Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., along with the committee’s Democratic staffers, released a report today taking the Federal government to task for gathering insufficient data on ransomware attacks and on the use of cryptocurrencies to pay ransoms in those attacks.
The 52-page report – which was the product of a 10-month investigation – finds that current reporting of ransomware attacks is fragmented across agencies, leaving the government unaware of the actual scale and impact of the attacks.
Sen. Peters stressed the importance of quickly implementing the Cyber Incident Reporting for Critical Infrastructure Act, which would help the Federal government to gather vital information and a consolidated view of attacks. The law requires critical infrastructure owners and operators to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
“Cryptocurrencies… have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” Sen. Peters said in a statement. “My report shows that the Federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them.”
“My bill that was recently signed into law to require critical infrastructure to report cyberattacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches,” he added.
The report cites an estimate from CISA that as of July 2021, only about one-quarter of ransomware incidents were reported to the Federal government. State and local governments also collect “limited data on cyber incidents,” according to the report, with mandatory reporting requirements “limited to data breaches involving personally identifiable information.”
Because attack and payment data are limited, the report stresses that the government does not have “a full picture of cyber threats.” However, Sen. Peters said he is hopeful quick implementation of the cyber incident reporting law will “address the lack of understanding of the true scope of the problem and the size of the ransomware market.”
Beyond quickly implementing the new law, the report calls on the Federal government to standardize existing data on ransomware incidents and ransom payments. It also urges Congress to establish additional public-private initiatives to investigate the ransomware economy and to support information sharing about ransomware attacks.