal government, gives law enforcement agencies additional tools to disrupt cybercriminal activity and enhances the ability of federal prosecutors to pursue prosecutions, Richard Downing, deputy assistant attorney general of the Justice Department's Criminal Division, testified.
Organizations hit by ransomware should be required to inform the federal government about the ransom demand, any payments made and the address where cryptocurrency payments are sent, Downing said. To encourage reporting, businesses should be given legal protections from prosecutions and other actions, he added.
"Such legislation would provide the federal government with a more complete view of the cyberthreat environment and the collective risk that cyberthreats pose to some of our nation's most sensitive entities and information," Downing testified. "For example, it would help authorities become better aware of when actors target critical infrastructure, export-controlled information and key biological research such as that involving COVID-19. Mandatory incident reporting would also assist federal efforts to defend the nation against cyberthreats and to pursue the actors responsible for them."
Downing also advocated changes in federal law to allow the FBI and federal prosecutors to pursue cases against those who develop, sell and rent out botnet networks that spread malware.
Under current federal law, the Justice Department has a more difficult time pursuing cases for those that rent or sell botnets compared to the creators of these malicious networks, Downing noted.
"We believe that it should be illegal to sell or rent surreptitious control over infected computers to another person, just like it is already illegal to sell or transfer computer passwords," he testified.
The Senate and House are considering numerous bills to bolster cybersecurity.
For example, Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., have introduced a breach notification bill with provisions along the lines of what Downing endorsed (see: Senators Introduce Federal Breach Notification Bill).
Meanwhile, four members of the Senate Judiciary Committee are sponsoring the International Cybercrime Prevention Act, which also includes provisions outlined by Downing, including greater criminal penalties for groups attacking critical infrastructure as well as new tools law enforcement agencies can use to disrupt botnets (see: Lawmakers Unveil Cybersecurity Legislation).
In his opening statement, Sen. Dick Durbin, D-Ill., the committee chairman, noted federal laws might have to change because cybercriminal gangs have built a lucrative business model and are operating freely in Russia and other nations.
"Those nations are unwilling to prosecute to pursue the evildoers," Durbin said. "We need to attack this new reality, and we need new protocols for preventing and responding to ransomware attacks."
Sen. Chuck Grassley, R-Iowa, the committee's ranking member, also noted that fighting ransomware has new urgency following a White House report that some hackers associated with the Chinese government and state intelligence and security agencies are conducting ransomware attacks as a side operation (see: Can the US Curb China's Cyber Ambitions?).
Several experts testified at the hearing that there are limits to how the Justice Department, the FBI and other law enforcement agencies can pursue ransomware and other cybercriminal gangs.
One of the biggest obstacles is the international nature of these attacks and the ability for cybercriminal gangs to hide behind layers of obfuscation, such as bulletproof hosting companies, said Bryan Vorndran, the FBI's assistant cyber director.
"If an actor is in a country like Russia or China, an arrest is currently not a viable option. Even when an indicted cybercriminal is in another country, Russia, in particular, takes actions to interfere with our extraditions," Vorndran testified.
"To make things more difficult, the lines between nation-states and cybercriminal actors are blurred, and even though a foreign nation may not be directing a ransomware campaign, it may still be complicit by providing a safe haven to those malicious actors who are doing harm to the United States, our citizens and our businesses."
Several senators raised the issue of changing laws to strengthen regulations for cryptocurrencies, especially bitcoin, which is the preferred method of payment for ransomware gangs. During its investigation of the Colonial Pipeline attack, the FBI managed to claw back $2.3 million of the $4.4 million ransom paid by tracking the digital wallet used by the Russian-speaking DarkSide ransomware group (see: FBI Seeks Extra Funds to Fight Ransomware, Other Threats).
Downing testified that federal prosecutors are looking at ways to apply current laws, such as the Bank Secrecy Act.
"We definitely see this as an increasing problem, and we're looking to the laws that we already have on the books … to enforce the rules and regulations that are already applying to cryptocurrency exchanges and other actors in this space," Downing said.
Sen. Sheldon Whitehouse, D-R.I., said he wants the federal government to mandate that companies that support the nation's critical infrastructure meet cybersecurity requirements.
"I think if there's ever a moment where we have a case study of a failure of critical infrastructure from cyberattack, this is it," Whitehouse said of the Colonial Pipeline attack. "I think we're entitled to a bit of a test case here on this voluntary method [for adopting cybersecurity standards] that we followed, and how it's working because it didn't work for Colonial Pipeline."
The Department of Homeland Security recently implemented new cybersecurity regulations for oil and gas companies, but Congress could pass additional laws with more requirements, noted Eric Goldstein, the executive assistant director of CISA (see: TSA Issues Cybersecurity Requirements for Pipelines).