Ransomware attacks use malicious software to lock a target out of its files — until the target pays to regain access to its own computers. The extortion will continue as long as it is profitable, and today too many of those paralyzed by these intrusions fork over the cash to get back to business as usual. The Treasury Department last fall issued an advisory that paying ransom could violate sanctions laws, if the ransom is paid to a designated cybercriminal. Congress should eventually go even further and prohibit these payments altogether. Yet that’s a lot for legislators in Washington to demand of a small town, college or clinic without providing ample support for protection and resilience. These places need help, and lawmakers must ensure they get it.
The federal government already disrupts operations and disables networks of bad actors when it can. It can also assist public-sector facilities around the country in hardening their infrastructure to deprive opportunists of any opening, as well as in recovering when infiltrators take advantage of whatever vulnerabilities remain. Acting Cybersecurity and Infrastructure Security Agency director Brandon Wales said last week that blocking such extortion has become a top priority for his division in the Department of Homeland Security. Already, CISA offers resources to state, local and tribal governments. But many of those governments don’t even know that, others don’t know how best to harness the aid they’re given, and for even more these tips just aren’t enough.
Out of 11 bills mentioning ransomware last year, one lonely piece of legislation passed as a provision in the larger National Defense Authorization Act, tasking CISA with establishing state cybersecurity coordinators. That’s good, but state and local governments also need to be able to afford best practices. Homeland Security Secretary Alejandro Mayorkas recently announced an increase in the amount of money dedicated to cybersecurity in existing FEMA grants; a bill pending in the House of Representatives would create additional grants for implementing robust cybersecurity plans. Some senators, led by Gary Peters (D-Mich.) and Rob Portman (R-Ohio), seek to expand DHS’s mandate to work with states and localities on cybersecurity. These worthwhile endeavors could be modified to address ransomware explicitly. So could attempts to build out DHS’s incident response teams — essentially digital ghostbusters for crippling hacks.
Right now, the country’s most crucial services are also cybercriminals’ most tempting targets, because the criminals know three things: that we can’t live without them, that they are unprotected and that people are willing to pay to release them from attack. That first part won’t change, but the next two must.