Will Ransomware Attacks Push Congress to Enact Regs?
Recent Congressional Hearings Highlight Need for Greater Cybersecurity Oversight
After hearings in the Senate and House on a spate of ransomware attacks that have put the nation's critical infrastructure in danger, some security experts say Congress may be poised to take action to create greater regulatory oversight of cybersecurity within certain industries.
For example, two hearings that featured testimony from Colonial Pipeline Co. CEO John Blount concerning the May 7 ransomware attack that led his company to suspend operations of a 5,500-mile oil and gas pipeline for nearly a week highlighted the need to improve the cybersecurity of critical infrastructure.
"These attacks on our critical infrastructure are happening right in front of our eyes. The next steps that we take … should be a mix of short-term tactical and longer-term national policy shifts," said John Katko, R-N.Y., the ranking member of the House Committee on Homeland Security. "The next step the government will need to take is to lead in certain areas, and other responsibilities will be on industries. Through all of this, we must work together."
During his confirmation hearing on his nomination to serve as U.S. cyber director, John "Chris" Inglis echoed similar concerns.
"There are generally three ways that [cyber] standards can come about. One is enlightened self-interest - that's apparently not working. The second is market forces - that's apparently not working. And the third is some imposition of standards or regulations," Inglis said at the hearing.
Jen Easterly, who has been nominated for director of the U.S. Cybersecurity and Infrastructure Security Agency, echoed those sentiments at the same hearing: "Voluntary standards are probably not getting the job done. ... There probably is some sort of role for making some of these standards mandatory."
Identifying Critical Infrastructure
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, notes that if Congress decides to regulate more of the nation's critical infrastructure as a way to help counter ransomware attacks, lawmakers need to first clearly define what's included in that infrastructure.
Under Presidential Policy Directive 21, CISA lists 16 sectors that are considered critical infrastructure. Touhill notes that nearly every business in the U.S. could be included as critical under these criteria, so Congress needs to provide more specifics - as well as clarify what kinds of security incidents should be reported.
"It's very important to be precise as to define what constitutes a cybersecurity incident," says Touhill, who's now the director of the CERT division of the Software Engineering Institute at Carnegie Mellon University. "And then what is the timing for notification and to whom? Do you report an incident to the sector-specific agency? For example, if you're in the energy sector, do you make your notification to CISA? Or do you make it to [Department of Energy]? And if you do report to the sector-specific agency, what are they supposed to do with it? And then who are they supposed to notify? All of these mechanics come into play. But the toughest thing to define is what constitutes an incident and what is reportable."
Touhill suggests that Congress look to the financial sector, which is already regulated by agencies such as the Securities and Exchange Commission; the SEC requires some reporting of cyber incidents affecting certain financial documents.
"The financial services sector already has playbooks for cybersecurity and has clear definitions of what is meant by incidents and notifications and all that," Touhill says.
Since the ransomware attack on Colonial Pipeline in May, the U.S. Department of Homeland Security, through its Transportation Security Administration and CISA, has added cybersecurity requirements for the oil and gas industry (see: DHS Unveils New Cybersecurity Requirements for Pipelines).
Phil Reitinger, a former director of the National Cyber Security Center within the U.S. Department of Homeland Security, says that while these are important first steps, Congress needs to consider other measures, including giving DHS additional authority to ensure that critical infrastructure is protected.
"I hope we are at least stumbling toward the idea that some cybersecurity requirements for critical infrastructure must be in place," says Reitinger, who is now president and CEO of the Global Cyber Alliance. "So far, we mostly just have new rules for pipelines. While that is a necessary response, focusing on pipelines is reactive and insufficient. DHS needs to be given more authority to set requirements for the most critical infrastructure."
Since the Colonial Pipeline attack, lawmakers from both parties have proposed bills to address specific issues within the oil and gas industry. Senators Gary Peters, D-Mich., and Rob Portman, R-Ohio, have sent a letter to the Biden administration to ask for specific information about cybersecurity as they prepare to craft new legislation to address issues of ransomware, according to The Washington Post.
While Congress debates legislation, the FBI and other law enforcement agencies are taking action in an attempt to interrupt the virtual currency payments that make the ransomware model work.
On June 7, the Department of Justice announced it had recovered $2.3 million of the $4.4 million that Colonial Pipeline paid to the DarkSide gang to obtain what turned out to be a faulty decryptor. That recovery demonstrated federal authorities can track bitcoin through the blockchain (see: How Did FBI Recover Colonial Pipeline's DarkSide Bitcoins?).
Tom Kellermann, head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, says he would like to see lawmakers ban ransomware payments made with cryptocurrency.
"It is also my sincere hope that seized virtual currencies are used to fund cybersecurity across critical infrastructures via grants issued by CISA," Kellermann says.
Focusing on disrupting illegal cryptocurrency payments was a recommendation included in a framework published by the Institute for Security and Technology's Ransomware Task Force in April. That framework also called for creating laws and regulations in the U.S. and elsewhere to regulate cryptocurrency and help deprive cybercriminals of funds (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).
Meanwhile, the FBI and other agencies have devised ways to track cryptocurrency used to help facilitate cybercrime. In November 2020, for example, the Internal Revenue Service's criminal investigation unit used a firm to track bitcoin transactions associated with the now-defunct Silk Road darknet market to recover nearly $1 billion in cryptocurrency (see: DOJ Seizes $1 Billion Worth of Bitcoin Linked to Silk Road).
Touhill says, however, that cybercriminals will continue to find ways to collect funds until the entire ransomware business model is disrupted.
"When it comes to criminals, they are going to figure out a way, and law enforcement is going to figure out a way around that," Touhill says. "So bravo to the FBI, who did a great job recovering a portion of the ransoms, but it's a drop in the bucket compared to a billion-dollar ransomware industry right now. But it's encouraging to see them do this."