The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Biden wants to make it harder to pay ransomware hackers


Welcome to The Cybersecurity 202! Congratulations to the Emmy winners — especially Hacks, which isn't about cyber, but perfectly captures the absolute monotony of Las Vegas. 

Below: There's another twist in the partisan audit in Maricopa County, Ariz. and a possible cyberattack hit a political primary in Hungary. 

The administration is cracking down on ransomware payments

The Biden administration is making swift progress on its master strategy to combat ransomware. 

But any reduction in attacks may still be far off. 

The administration plans to move as early as this week to place sanctions on financial exchanges that facilitate ransomware payments, as Ellen Nakashima reports.

The big goal: To disrupt the current ecosystem in which it's exceptionally easy for victims to pay ransoms to hackers that lock up their computers — and exceedingly difficult to track those payments once they're made. 

Most ransomware payments are made using cryptocurrency, which is traded through a series of private wallets and public exchanges and is notoriously difficult to track from its origin to its recipient. 

Treasury officials did not say which organizations the sanctions will target, but the new sanctions will likely mark the most significant counterpunch to date against the criminal hacking groups that have bled hundreds of millions of dollars from U.S. companies and threatened national security. 

There's more

The other major pillars of the White House's ransomware strategy will be more difficult to bring to bear.

Those pillars, which the White House announced in July, are:

  • Make U.S. institutions more resilient against hacking
  • Urge international cooperation to combat ransomware

Improving the cyber defenses of U.S. companies and other organizations will likely be a generational challenge.

The government has been pushing for such improvements for roughly the past decade. But during that time, hacks have only become more damaging. 

The Biden administration mandated minimum cyber protections for pipelines in July, and officials have openly speculated about imposing such standards for other critical industries. 

But even White House officials warn any changes will be a long time coming. “This is a problem that's built up over a number of years and it's not something that will be solved in a moment,” an official said when announcing the strategy.

But Putin

International cooperation against ransomware faces one big challenge: Russia

The most damaging and prolific criminal ransomware gangs operate on Russian territory and with the Kremlin's tacit approval, U.S. officials say. Russia has joined the United States and other nations in agreeing to abide by a series of cybersecurity rules of the road over the years but done little to change its actual behavior. 

President Biden demanded that Russian President Vladimir Putin rein in Russian ransomware gangs and threatened retaliation if they hit 16 vital U.S. sectors during a summit in June. But U.S. officials say there's no evidence of a change in Russian behavior. 

To pay or not to pay

Even the new sanctions may come with some drawbacks

At least in the short run, they may hurt some U.S. companies as much as they hurt hackers if those companies are unable to pay ransoms. 

The FBI and other U.S. government agencies consistently urge ransomware victims not to pay up. They warn that ransom payments can be used to fund other cyberattacks or even more damaging crimes. But officials acknowledge that not paying a ransom could sometimes be far more damaging for a company than paying. 

The city of Baltimore, for example, paid more than $18 million to recover from a 2019 ransomware attack and suffered through weeks of hobbled services — all to avoid paying a ransom of less than $100,000. For companies that haven't sufficiently backed up their data, a ransomware attack could force them out of business. 

There could be broader societal impacts, too

Two of the most prominent ransomware attacks of recent years targeted pipeline operator Colonial Pipeline and meat processor JBS, which threatened to seriously disrupt U.S. gas and meat supplies. Both companies paid ransoms to regain access to their computers and restart operations. If they hadn't, the impacts could have been far more damaging. 

Implementation will also be tricky

The Treasury Department's Office of Foreign Assets Control issued guidance in October saying companies that facilitate ransomware payments may be violating its regulations. But the notice drew complaints from organizations that weren't sure how to remain in compliance or if the rules even applied to them.

If this new initiative clarifies the guidance, it will be a “welcome” step, Megan Stifel, global policy officer at the Global Cyber Alliance, told Ellen.

“There are lots of organizations that want to do the right thing” but aren’t sure how to comply, she said.

The keys

Maricopa County says a new agreement will limit cybersecurity damage from a partisan election audit

Under the agreement, the Arizona county won’t have to turn over routers demanded by the Arizona Senate. The county argued doing so would have risked exposing sensitive government information, including law enforcement data. Instead, former Congressman John Shadegg (R) will examine the routers on behalf of contractors running the partisan audit, the Associated Press’ Bob Christie reports. The county will have to pay the cost of Shadegg’s operation.

The county will also be on the hook for the roughly $2.8 million cost of replacing voting machines that were deemed insecure as a result of the audit, according to the agreement. Arizona Senate President Karen Fann (R) had earlier agreed the state would shoulder that cost. 

The results of the review are expected to be published Sept. 24 after a lengthy series of delays, a lawyer representing Arizona’s Republican-controlled state Senate told a judge. 

Hungary’s opposition parties suspended their first primaries after a suspected cyberattack

Opposition leaders blamed the “mass load of currently unknown origin” on Prime Minister Viktor Orban. Voting will restart today, according to Gergely Hajdu, whose organization, aHang, is handling the technical aspects of voting, Agence France-Presse reports. The primaries come in the run up to April elections in the country.

Orban’s party denied responsibility for the apparent cyberattack and told the opposition not to “blame your incompetence on others.”

Hajdu, meanwhile, said the cyberattack was “most probably from abroad” and is still being investigated. “There is no evidence yet that the government or any foreign forces wanted to hack the whole system,” he said.

More than 250 candidates are running in the primaries, which are being conducted partly online. Election security experts consistently warn there's no way to ensure online voting is protected against hacking.

Hungary’s government has a history of questionable actions in cyberspace. NSO Group’s Pegasus spyware infected at least two Hungarian journalists’ phones and likely infected the phones of activists and others in the country, according to an investigation by The Washington Post and 15 media partners. A former NSO employee said Hungary was a client of the cybersurveillance company. The hacks stood out because Hungary is a member of the European Union, where privacy is considered a fundamental right.

U.S. government agencies are divided on whether to blacklist a former Huawei subsidiary

Career officials at the Pentagon and the departments of Energy, State and Commerce deadlocked on whether smartphone maker Honor presents a significant risk to U.S. national security and should be put on a Commerce Department blacklist, Ellen Nakashima and Jeanne Whalen report.

Placement on the list would bar U.S. companies from exporting technology to Honor without a special license.

The disagreement comes as a Senate committee prepares to take up the nomination of Alan Estevez to lead the Commerce Department's Bureau of Industry and Security, which administers the blacklist.

Hill happenings

A major government workers union opposes easing job requirements for certain cyber workers

The fight centers on a National Digital Reserve Corps and Civilian Cyber Reserve that wouldn’t be bound by normal government hiring rules, FCW's Natalie Alms reports.

American Federation of Government Employees AFL-CIO National President Everett B. Kelley urged lawmakers to strip the programs from the final version of a major defense bill that often includes significant cyber provisions. Kelley wrote that looser rules for the corps and reserve workers would be “highly disruptive to the permanent workforce.”

Cyber insecurity

Hackers linked to India’s government probably developed hacking tools with the unwitting help of a U.S. company

The hackers probably weaponized a running list of software vulnerabilities sold by Austin-based Exodus Intelligence to target the government and telecom sectors of China and Pakistan, Forbes’ Thomas Brewster reports. The Indian government purchased the list, which is designed to help customers defend themselves. But then it allegedly developed a hacking tool that exploited one of those vulnerabilities. 

Exodus cut off India from buying new research in April, the company's CEO Logan Brown said.

Exodus doesn’t officially limit what its customers do with the list, but draws the line at “if you’re going to be … shotgun blasting Pakistan and China,” Brown said.

Global cyberspace

Quad leaders to call for securing chip supply chain (Nikkei)

  • Microsoft President and Vice Chair Brad Smith participates in a Washington Post Live event today at 11:30 a.m.
  • Former Undersecretary of State Keith Krach and former U.S. Agency for International Development deputy administrator Bonnie Glick speak at a Center for Tech Diplomacy at Purdue event on semiconductors and supply chains on Tuesday at 9:10 a.m.
  • Homeland Security Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify at a Senate Homeland Security and Governmental Affairs Committee hearing on homeland security threats since Sept. 11, 2001, on Tuesday at 9:30 a.m.
  • Mayorkas, Wray and Abizaid testify before the House Homeland Security Committee on Wednesday at 9 a.m.
  • National Cyber Director Chris Inglis, CISA Director Jen Easterly and Federal Chief Information Security Officer Chris DeRusha testify before the Homeland Security and Governmental Affairs Committee on Thursday at 10:15 a.m.

Secure log off

What a wonderful crowd. Thanks for reading. See you tomorrow.