The waves of ransomware that have swept through the United States during the last year have not only become a serious menace for enterprises but have moved into the realm of a threat to national security, experts told lawmakers Wednesday.
What began as a nuisance to consumers several years ago, and then evolved into perhaps the most pressing threat to enterprises at the moment, is also now a major part of the agenda in Washington as the new administration tries to get a handle on cybersecurity in general and ransomware specifically. Following last week’s release of a report from the Ransomware Task Force that recommended tighter cooperation between private sector groups, government agencies, and law enforcement, the House Committee on Homeland Security held a hearing on the ransomware threat, and the assessment the members heard from their witnesses was a dim one.
“To put it simply, we are on the cusp of a global digital pandemic driven by greed. Underlying factors are rooted in the digital dumpster fire with our seemingly pathological need to connect everything to the internet,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, said during the hearing.
“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security level threat. If there was any remaining doubt on that front, let’s dispense with it now. Too many lives are at stake.”
Ransomware attacks torment enterprises and government agencies alike, and though the Department of Justice has indicted a number of foreign citizens associated with ransomware groups and the Office of Foreign Assets Control has sanctioned groups and individuals for their roles in attacks, those moves have done little to stem the tide. Adding to the problem is the cooperation between some ransomware groups and the governments of some of the countries from which they operate. In April, the Department of the Treasury formally tied the Evil Corp cybercrime and ransomware group to the Russian FSB intelligence service. The U.S. government has also tied the government of North Korea to ransomware operations and said that the operations help fund the government’s activities.
During Wednesday’s hearing, Krebs and other witnesses assured the committee members that these were not idle claims.
“Ransomware gangs and foreign intelligence services are working hand in glove now. Those are the linkages that we really need to explore. That for me is what tipped ransomware over into a clear national security threat,” Krebs said.
John Davis, a retired Army major general and now vice president at Palo Alto Networks, said some foreign governments view cybercrime groups as handy proxies for malicious cyber activities and disinformation campaigns.
“State actors now see an opportunity to leverage non-state entities, and it’s also useful as a way to circumvent sanctions. We have seen various states that have begun to embrace this idea to undermine democracy,” Davis said.
While the seriousness of the ransomware threat is not in question, the best way to address it is far from certain. One thing that does seem certain is the need for more funding at both the federal and state levels to upgrade technology and provide for better investigative and response capabilities when ransomware hits. Rep. Yvette Coleman (D-N.Y.), chairwoman of the Homeland Security committee, said she plans to introduce the State and Local Cybersecurity Improvement Act in the next few days, a bill that would provide $500 million in grants to state, local, tribal, and territorial governments for cybersecurity. While funding can help agencies shore up their defenses and recover if they fall victim to ransomware, removing the financial incentives for cybercrime groups to engage in ransomware attacks in the first place is another top priority for legislators.
The Ransomware Task Force’s report recommends that states amend their breach disclosure laws to require that organizations disclose ransomware payments before making them. While some legislators have advocated making ransomware payments illegal, that’s unlikely to happen. A payment-disclosure requirement, which could give law enforcement agencies a running start on tracing the payments and their recipients, seems more practical and workable.
“Payments should be made as a very last resort, and maybe they should be logged,” Krebs said.
Requiring the disclosure of payments for government agencies is a simpler task than doing so for private companies, and may be the logical place to start.