The Washington Post

Many ransomware attacks go unreported. The FBI and Congress want to change that.

An Exxon station in Washington after a cyberattack crippled the biggest fuel pipeline in the country. (Yuri Gripas/Reuters)

Congress, urged on by the nation’s top law enforcement agencies, is pushing to require companies to report ransomware attacks in an effort to help the government understand the scope of the threat.

At a Senate Judiciary Committee hearing on Tuesday, representatives of the Justice Department, FBI, Secret Service and the Cybersecurity and Infrastructure Security Agency all said Congress should consider passing a bill forcing companies that have been hit by a cyberattack to tell the government.

“The government and Congress does not have a full picture of the threat facing companies. Congress should enact legislation to require victims to report,” Richard Downing, a deputy assistant attorney general at Justice, said during the hearing.


Official knowledge of the scale of ransomware attacks is so murky that the government can’t say for sure whether China and Russia are cracking down on hackers operating out of their countries, said Eric Goldstein, executive assistant director at CISA, an agency created in 2018 to protect the United States from cyberattacks.

“We believe that only about a quarter of ransomware intrusions are actually reported,” he said. “It certainly could be the case that some ransomware actors have changed behavior for a variety of reasons; we simply don’t have the data to be able to answer that question.”

Ransomware attacks have emerged in the past few months as a major risk for American companies and institutions such as schools, hospitals and even city governments. Hackers can use methods as simple as a phishing email attack to steal data and lock the computer owner out of their system, then demand a ransom. Recent high-profile attacks on the Colonial Pipeline system that prompted a run on gasoline all along the East Coast in May and another hit on meat producer JBS have put pressure on politicians to respond.


Many of the attacks come from large, well-organized gangs that operate almost like businesses, negotiating ransoms with victims and then restoring access. They are mostly based in countries including Russia, Belarus and other Eastern European nations, according to security researchers. During a summit in June, President Biden told Russian President Vladimir Putin that the United States will take “any necessary action” to defend U.S. infrastructure, according to the White House.

Some laws already require companies to notify consumers if their data was leaked, but if an attacker is simply asking for money to restore access to a computer network, companies are generally off the hook for disclosure.

Politicians from both parties have already gotten together to propose legislation that would force companies in some sectors to report attacks.

In June, Sens. Mark R. Warner (D-Va.), Marco Rubio (R-Fla.) and Susan Collins (R-Maine) proposed a bill that would require companies that operate “critical infrastructure” such as emergency services, telecommunications networks and water utilities to tell the Department of Homeland Security within 24 hours of being hit. The bill would build on an order the Transportation Security Administration sent after the Colonial hack ordering pipeline companies to disclose future intrusions to the government.

Another bill in the works, from Sen. Gary Peters (D-Mich.), would require companies to share information on hacks with the government while also trying to assist them in dealing with the fallout, according to Jay Bhargava, a spokesman for the senator.


Additional bills seek to target other elements of cybercrime, showing that U.S. politicians are focusing on the issue. A June bill from Sens. Sheldon Whitehouse (D-R.I.), Lindsey O. Graham (R-S.C.), Richard Blumenthal (D-Conn.) and Thom Tillis (R-N.C.) aims to increase criminal penalties for targeting critical infrastructure such as dams and hospitals. Whitehouse and Sen. Steve Daines (R-Mont.) also presented a bill in June asking DHS to study ways to strike back at hackers.

Companies are often reluctant to come forward when they’ve been hit because of the risk of casting a shadow over their brand, said Kurtis Minder, a ransomware negotiator and founder of the cybersecurity firm GroupSense. In his position he speaks to dozens of companies that have been hit by ransomware attacks.

“The main concern would be reputational damage and loss of revenue as a result,” Minder said. “If the government made these disclosures — to the extent that a breach disclosure is not already required by law — confidential, it would help. Bonus would be if the government actively assisted in the recovery.”


Industry groups have opposed cybersecurity regulations in the past. In 2012, an effort by the Obama administration to set standards for security in critical industries was voted down by Republicans supported by the U.S. Chamber of Commerce and other trade groups.

On Tuesday, Whitehouse said it is time to overhaul security rules to protect against hacks.

“Over and over again, groups like the U.S. Chamber of Commerce have said ‘Don’t regulate us,’ ” he said at the hearing. “If you’re critical infrastructure, we should no longer tolerate this voluntary regime.”

A Chamber of Commerce spokesperson did not respond to a request for comment.