Cyberattacks Are on the Rise. What Can Congress Do?
A number of things may help on the margins, but experts point to deterrence as the most effective policy lever.
The past few months have revealed how disruptive ransomware attacks can be to our economy and everyday lives. In May, a Russian hacking firm attacked Colonial Pipeline, shutting it down for days. Americans endured long gas lines and closed stations, and the company ended up paying $4.4 million in ransom to the hacking company, DarkSide.
On July 2, the IT firm Kaseya announced it had been targeted in an attack that ended up affecting an estimated 800 to 1,500 companies on five different continents. Here, too, the hackers were a Russian firm: the REvil ransomware group demanded $70 million to undo the damage.
A ransomware attack even affected the day-to-day work done by congressional staff. iConstituent, a system that many offices on the Hill use to coordinate constituent services, was targeted in an attack months ago. Nearly 60 House offices were affected by the attack, making it impossible to access some constituent information for weeks, Punchbowl News reported.
Companies like DarkSide and REvil are not state actors, but experts and lawmakers say it is impossible for companies to pull off attacks like this without the Russian government knowing about it. In a call earlier this month, President Biden told Russian President Vladimir Putin that the United States “will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”
Ransomware attacks are not the only cybersecurity threat the U.S. faces, and Russia is not the only country where hackers are operating with the knowledge or outright assistance of the government. The Biden administration—along with the European Union, United Kingdom, Japan, and NATO allies—officially accused China this week of carrying out a massive hack of Microsoft’s email systems earlier this year. Cyber operatives used the hack to engage in intellectual property theft of confidential business information and espionage around the globe.
In Congress, lawmakers know the current situation is untenable, and are hunting for policy solutions. Last month, Sens. Gary Peters and Rob Portman—the chair and ranking member, respectively, of the Senate Homeland Security Committee—wrote a letter to the White House requesting input on upcoming ransomware legislation to help secure U.S. systems and punish ransomware attackers.
Portman said in a statement to The Dispatch he is very concerned about the increasing number of attacks: “Recent attacks on organizations like Colonial Pipeline have shown how vulnerable companies are and the variety of real-world consequences and ramifications of ransomware attacks.”
Shane Tews, senior fellow at the American Enterprise Institute and cyber expert, told The Dispatch that the best thing Congress can do to help in the ransomware wars is offer legislation that encourages companies to report hacks as soon as possible, without being penalized for doing so.
“The cleanest thing that Congress can do is indemnify these companies for information sharing,” she said. “If we know what we’re looking for we can solve much faster for the dilemma.”
Without indemnification, companies tend not to come forward to report ransomware attacks because it leaves them open to lawsuits, Tews explained. “They will not come forward ... unless the incident is so big, they have to. You don’t want to tell someone that your back door is broken.”
Rep. John Katko of New York, ranking Republican member on the House Homeland Security Committee, joined Tews for a discussion on this problem last year. “This whole task force concept of getting everybody under the same roof, one roof, and working together and putting aside their differences and their turfs is critically important,” he said then. “It was what caused a problem with Homeland back 20 years ago when 9/11 happened—that the stovepipes created a lack of information sharing.”
Getting companies to share that type of important information is much easier said than done, however. Katko told Tews, “The rub is: How do you incentivize the private sector to tell you something that is really bad that happened in their company without them incurring liability? They just think it’s the logical inclusion.”
The Senate Intelligence Committee has offered legislation to help with this issue. The Cyber Incident Notification Act, first obtained by Politico, would require critical infrastructure operators, digital security firms, and federal contractors to report hacks to the government within 24 hours or be penalized. The penalties could be a fine or even losing a government contract completely. In addition to the stick, the bill also contains a carrot: It would offer companies that fall under the bill’s purview liability protection once a ransomware attack is reported to the government.
Another idea often floated by politicians is a simple one: banning companies from making ransomware payments. The federal government already discourages making payments as a matter of policy: If companies don’t pay the ransom, the thinking goes, then bad actors won’t have any incentive to carry out these types of attacks.
But simply telling companies that they shouldn’t pay doesn’t always mean much, since ransomware attackers often go after businesses for whom the cost of going dark for days or weeks can be far higher than biting the bullet and forking over a ransom.
“Organized crime is a business: They want to maximize their return on investment,” Michael Hamilton, an information security expert at the Washington state-based firm Critical Insight Security, told The Dispatch last month. “They seek out victims that … are doing something so critical that you cannot stand any downtime.”
Even when companies do pay the ransom, sharing information with authorities early can pay off. In the case of the Colonial Pipeline attack, the FBI was able to recover millions of dollars’ worth of the cryptocurrency payments the company made to DarkSide.
“This represents the seizure and deprivation from criminal actors of exactly what they're going after, which is criminal proceeds of their scheme. And it was swiftly done based on and thanks to the quick notification by Colonial Pipeline work with the U.S. government,” Deputy Attorney General Lisa Monaco said at a press conference announcing the seizure of funds.
All these measures only help after a company has actually been attacked. Jason Killmeyer, former Chief of Staff of Global Defense, Security & Justice at Deloitte, told The Dispatch that the U.S. government needs to do more to deter these attacks in the first place, and what we’re doing now isn’t enough.
“It can no longer be acceptable for the executive branch just to say, ‘Oh, we’ll take some actions in the shadows or behind the scenes,’” he said. “If we laid out what the public responses would be, and then if Putin believes that we would actually stick to them, that’s the way to start to build a credible deterrent.”
Killmeyer says the response to any future attacks should be strong and noticeable, but not one that could result in any deaths or global mayhem. If critical infrastructure is attacked, he said, “We should respond in kind with a real-world action that is manifest in that same sector on the other side. Ideally a non long-term damaging one, but one that shows we can respond in the exact same way.”
“You can deter Putin in two ways: via his pocketbook or his prestige,” Killmeyer said. “And we need to publicly commit to the enforcement of red lines.”