Cyberattacks Are on the Rise. What Can Congress Do?

A number of things may help on the margins, but experts point to deterrence as the most effective policy lever.

By
75

The past few months have revealed how disruptive ransomware attacks can be to our economy and everyday lives. In May, a Russian hacking firm attacked Colonial Pipeline, shutting it down for days. Americans endured long gas lines and closed stations and the company ended up paying $4.4 million in ransom to the hacking company, DarkSide. 

On July 2, the IT firm Kaseya announced it had been targeted in an attack that ended up affecting between an estimated 800 to 1,500 companies on five different continents. Here, too, the hackers were a Russian firm: the REvil ransomware group demanded $70 million to undo the damage.

A ransomware attack even affected the day-to-day work done by congressional staff. iConstituent, a system that many offices on the Hill use to coordinate constituent services, was targeted in an attack months ago. Nearly 60 House offices were affected by the attack, making it impossible to access some constituent information for weeks, Punchbowl News reported. 

Companies like DarkSide and REvil are not state actors, but experts and lawmakers say it is impossible for companies to pull off attacks like this without the Russian government knowing about it. In a call earlier this month, President Biden told Russian President Vladimir Putin that the United States “will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

Keep reading with a free account
Create a free Dispatch account to keep reading Get Started ALREADY HAVE AN ACCOUNT? SIGN IN
75
By
Comments (75)
Join The Dispatch to participate in the comments.
 
  1. Avatar photo
    Pat Riot

    By the way, it might be a good time to remind everybody that Trump once proposed we merge our county's cybersecurity efforts with Russia:

    https://www.politico.com/story/2018/07/16/trump-putin-russia-cybersecurity-689470

    Collapse
  2. Avatar photo
    Victor Clairmont

    The age of cyber piracy has long begun.

    Countries and governments have a long history of intervention against piracy, from the Barbary Wars and the Marines going to Tripoli from America, to the English sending the British fleet to hunt down and protect the East India Trading company from pirates raiding her ships. When citizens assets, taxes, and other livelihoods are taken, the government has a duty to respond.

    Eventually, like all private companies in the past realize, the continual lost and theft of assets becomes to huge and they themselves will want government intervention, as they do not have the ability beyond protecting what they have. How do you as a company stop hackers that are state sponsored?

    We will be needing an updated cyber security doctrine going forward indeed.

    Collapse
  3. Avatar photo
    David Chen

    Might need a new generation of congressmen who actually understand technology and the internet first...

    Collapse
    1. Avatar photo
      Kevin C. Smith

      Oh how cute... Suggesting we should expect "competent" elected officials... lol :P

      Collapse
      1. Avatar photo
        David Chen

        The sugary idealism is downright diabetic.

        Collapse
        1. Avatar photo
          Kevin C. Smith

          Sweet as ever!

          Collapse
  4. Avatar photo
    Man-Eating Cow

    Some good ideas here. However, there needs to be some thinking about how to deal with companies that are negligent in their cybersecurity measures. (That would be way too many of them.)

    I suspect that the most useful thing Congress can do is get out of the way of technical innovation that improves cybersecurity. Things like two-factor authentication are the sort of innovation that can greatly increase cybersecurity at a modest cost. My workplace, which deals with pretty sensitive information, requires badged or cryptocard login -- you have to have the gadget AND you have to have the pin. My impression is that this is pretty secure. It's not unreasonable to expect a major company responsible for major infrastruture to require something similar.

    Collapse
    1. Avatar photo
      Pat Riot

      I agree, but Congress has to draw the line between negligence and victimhood. Some companies did everything they knew how do do but still got hacked. Lots of attacks these days involve physical human breaches e.g. old fashion spies infiltrating key people.

      Collapse
      1. Anonymous

        Collapse
        1. Avatar photo
          Pat Riot

          I recall going through securities disclosures for a public companies wherein they explained what happened (and no, they can't lie on those things lest they wind up in the clink).

          A company can follow all of the rules and be highly diligent and still become a victim, just as the case with any other crime. Just like an airline can't be held accountable for a pilot going insane or a new kind of international terrorism, companies can't account for everything.

          I *completely* agree there's every reason to be skeptical because there are definitely examples of companies that were negligent as well.

          The problem is that the law isn't covering enough to tell the difference yet in all cases.

          Collapse
          1. Anonymous

            Collapse
      2. Avatar photo
        Victor Clairmont

        This happens a lot.

        There is only so much a company can do with White Hats or Ethical Hackers (people hired to probe online security of a company and find the weaknesses and issue reports on how to strength defenses). Imagine a company trying to counter hack a hacker, only to realize they are counter hacking the Russian or Chinese government. Suddenly you have a much bigger international issue.

        Not too mention as pointed out, some hackers actually visit these companies and get the passcodes and informations by stealing the data close by. The technology is crazy these days.

        Collapse
      3. Avatar photo
        Man-Eating Cow

        My concern is that the proposal draws the line too far on the side of victim. It may be that it's too far on the side of negligence and needs to be redrawn; a reasonable case is made for that here. But let's not err as far the other way.

        My preference would be some kind of insurance against cyberattack, with the U.S. possibly the reinsurer of last resort, accompanied by the kinds of "fire codes" found in other types of insurance. You want to be insured by us, you have to be up to snuff on your cybersecurity measures. Someone breaks in because you systematically looked other way when your employees chose "password" or "qwerty" as their password, your insurance is void.

        Personnel security is another matter. It's an older threat that we've been dealing with for millennia. The wrinkle is that insiders have another tool -- data systems -- for betraying their employer. That's not an insignificant wrinkle, and I wouldn't suggest someone who gets embezzled by a trusted employee should be blamed; but if you're allowing all your employees to have root privilege, for convenience, your insurance is void.

        I admit this is a pet peeve. I've been dealing with identity theft ever since OPM (Office of Pasturage Management) let themselves get hacked for the highly detailed personnel dossiers of thousands of government employees in sensitive positions.

        Collapse
        1. Avatar photo
          Pat Riot

          Conceptually this no different than other areas liability: was the doctor negligent when the patient died or was it just one of those things? The answer lies in the details, and in the compliance with standards and regulations.

          And while insurance companies can play a role, companies deal with *customers* who can individually sue them, so companies need regulations they can follow in exchange for not being sued...

          Collapse
  5. Avatar photo
    DougAz

    If only our CIA, FBI, NSA, NRO and all our cyberwarfare organizations were up to the task.

    Less tanks. More 18 yr old super cyber geniuses.

    Pay $2M a year and out compete Silicon Valley for our best talent.

    Collapse
    1. Avatar photo
      Mudskipper

      If I were a much much younger woman, I think I'd find the area of cyber security a fascinating area to work in. Developing that depth of expertise while trying to outsmart the bad guys would be a lot of fun

      Collapse
      1. Avatar photo
        Michael Darwin

        My question is how many would stay on the side of the good guys when they saw what the bad guys were making?

        Collapse
  6. Avatar photo
    Pat Riot

    One way to stop all of this is to make untraceable crypto currency illegal. That is what is fueling all of this crime. While it's theoretically possible for a criminal to do the same thing "suitcases full of cash", the logistics would be far more difficult (you could physically follow around the cash, etc.).

    The US did the same sort of thing with actual hard cash back in the 1970s, which made crime *much* harder to get away with (the show, "Breaking Bad" dramatizes the enormous difficulties).

    Collapse
    1. Anonymous

      Collapse
      1. Avatar photo
        Pat Riot

        Can you give me one example where ransomware was paid for in cash?

        Collapse
      2. Avatar photo
        snoball

        Part of his issue is that he doesn't know anything about how these guys operate other than what he hears on the MSM and gives way too much credit to government's ability to locate and/or actually catch these guys. Traceability means absolutely nothing if the perp resides in a country like Russia. And financial regulations have never slowed down or stopped their ability to operate (just as gun control laws have never slowed down or stopped gangland killings).

        Collapse
        1. Avatar photo
          Pat Riot

          Part of the issue with the above poster is that he hates anybody not in his tribe so much that he can't even carry on a simple rational conversation that doesn't even have anything to do with politics...

          The Bank Secrecy Act of 1970 was an absolute game-changer for law enforcement and the ability for large-scale operations to conduct their business:

          https://en.wikipedia.org/wiki/Bank_Secrecy_Act

          Nothing will remove all crime, but curtailing the criminal's use of untraceable means of money transfer is a big, big deal.


          Collapse
          1. Avatar photo
            snoball

            "Part of the issue with the above poster is that he hates anybody not in his tribe so much that he can't even carry on a simple rational conversation that doesn't even have anything to do with politics..."

            You know nothing about me. And most people here remember you from the NR days. You pretend to be some pragmatic figure, but you're not.

            And the whole thing about banning cryptocurrency has nothing to do with fighting crime and everything to do with politics.

            "The Bank Secrecy Act of 1970 was an absolute game-changer for law enforcement and the ability for large-scale operations to conduct their business:"

            Again, no it wasn't. The Bank Secrecy Act does not target modern drop accounts and the like.

            "but curtailing the criminal's use of untraceable means of money transfer is a big, big deal."

            Again, you don't know what you're talking about. Cryptocurrency isn't untraceable. This talking point is completely false.

            Collapse
    2. Avatar photo
      snoball

      That wouldn't really do anything. Cybercriminals have been doing this stuff for a long time (long before cryptocurrency was even a thing) and it wasn't like we were faring any better against them before.

      Collapse
      1. Avatar photo
        Pat Riot

        Sure, but collecting physical US paper dollars is a thousand times more complicated. If you ever watched the show Breaking Bad you would see a dramatization of this.

        Before untraceable cryptocurrency, cybercriminals engaged crimes other than direct extortion. So I guess it wouldn't stop all cybercrime, but it would surely stop the huge part of it, and what is seemingly the most dangerous from a national security perspective.

        Collapse
        1. Avatar photo
          BWG

          I don't think I'd claim expertise in something based on watching a TV show.

          Collapse
          1. Avatar photo
            Pat Riot

            Then why are all of these international extortionists using untraceable cryptocurrency? Why not use physical cash or those grocery store gift cards like another commenter mentioned? The Russians who knocked over the pipeline company would just need them to send about six million scratcher cards, um, somewhere where nobody would find out.

            Obviously Breaking Bad (and just about every other crime drama from the last 30 years) is just an example for people who haven't thought this through...

            Collapse
        2. Avatar photo
          snoball

          No it wouldn't Cybercrime is not new at all. That crowd was doing great even prior to the introduction of cryptocurrency.

          It's not like the government was successfully tracking and catching these guys until crypto came along. If anything, times were even better for them in the 1990's and 2000's.

          Collapse
          1. Avatar photo
            Pat Riot

            How were they doing cyber-extortion back then? Do you have references? I don't remember *any* of this happening back then like it is now.

            The need to collect actual physical cash slows criminals *way* down...

            Collapse
    3. Avatar photo
      Man-Eating Cow

      "Making untraceable crypto currency illegal" is a good idea that will be exceedingly hard to implement.

      Collapse
      1. Anonymous

        Collapse
        1. Avatar photo
          Pat Riot

          Bitcoin is traceable? Really? Can you explain that?

          Surely if the government has already done what I am talking about here then this conversation is moot.

          And if it's traceable, then how did these criminals get away with it? If it was a wire transfer to a Russian bank, for instance, then there would be clear international laws being broken and the bank would be immediately blackballed from international banking by the rest of the world.

          Collapse
          1. Anonymous

            Collapse
          2. Avatar photo
            snoball

            The criminals get away with it because they don't live in the US. The FBI isn't exactly going to raid some guy living in Vladivostok.

            "If it was a wire transfer to a Russian bank, for instance, then there would be clear international laws being broken and the bank would be immediately blackballed from international banking by the rest of the world."

            I think you vastly overestimate our power in this arena.

            Collapse
      2. Avatar photo
        Pat Riot

        Why? How about a law stating, "using untraceable cryptocurrency it is punishable by up to 5 years in prison"? Seems like that would do the trick. Then techno people would come up with a cryptocurrency that *is* traceable, thus complying with the law...

        Collapse
        1. Avatar photo
          snoball

          I can't see that holding up in court.

          Collapse
          1. Avatar photo
            Pat Riot

            Why not? They regulated the transfer of large amounts of physical cash in the 1970s and that held up in court just fine. Congress is within its bounds to regulate commerce between the States, which anything on the Internet surely is.

            Collapse
  7. Avatar photo
    Michael Darwin

    It seems to me the key word in "cyber attack" is "attack". If one of our oil pipelines was bombed instead of hacked, how would we respond? Every vital part of our society is in some way dependent on the internet and therefore vulnerable to attack.

    Yes, we can and should do everything to strengthen our defenses, but rest assured this is a Red Queen's Race - the hackers will adapt and keep up. We have to make the risk greater than the gain. In politics as in nature, weakness invites attack. There is a reason why predators attack bunnies over skunks and porcupines. When we are attacked, we need to hit back and hit back hard, and stop pretending thuggish governments don't know what's going inside their own borders.

    Collapse