US DHS, FBI Face Ransomware Questions from CongressDHS' Alejandro Mayorkas, FBI's Christopher Wray Discuss Ransomware Surge
U.S. FBI and Department of Homeland Security leaders fielded several cybersecurity-related questions from House lawmakers Wednesday, particularly around the surge in ransomware attacks, diplomatic efforts to curb ransomware's financial model, and the nation-states that harbor cybercriminals.
Speaking before the House Homeland Security Committee on Wednesday - in a hearing to evaluate global threats in the years since Sept. 11, 20021 - DHS Secretary Alejandro Mayorkas underscored the prominence of crypto-locking attacks. He said that in 2020, victims paid an estimated $350 million in ransoms - an increase of 311% over the prior year - with average payments exceeding $300,000. In response, DHS and other agencies have taken a whole-of-government approach to the threat, Mayorkas confirmed.
Bennie Thompson, D-Miss., chairman of the committee, noted, "Over the past year we have seen our adversaries burrow into federal networks through a sophisticated supply chain attack, exploit vulnerabilities in Microsoft Exchange Servers, and refuse to rein in cybercriminals working to extort millions of dollars from U.S. critical infrastructure owners and operators through ransomware attacks."
Similarly, John Katko, R-N.Y., the committee's ranking member, said, "The American people are facing unprecedented threats to their livelihood, their privacy and their overall way of life and this year alone, we've seen a number of high-profile attacks … leading to important conversations in Congress, around the merits of incident reporting and in identifying systemically important critical infrastructure."
This month, Katko voiced support for the Cyber Incident Reporting for Critical Infrastructure Act, introduced by Rep. Yvette Clarke, D-N.Y., which, in part, would require that cyber incidents be reported within 72 hours of discovery, versus the 24 hours proposed in the Senate version of the bill (see: House Debates Breach Notification Measure).
Mayorkas testified, "In July, DHS launched StopRansomware.gov to help private and public organizations of all sizes combat ransomware and adopt cybersecurity best practices, and our experts at [CISA] stood up the Joint Cyber Defense Collaborative to bring together partners from every level of government and the private sector to reduce cyber risks, to better protect our critical infrastructure."
The DHS secretary also highlighted two new directives from the Transportation Security Administration to strengthen the security and resilience of U.S. pipelines. "Further, we are building a top-tier cybersecurity workforce by investing in the development of diverse talent pipelines and building the expertise to keep addressing changing threats," Mayorkas said.
FBI Director Christopher Wray added, "There's no shortage of dangers to defend against. We're now investigating over 100 different types of ransomware, each of them with scores of victims. And that's on top of hundreds of other criminal and national security cyberthreats that we're working against every day."
In his line of questioning, Rep. Jim Langevin, D-R.I., a senior member of the House Committee on Homeland Security and a member of the Cyberspace Solarium Commission, sought details from Wray on remarks he had made this week before the Senate Homeland Security and Government Affairs Committee about reportedly withholding a decryption key from the July Kaseya attack that may have been able to unlock victims' systems earlier (see: FBI Director Questioned Over Kaseya Decryption Key).
"In your response [to reportedly withholding the decryptor], you emphasize the need to 'maximize impact against an adversary.' … I have to say I'm deeply concerned that the response to [Senate Committee] Chairman [Gary] Peters did not reflect the harm withholding a decryption key could do to victims."
Langevin continued, "I understand these decisions are difficult and complex and that you may not be able to discuss the specifics of the Kaseya case [due to ongoing investigations], however, I'd like to give you the opportunity now to correct the record and affirm that asset response is a critically important factor when responding to a significant cyber incident."
Wray replied, "In general, encryption keys are … one of many kinds of technical information we provide the private sector, and turning those things into decryption tools that can actually be used and not have unintended consequences is actually a lot more complicated than a lot of people realize, and that itself takes time."
He added, "But absolutely, we recognize that asset response has to go hand in hand with threat response. ... And these kinds of decisions are made in consultation with a host of interagency partners."
Andrew Garbarino, R-N.Y., took to questioning Wray on the level of cooperation the U.S. government has received from Russia in disrupting the ransomware gangs that are believed to be operating within its borders.
"Last week, FBI Deputy Director Paul Abbate said there's been no indication that the Russian government, through President Putin, have taken steps to stop the activities of cybercriminals engaging in ransomware attacks against U.S. entities," Garbarino said while referencing a Russia-linked ransomware attack by the group BlackMatter this week against NEW Cooperative Inc., an Iowa-based farm services co-op, with a ransom demand of $5.9 million (see: Ransomware Reportedly Hits Iowa Farm Services Cooperative).
"This is the exact attack that President Biden had a message to President Putin against - that this is critical infrastructure and it's off limits. … I understand the FBI is working with the State Department and the National Security Council to increase pressure on countries that failed to stop ransomware actors in their territory, like Russia. What specific steps is the FBI taking to suppress these groups?"
"What I would tell you … is that Russia has a long history of being a safe haven for cybercriminals, where the implicit understanding has been that if they avoid going after Russian targets, or victims, they can operate with near impunity, and the Russian government has long refused to extradite Russians for cybercrimes against American victims," said Wray.
"It's too soon to tell whether any of the things that are underway are having an impact but in my experience, there is a lot of room for them to show some meaningful progress if they want to on this topic," Wray added.
'Right to Respond'
Wray and Mayorkas also faced several questions about immigration, particularly from Haiti, and the resettling of Afghan refugees in the U.S. after American troops withdrew from that country in August.
In his testimony this week, Wray noted that the FBI continues to focus on cyberthreats from China, which not only include various cyber operations but also the ongoing theft of intellectual property.
During his speech before the United Nations General Assembly on Tuesday, President Joe Biden noted that the U.S. continues to make improvements in the country's cybersecurity.
"We reserve the right to respond decisively to cyberattacks that threaten our people, our allies or our interests," Biden declared.