Countering Cyberthreats: 2 Legislative Proposals Introduced
One Measure Calls for Sanctions Against Nations Tolerating Ransomware Gangs
Two bipartisan bills introduced in Congress this week seek to address cyberthreats. One calls for imposing sanctions against countries that allow ransomware gangs to operate within their borders. Another would require law enforcement agencies to better track cybercrime statistics to identify trends.
On Thursday, Sen. Marco Rubio, R-Fla., who is the ranking member of the Senate Intelligence Committee, and Sen. Dianne Feinstein, D-Calif., the senior member of the committee, introduced the Sanction and Stop Ransomware Act.
In addition to calling for sanctions against governments that allow cybercriminals to operate, the bill would establish cybersecurity standards for critical infrastructure and create new regulations for cryptocurrency exchanges.
"The most important part of this bill is the sections highlighting the fact that ransomware groups are operating with impunity in locations owned by governments that are providing a safe harbor from international law enforcement and the direction to develop regulatory actions around cryptocurrency," says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
Berglas, now the global head of professional services at cybersecurity firm BlueVoyant, also notes that the part of the bill that calls for cryptocurrency exchanges to better monitor suspicious transactions and adhere to know-your-customer standards would help the FBI and other law enforcement agencies track virtual currency used in ransomware extortion attempts.
Meanwhile, a bipartisan group of lawmakers in the House and the Senate has introduced legislation called the Better Cybercrime Metrics Act, which would require the Justice Department and the FBI to compile more detailed statistics about cybercrime as well as develop a taxonomy to help contextualize and sort this data.
"What we do not measure, we cannot fix. By improving reporting on cybercrime, this bill is the first step toward fighting back against a massive scourge afflicting consumers, communities and our economy," says Sen. Richard Blumenthal, D-Conn., one of several senators co-sponsoring the bill.
Congress is already considering several other proposals to help counter cyberthreats that have been introduced in the aftermath of the supply chain attack against SolarWinds, intrusions against vulnerable Microsoft Exchange servers conducted by groups connected to China and ransomware attacks that targeted critical infrastructure, such as the attack on Colonial Pipeline Co.
For example, a federal breach notification bill sponsored by Rubio and Sen. Mark Warner, D-Va., would require certain organizations to report cyberattacks within 24 hours or face a penalty (see: Senators Introduce Federal Breach Notification Bill).
Meanwhile, the Biden administration issued sanctions against Russia for its alleged role in the SolarWinds attacks. And this week, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, left open the possibility of levying sanctions against China over the Exchange attacks (see: Anne Neuberger on Why No Sanctions Issued Against China Yet).
Speaking at the Black Hat 2021 conference on Thursday, Alejandro Mayorkas, the secretary of the U.S. Department of Homeland Security, noted that actions by Russia and China threaten the stability of the global internet.
"We are competing between two visions - one from countries like Russia, China and Iran who want to limit access and maximize control, and another from the United States and our allies who want to build and protect a free, open and secure internet," Mayorkas said.
State Sponsors of Ransomware
The bill that Rubio and Feinstein introduced this week would allow the secretary of state, in consultation with the Office of the Director of National Intelligence, to designate a foreign government as a "state sponsor of ransomware" when a country allows a cybercriminal gang to operate freely within its borders. The measure would require the president to issue sanctions against these countries.
"Our bipartisan bill provides the tools necessary to help safeguard critical infrastructure while discouraging and disrupting these criminal organizations, including the regimes who harbor them," Rubio says.
The bill also would require the operators of cryptocurrency exchanges to report suspicious activity, such as virtual currency used as part of a ransomware extortion scheme, to regulators. And it would create cybersecurity standards for agencies and businesses that oversee critical infrastructure.
Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, says some of the bill's provisions may be redundant.
"The State Department already has a reward available for information that will tie a ransomware gang to a supportive government," says Hamilton, now the CISO for Critical Insight. "We already have the capability to sanction bad actors, and legislation has been previously introduced to mandate reporting of ransomware events."
Gathering Cyber Stats
The second bill under consideration would require the FBI to integrate cybercrime statistics into the bureau's various reporting mechanisms. It would also require state and local law enforcement officials, as well as other federal law enforcement agencies, to report cybercrime numbers from their jurisdictions to the FBI.
The bill also would require the Justice Department to work with the National Academy of Sciences to create a taxonomy to help researchers better study statistics related to cybercrime. Plus, the measure would require the Government Accountability Office to produce a report on the effectiveness and shortcomings of reporting cybercrime statistics.
While the Uniform Federal Crime Reporting Act of 1988 requires federal agencies to report property crime to the FBI, reporting of cybercrime to the bureau from federal and local law enforcement agencies is inconsistent, says Rep. Abigail Spanberger, D-Va., who is one of the co-sponsors of the House version of the bill. The measures would make those reporting standards more uniform and centralized, she says.