The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Ransomware has thrust cybersecurity into the spotlight

with Aaron Schaffer

The Biden administration is responding to the growing threat of ransomware attacks with a vigor and seriousness unparalleled in the government’s decades-long battle against hacking.

FBI Director Christopher A. Wray captured the scope of the new effort, comparing it to the government-wide response to the Sept. 11, 2001, terrorist attacks. “The scale of this problem is one that I think the country has to come to terms with,” he told the Wall Street Journal.

The response to the wave of costly and disruptive attacks — in which hackers lock up victims' computers and demand payment to free them — involves nearly every facet of the federal government. It was spurred most recently by high-profile ransomware attacks against the energy and food sectors but also by a drip, drip series of hits on schools, hospitals and local governments that collectively demonstrate an unacceptable level of vulnerability across the nation’s vital infrastructure. 

Here’s a rundown of what the federal government is doing:

The Justice Department has elevated ransomware investigations to the same level as terrorism probes. The White House has begun issuing a raft of new cybersecurity requirements for gas pipelines. And President Biden has pledged to confront Russian President Vladimir Putin during their summit this month about ransomware gangs operating on Russian territory and to rally U.S. allies to address the problem. 

In light of recent ransomware attacks, politicians made the case for different approaches to cybersecurity on June 6. (Video: Blair Guild/The Washington Post)

Top government officials are also bluntly warning companies they must increase their digital protections to prevent a wave of similar attacks and pushing them to level with the government when they do pay hackers ransoms. 

The government effort is far broader than previous responses to major hacks, even to blockbuster ones such as the Kremlin-linked SolarWinds breach that compromised a slew of government agencies or the Office of Personnel Management hack that compromised personnel records of more than 20 million federal employees and typically is attributed to China. 

It reflects a shift from treating ransomware as a pesky criminal problem to one of vital national security. 

Indeed, White House officials are increasingly arguing that ransomware attacks against critical industries could become so disruptive they have global implications, Ellen Nakashima, Hamza Shaban and Rachel Lerman report

Among their efforts, officials are trying to convince U.S. allies to force more transparency from cryptocurrency exchanges operating on their territory and that process ransomware payments, a senior administration official told my colleagues. 

The goal is to force those exchanges to reveal the recipients of especially large exchanges of cryptocurrency, making it easier for law enforcement to track likely ransom recipients. 

“There are cryptocurrency exchanges all around the world, and we want to ensure that there’s a common threshold of ‘know your customer’ rules, which are in place and implemented so there aren’t places to hide funds,” the official said.

The Justice Department also is urging U.S. companies to proactively tell the government when they pay ransoms — even as they urge companies not to pay those ransoms if at all possible. 

On NBC’s Meet the Press, Senate Intelligence Committee Chairman Mark Warner (D-Va.) pushed for legislation mandating that companies tell the government when they pay ransoms. He stopped short of endorsing a ban on ransomware payments, which some cybersecurity experts have promoted.

“There's going to be a debate about whether these companies should pay ransomware,” he said. “But there ought to be more transparency, if a company does pay, so we can go after the bad guys.”

The keys

U.S. authorities announced the first charges under the banner of a new Ransomware and Digital Extortion Task Force.

Prosecutors say Alla Witte, also known as “Max,” helped develop Trickbot malware, which they say infected millions of computers, stole banking credentials and delivered ransomware. She was arrested in February, according to the Justice Department. Witte was born in Russia and had been living in Latvia, officials said. 

“These charges serve as a warning to would-be cybercriminals that the Department of Justice will use all the tools at our disposal to disrupt the cybercriminal ecosystem,” Deputy Attorney General Lisa Monaco said.

Trump and Giuliani personally pushed for a partisan Arizona audit investigating baseless election fraud claims.

Former president Donald Trump and his lawyer Rudolph W. Giuliani personally contacted Republican lawmakers in Arizona to urge them to conduct the partisan audit in Maricopa County, Amy B Wang reports. The machinations were revealed in emails sent to and from Arizona lawmakers that were obtained by American Oversight, a nonprofit legal watchdog group.

“The more we learn, the more it becomes clear that this is not an audit, it’s a sham partisan crusade carried out by some of the most cynical actors our democracy has ever known,” said Austin Evers, the group’s executive director.

In a separate development, new evidence is emerging about the pressure former White House chief of staff Mark Meadows put on acting attorney general Jeffrey Rosen to investigate unfounded fraud claims as Trump’s presidency wound down, Karoun Demirjian and Josh Dawsey report. Meadows asked Rosen to look into fraud claims in New Mexico and baseless theories that the election was stolen from Trump, including one that votes were switched by people in Italy manipulating satellites, according to portions of the emails obtained by the New York Times.

The Supreme Court handed a major victory to cybersecurity researchers in its biggest ruling to date in a hacking case.  

The ruling places limits on what counts as hacking under the government’s main anti-hacking law, the 1986 Computer Fraud and Abuse Act. Under the court’s interpretation, the law still would criminalize breaking into a computer or database by stealing a password. But prosecutors generally could not use the law to pursue people who simply break the rules for a computer system, such as violating a website’s terms of service or a workplace's rules. 

A majority of justices said the government’s “breathtaking” interpretation of the statute could make criminals of “millions of otherwise law-abiding citizens,” Robert Barnes reports. The decision was also notable because the three justices nominated by former president Donald Trump joined with the three liberals on the court to form the majority.

The ruling was welcomed by cybersecurity researchers who frequently fell afoul of the law when searching for bugs in digital consumer products. Digital rights and civil liberties groups also praised the ruling.

“Although the high court did not narrow the CFAA as much as EFF would have likedit provided good language that should help protect researchers, investigative journalists, and others,” the Electronic Frontier Foundation said.

The ACLU agreed. “The Supreme Court’s decision will allow researchers and journalists to use common investigative techniques online without fear of CFAA liability,” Esha Bhandari, the deputy director of the ACLU’s Speech, Privacy and Technology Project, said.

Chat room

Here's a deep dive on the high court's ruling from University of California-Berkeley School of Law professor Orin Kerr:

Government scan

The Biden administration expanded a ban on U.S. investment in Chinese companies to those in the surveillance sector.

The executive order issued Thursday “prevents U.S. investment from supporting the Chinese defense sector, while also expanding the U.S. government’s ability to address the threat of Chinese surveillance technology firms that contribute — both inside and outside China — to the surveillance of religious or ethnic minorities or otherwise facilitate repression and serious human rights abuses,” according to a White House fact sheet.

The order also moves the authority for the ban from the Pentagon to the Treasury Department, Jeanne Whalen and Ellen Nakashima report

Industry report

TikTok just gave itself permission to collect biometric data on US users, including ‘faceprints and voiceprints’ (TechCrunch)

Global cyberspace

Kazakhstan rebuffs talk of joint sanctions response with Russia (Reuters)

Cyber insecurity

Are We Waiting for Everyone to Get Hacked? (New York Times)

Senate sergeant at arms says cyberattack more worrisome than repeat of Jan. 6 insurrection (The Hill)

German cooperative banks hit by DDoS hack attack on IT provider (Reuters)

Securing the ballot

How the national push by Trump allies to audit 2020 ballots started quietly in Pennsylvania (Rosalind S. Helderman)


  • Colonial Pipeline CEO Joseph Blount testifies before the Senate Homeland Security and Governmental Affairs Committee on Tuesday at 10 a.m.
  • Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, and former FBI deputy director Sean Joyce discuss ransomware at an Aspen Institute event on Tuesday at noon.
  • The Middle East Institute hosts its annual cyber conference on Wednesday.
  • Quinn Carman, the director of operations of the NSA’s Red Team, speaks at the Silicon Valley Cyber Security Summit on Wednesday at 10:50 a.m.  
  • The Senate Intelligence Committee holds a confirmation hearing for Christine Abizaid, President Biden’s pick to lead the National Counterterrorism Center, and Robin Ashton, who he nominated to be the CIA’s inspector general, on Wednesday at 2:30 p.m.
  • Colonial Pipeline CEO Joseph Blount testifies before the House Homeland Security Committee on Wednesday at noon. 
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an American Enterprise Institute event on Friday at 10 a.m.
  • Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testifies before a House Armed Services Committee panel alongside the director of the Defense Intelligence Agency, Lt. Gen. Scott Berrier, and Undersecretary of Defense for Intelligence & Security Ronald Moultrie on Friday at 11 a.m.

Secure log off