The White House is racing to finalize a government-wide strategy on how to respond to ransomware attacks that will deter companies from paying out ransoms to cybercriminals as the Biden administration grapples with yet another major attack on a US firm by criminal actors believed to be based in Russia.
For months, the National Security Council has been studying how to stop debilitating attacks on critical infrastructure entities and weighing what authorities the government can invoke to quickly respond to and mitigate them, according to officials and experts involved in the discussions.
The NSC deliberations have centered not only on how to harden companies’ cybersecurity — a key issue considering that the majority of the country’s critical infrastructure is controlled by the private sector — but also how to stop the cycle in its tracks by disincentivizing and even banning companies from paying out ransoms.
The pace of upper-level meetings on the subject at the NSC has increased in recent weeks, the sources said, as the White House nears the end of its review.
“I know they have been working around the clock to put the pieces in place,” said Megan Stifel, a co-chair of the Ransomware Task Force and founder of Silicon Harbor Consultants.
National Security Council officials have been using the Ransomware Task Force’s April report, which was written by dozens of cybersecurity experts, as a key roadmap as they think about a government-wide approach to dealing with ransomware, said the people familiar with the deliberations. The report makes nearly 50 recommendations for addressing the attacks, including that the government should mandate that organizations report ransom payments and that ransomware should be formally designated as a national security threat so that it can be prioritized by the intelligence community.
The Senate Intelligence Committee has had a number of conversations with the Biden administration about ransomware and its strategies to combat it, a committee aide said.
Following the most recent major attack on American software company Kaseya last weekend, which has impacted an estimated 800 to 1,500 businesses in the United States and globally, White House press secretary Jen Psaki announced on Tuesday that “key leaders” from the State Department, Justice Department, Department of Homeland Security and other members of the intelligence community will meet with President Joe Biden on Wednesday to discuss ransomware and “our overall strategic efforts to counter it.”
Biden feels ‘good’ about the US’ ability to respond to attacks
Biden told reporters he felt “good” about the US’ ability to respond to ransomware attacks after receiving an update from his national security team on Tuesday morning, and said he will have more to say on the subject in the coming days.
Another meeting on the subject is expected to take place next week between US and Russian officials, Psaki said. Many of the most prolific ransomware attackers are believed to be based in Russia, including the group known as REvil that is believed to have attacked both Kaseya and the meat supplier JBS, and Biden confronted Russian President Vladimir Putin about the scourge during a summit in Geneva last month.
Experts have noted that ransomware is not a problem unique to the United States, and the administration has worked to foster more coordination with allies on combating the attacks. Stifel, who also serves as the global policy officer for the nonprofit organization Global Cyber Alliance, said the Five Eyes nations — the US, UK, Canada, Australia and New Zealand, who have an intelligence-sharing partnership — have simultaneously been reviewing their strategies for countering ransomware attacks and will likely be releasing them at roughly the same time to send a strong global message. One key element that the administration and experts have been pushing with foreign partners is to urge cryptocurrency exchanges operating outside the United States to alert governments to suspicious transactions, which would allow officials to better track the payments and potentially block them.
In the meantime, though, the attacks have continued apace. In just under six months, the Biden administration has had to grapple with severe incidents that have bruised the economy, including attacks on JBS and the major gas company Colonial Pipeline. Both of those companies paid millions in ransom to the criminal actors, believed to be based in Russia, who took their systems hostage, and in both cases the US government did not know about the payments until later.
Following the Colonial hack, the Transportation Security Administration mandated that US pipeline operators strengthen their cyber defenses and JBS said they have “cybersecurity plans in place to address these types of issues.” But the latest major ransomware attack on the IT supplier Kaseya has shown that hardening a company’s defenses can only protect it so much when its supply chain suffers a single point of failure, noted one cyber insurance company executive who has advised the White House on the issue.
National security officials have begun thinking of ransomware attacks in terms of counterterrorism tactics and how the US government has long dealt with hostage-takers, according to people familiar with the discussions. Some experts the NSC has consulted on the issue believe that the best way to discourage such attacks is by refusing to negotiate with or pay the malicious actors, so one option that has been discussed is banning payments altogether — perhaps by adding more ransomware actors to the sanctions list, thereby making payments to them illegal, or penalizing companies who pay in some other way.
Some believe banning payments would be counterproductive
But others believe that an immediate blanket ban on payments would be counterproductive because it would further victimize the targets, who sometimes have little choice but to pay a ransom immediately to minimize disruption to their employees and customers. The Ransomware Task Force report did not go as far as to recommend banning payments altogether, but did suggest requiring that organizations report ransom payments and “consider alternatives before making payments.”
“Prohibiting payments immediately is not a workable strategy because it will impose too many costs on innocent victims,” said Michael Daniel, the president and CEO of the Cyber Threat Alliance who also served as a co-chair of the Ransomware Task Force. “If you want to set that as a policy goal, you need to lay down steps first and you need much more information.”
Daniel noted that without a better idea of how many ransomware victims are out there and what percentage of them end up paying their attackers, it will be hard for the government to formulate a workable strategy to deter payments. “Before imposing any kind of blanket ban, we want to encourage a lot more information sharing with the government,” he said.
A perennial issue has been whether and how to force companies to disclose to the government and law enforcement officials when they’ve been attacked and paid a ransom. Requiring such reporting could in and of itself discourage businesses from making the payments, Daniel noted. But any such reporting requirements would likely have to be enacted through legislation.
“It is absurd that we don’t yet have a reporting bill,” said Christopher Painter, the former State Department coordinator for cyber issues under President Barack Obama. “The task force could not reach a conclusion on banning ransomware payments, but at a minimum we recommended making people report the payments. The White House can do some things on that, but ultimately it will have to be through legislation.”
Senate Intelligence Committee Chairman Mark Warner (D-Va.) released a draft of such a reporting bill last month called the Cyber Incident Notification Act of 2021. The law would require federal agencies, government contractors, and critical infrastructure owners to report breaches to the Department of Homeland Security within 24 hours of an attack and has protections built in to prevent reputational and legal damage, like making such reports exempt from FOIA and preventing them from being used as evidence in civil or criminal proceedings.
“The bottom line is ransomware has gone from an economic nuisance, which is how it was perceived back in 2013 and 2014, to a national security threat and a public health and safety threat,” said Daniel. “It is no longer just a sideline cybercrime problem, but something that requires a whole of government approach to deal with. That’s why it is good that the administration is putting out a strategy focused on ransomware — that is what it is going to take to knock this problem back.”