[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
RESPONDING TO RANSOMWARE: EXPLORING POLICY SOLUTIONS TO A CYBERSECURITY
CRISIS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
MAY 5, 2021
__________
Serial No. 117-12
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
44-930 PDF WASHINGTON : 2021
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas John Katko, New York
James R. Langevin, Rhode Island Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey Clay Higgins, Louisiana
J. Luis Correa, California Michael Guest, Mississippi
Elissa Slotkin, Michigan Dan Bishop, North Carolina
Emanuel Cleaver, Missouri Jefferson Van Drew, New Jersey
Al Green, Texas Ralph Norman, South Carolina
Yvette D. Clarke, New York Mariannette Miller-Meeks, Iowa
Eric Swalwell, California Diana Harshbarger, Tennessee
Dina Titus, Nevada Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey Carlos A. Gimenez, Florida
Kathleen M. Rice, New York Jake LaTurner, Kansas
Val Butler Demings, Florida Peter Meijer, Michigan
Nanette Diaz Barragan, California Kat Cammack, Florida
Josh Gottheimer, New Jersey August Pfluger, Texas
Elaine G. Luria, Virginia Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas Andrew R. Garbarino, New York,
James R. Langevin, Rhode Island Ranking Member
Elissa Slotkin, Michigan Ralph Norman, South Carolina
Kathleen M. Rice, New York Diana Harshbarger, Tennessee
Ritchie Torres, New York Andrew Clyde, Georgia
Bennie G. Thompson, Mississippi (ex Jake LaTurner, Kansas
officio) John Katko, New York (ex officio)
Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Mariah Harding, Subcommittee Clerk
C O N T E N T S
----------
Page
Statements
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement................................................. 3
Prepared Statement............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Prepared Statement............................................. 7
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Committee on Homeland
Security:
Oral Statement................................................. 5
Prepared Statement............................................. 6
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 8
Witnesses
Major General John A. Davis, U.S. Army (Retired), Vice President,
Public Sector, Palo Alto Networks:
Oral Statement................................................. 12
Prepared Statement............................................. 13
Ms. Megan H. Stifel, Executive Director, Americas, Global Cyber
Alliance:
Oral Statement................................................. 16
Prepared Statement............................................. 18
Mr. Denis Goulet, Commissioner, Department of Information
Technology, and Chief Information Officer, State of New
Hampshire, and President, National Association of Chief
Information Officers, Testifying on Behalf of the National
Association of Chief Information Officers:
Oral Statement................................................. 21
Prepared Statement............................................. 23
Mr. Christopher C. Krebs, Private Citizen, Former Director of the
Cybersecurity and Infrastructure Security Agency, U.S.
Department of Homeland Security:
Oral Statement................................................. 27
Prepared Statement............................................. 28
RESPONDING TO RANSOMWARE: EXPLORING POLICY SOLUTIONS TO A CYBERSECURITY
CRISIS
----------
Wednesday, May 5, 2021
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:30 p.m., via
Webex, Hon. Yvette Clarke [Chairwoman of the Subcommittee]
presiding.
Present: Representatives Clarke, Jackson Lee, Langevin,
Rice, Torres, Garbarino, Norman, Harshbarger, and Clyde.
Also present: Representative Katko.
Chairwoman Clarke. The Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation will come to order.
Without objection, the Chair is authorized to declare the
subcommittee--oops, excuse me. Let me move forward.
Good afternoon and thank you to our witnesses for joining
us today to discuss how we can respond to the ransomware
crisis.
You know, I first chaired this subcommittee over 10 years
ago. While ransomware is not a new problem, the number of cases
and the financial impact has skyrocketed since then. That is
why I wanted to focus on ransomware at our first subcommittee
hearing this year. We must understand the problem we are
facing, learn more about how the Federal Government should
respond, and do something.
Estimates show that ransomware victims paid $350 million in
ransom payments last year. Among those victims were 2,400 U.S.-
based governments, health care facilities, and schools. As the
COVID-19 pandemic forced governments and businesses to shift to
remote work, thousands found themselves locked out of their
networks as cyber criminals demanded ransom payments. These
attacks are more than a mere inconvenience. They are a National
security threat. It is time for bold action rooted in robust
partnerships between the Federal Government and its State,
local, and private-sector partners.
In the coming days, I will introduce the State and Local
Cybersecurity Improvement Act, which will authorize $500
million in annual grants to State, local, territorial, and
Tribal governments to strengthen their cybersecurity. As the
ever-increasing number of ransomware attacks on State and local
governments demonstrates, adequate treatment in cybersecurity
has been lacking and more resources are needed.
Just last week we saw some ransomware attacks that released
sensitive law enforcement information from police departments
in Washington, DC, and Presque Isle, Maine, showing that
cities, large and small, are vulnerable to this type of cyber
crime. This legislation would ensure funding is available while
insisting State and local governments step up to prioritize
cybersecurity in their own budgets.
I am proud of the bipartisan support this bill has received
on this committee and look forward to working with Ranking
Member Garbarino along with Chairman Thompson and Ranking
Member Katko to get this critical bill enacted. I hope this
hearing will give us an opportunity to learn more about the
challenges State chief information officers face under current
funding constraints and how they would be able to use
additional resources to strengthen their defenses to
ransomware.
While State and local governments are some of the most
notable victims of ransomware, this crisis affects many private
businesses in the United States and around the world.
Combatting this threat will require coordination between the
public and private sectors and all levels of government.
The Ransomware Task Force report released last week
provided 48 recommendations on what Government and industry can
do to address this crisis in the coming months and years. I am
excited to have 2 of those co-chairs of the task force here
today to share more information on the recommendations.
As Secretary Mayorkas has made clear in announcing that
addressing ransomware would be the first of DHS's 60-day sprint
on pressing cybersecurity challenges, responding to ransomware
is a priority for his administration. It is definitely a
priority for this committee and many in Congress.
So, I hope that this hearing will help further the
conversation on how the private sector, Congress, the Executive
branch, and State and local governments can collaborate to
address this crisis head-on. In particular, I am interested to
learn how other committee priorities, including developing a
cyber incident reporting framework, could improve our
understanding of ransomware trends and how to defend against
such attacks.
Relatedly, I am interested to hear how CISA can play an
important role in information sharing and coordinating this
response. As the agency that works closely with governments at
all levels and the private sector on cybersecurity matters, I
know it will have a significant role on this issue going
forward.
[The statement of Chairwoman Clarke follows:]
Statement of Chairwoman Yvette D. Clarke
May 5, 2021
Good afternoon and thank you to our witnesses for joining us today
to discuss how we can respond to the ransomware crisis.
I first chaired this subcommittee over 10 years ago. While
ransomware is not a new problem, the number of cases and the financial
impact has skyrocketed since then. That's why I wanted to focus on
ransomware at our first subcommittee hearing of the year. We must
understand the problem we're facing and learn more about how the
Federal Government should respond.
Estimates show that ransomware victims paid $350 million in ransom
payments last year. Among those victims were 2,400 U.S.-based
governments, health care facilities, and schools. As the COVID-19
pandemic forced governments and businesses to shift to remote work,
thousands found themselves locked out of their networks as cyber
criminals demanded ransom payments. These attacks are more than a mere
inconvenience--they are a National security threat. It is time for bold
action rooted in robust partnerships between the Federal Government and
its State, local, and private-sector partners.
In the coming days, I will introduce the State and Local
Cybersecurity Improvement Act, which would authorize $500 million in
annual grants to State, local, territorial, and Tribal governments to
strengthen their cybersecurity. As the ever-increasing number of
ransomware attacks on State and local governments demonstrates,
adequate investment in cybersecurity has been lacking, and more
resources are needed. Just last week, we saw ransomware attacks that
released sensitive law enforcement information from police departments
in Washington, DC and Presque Isle, Maine, showing that cities large
and small are vulnerable to this kind of cyber crime.
This legislation would ensure funding is available, while insisting
State and local governments step up to prioritize cybersecurity in
their own budgets. I am proud of the bipartisan support this bill has
received on this committee and look forward to working with Ranking
Member Garbarino, along with Chairman Thompson and Ranking Member
Katko, to get this critical bill enacted. I hope this hearing will give
us an opportunity to learn more about the challenges State chief
information officers face under current funding constraints and how
they would be able to use additional resources to strengthen their
defenses to ransomware.
While State and local governments are some of the most notable
victims of ransomware, this crisis affects many private businesses in
the United States and around the world. Combatting this threat will
require coordination between the public and private sector and all
levels of government. The Ransomware Task Force Report released last
week provided 48 recommendations on what Government and industry can do
to address this crisis in the coming months and years. I am excited to
have 2 of the co-chairs of the Task Force here today to share more
information on the recommendations.
As Secretary Mayorkas has made clear in announcing that addressing
ransomware would be the first of DHS's 60-day sprints on pressing
cybersecurity challenges, responding to ransomware is a priority for
this administration. And it is definitely a priority for this committee
and many in Congress. So, I hope that this hearing will help further
the conversation on how the private sector, Congress, the Executive
branch, and State and local governments can collaborate to address this
crisis. In particular, I am interested to learn how other committee
priorities--including developing a cyber incident reporting framework--
could improve our understanding of ransomware trends and how to defend
against such attacks. Relatedly, I am interested to hear how CISA can
play an important role in information sharing and coordinating this
response. As the agency that works closely with governments at all
levels and the private sector on cybersecurity matters, I know it will
have a significant role on this issue going forward.
With that, I would like to again thank the witnesses for being
here.
Chairwoman Clarke. With that, I would like to again thank
the witnesses for being here. The Chair now recognizes the
Ranking Member of the subcommittee, Mr. Garbarino from New
York, for an opening statement.
Mr. Garbarino. Thank you, Chairwoman. Thank you very much.
Thank you to the witnesses for being here today. This is a very
important issue.
The global cost of ransomware has risen to $20 billion a
year. Over the past several years ransomware attacks have
increased at an alarming rate. Attacks like NotPetya and
WannaCry have had devastating impacts to critical sectors
across the globe. Just a few months ago, both the Bay Shore and
Lindenhurst School Districts on Long Island in my district were
hit with cyber attacks.
I am determined to work with hospitals, schools, and small
businesses in New York's Second District and across the country
to improve their cybersecurity posture in the wake of
increasing threats. I believe it now more important than ever
to work with agencies like CISA, the Secret Service, and the
Treasury Department to combat malicious cyber actors from
targeting our struggling small businesses, health care
institutions, and State and local governments. We must think of
new, innovative ways to interrupt cyber criminals' ability to
see this as a financially viable way of doing business.
It should come as a surprise to no one in this hearing that
these ransomware attacks have devastating real-world
consequences for Americans. Every minute that a hospital goes
down is a minute of missed critical care. The same goes for
almost every industry. We must work to put a stop to this. We
need to double down on ensuring State and local entities and
small businesses are prepared and adopt basic cybersecurity
best practices to mitigate cyber risks. These practices can
include two-factor authentication, strong passwords, retaining
backups, developing a response plan, and updating software.
CISA, in partnership with the Multi-State Information
Sharing and Analysis Center, also covers several no-cost
services across the Nation that should be leveraged by State
and locals and the private sector. This includes the Joint
Ransomware Guide developed both by CISA and the MS-ISAC that
includes industry best practices and serves as consolidated
resources for SLTT and the private sector.
I am a proud original cosponsor of the Chairwoman's State
and Local Cybersecurity Improvement Act. While we all can agree
more resources for our State and local governments are
necessary, we must also ensure these funds are spent
responsibly and effectuate meaningful impacts on risk
reduction.
This important bill is a tremendous step forward in our
fight, but we cannot stop there. While somewhere near only 2
percent of all cryptocurrency payments are nefarious, we know
that most, if not all, ransomware payments utilize the
anonymity of cryptocurrencies. We must adopt an all-of-the-
above approach to dealing with this scourge. There is no single
silver bullet.
I look forward to hearing from our witnesses today about
the innovative solutions Congress should consider as we work to
degrade and ultimately eliminate the viability of ransomware.
Thank you, Madam Chairwoman, for bringing this important
issue before us today. I yield back.
[The statement of Ranking Member Garbarino follows:]
Statement of Ranking Member Andrew R. Garbarino
The global cost of ransomware has risen to $20 billion a year.
Over the past several years ransomware attacks have increased at an
alarming rate. Attacks like NotPetya and WannaCry have had devastating
impacts to critical sectors across the globe.
Just a few months ago, both the Bay Shore and Lindenhurst school
districts on Long Island were hit with cyber attacks. I am determined
to work with hospitals, schools, and small businesses in New York's 2d
district and across the country to improve their cybersecurity posture
in the wake of increasing threats.
I believe it is now more important than ever to work with agencies
like CISA, the Secret Service, and the Treasury Department to combat
malicious cyber actors from targeting our struggling small businesses,
health care institutions, and State and local governments.
We must think of new innovative ways to interrupt cyber criminals'
ability to see this as financially viable way of doing business.
It should come as a surprise to no one in this hearing that these
ransomware attacks have devastating real-world consequences for
Americans. Every minute that a hospital goes down is a minute of missed
critical care. The same goes for almost every industry.
We must work to put a stop to this.
We need to double down on ensuring State and local entities and
small businesses are prepared and adopt basic cybersecurity best
practices to mitigate cyber risks. These practices can include: Two-
factor authentication, strong passwords, retaining backups, developing
a response plan, and updating software.
CISA, in partnership with the Multi-State Information Sharing and
Analysis Center (MS-ISAC), also offers several no-cost services across
the Nation that should be leveraged by State and locals and the private
sector. This includes the Joint Ransomware Guide, developed by both
CISA and the MS-ISAC that includes industry best practices and serves
as a consolidated resource for SLTT and the private sector.
I am a proud original cosponsor of the Chairwoman's State and Local
Cybersecurity Improvement Act. While we all can agree more resources
for our State and local governments are necessary, we must also ensure
these funds are spent responsibly, and effectuate meaningful impacts on
risk reduction. This important bill is a tremendous step forward in our
fight, but we can't stop there.
While somewhere near only 2 percent of all cryptocurrency payments
are nefarious, we know that most, if not all ransomware payments
utilize the anonymity of cryptocurrencies.
We must adopt an ``all of the above'' approach to dealing with this
scourge. There is no single silver bullet.
I look forward to hearing from our witnesses today about the
innovative solutions Congress should consider as we work to degrade,
and ultimately eliminate the viability of ransomware.
Thank you, Madam Chair, for bringing this important issue before us
today.
Chairwoman Clarke. I thank the Ranking Member. Members are
also reminded that the committees will operate according to the
guideline laid out by the Chairman and Ranking Member in their
February 3 colloquy regarding remote procedures.
The Chair now recognizes the Ranking Member of the full
committee, the gentlemen from New York, another gentleman from
New York, Mr. Katko, for an opening statement.
Mr. Katko. Thank you, Chairwoman, from the great State of
New York. I appreciate it. Ranking Member Garbarino, thank you
for holding this important hearing.
Mr. Krebs, it is always good to see you. It has been 24
hours since we were in a meeting together, so nice to see you
again.
In 2020, we witnessed one of the worst years on record for
ransomware attacks and it could not have come at a more tenuous
time for our society. With the onset of the pandemic, the
Nation drastically shifted to remote work and services. While
this yielded great benefits, it also provided a more expansive
attack surface for cyber criminals. As COVID-19 cases
increased, so did the number of devastating ransomware attacks.
This trend represents an acceleration of what has impacted
communities all across America for the past several years. In
my district, for example, the Syracuse City School District and
Onondaga County Library System previously fell victim to
ransomware attacks that shut down their systems and halted the
critical services that they provide.
I cannot emphasize this strongly enough: State and local
governments and small businesses should leverage free services
that CISA offers to help prevent and mitigate the scourge of
ransomware attacks. CISA's guidance and services can help SLTT
and small businesses take meaningful steps to increase the
cyber-secured posture of their networks. These preventative
actions can make the difference between a devastating cyber
event and business as usual.
We also must ensure CISA has the resources and capabilities
to go toe-to-toe with sophisticated cyber criminals. CISA has
made great strides to keep pace with the evolving threat, but
there is must more that needs to be done.
The Fiscal Year 2021 National Defense Authorization Act
provided important authorities that I advocated for that would
ultimately allow CISA to rise to the challenge. But these must
be met with resources to implement them. As I have continued to
say, Congress needs to put CISA on a path to being a $5 billion
agency.
I have been pleased to see CISA leveraging some of its
newly established authorities, including State cybersecurity
coordinators. These coordinators will be CISA's main point of
contact embedded in each State government and be particularly
important to ensuring it has a strong understanding of the
needs of our local governments.
Additionally, I am happy to see CISA is fully leveraging
its new authority provided by the DOTGOV Act to administer the
top-level domain to provide secure and trustworthy dot-gov
domains to State and local governments at no cost. CISA should
also be doubling down on its efforts to stand up the Joint
Cyber Planning Office to widen and streamline channels of
communication between the Federal Government and industry.
We must think outside the box when it comes to slowing the
rapid expansion of ransomware. Equipping State and local
governments with the resources to bolster their defenses is an
important first step. I am looking forward to working with
Subcommittee Chairwoman Clarke and Chairman Thompson on the
State and Local Cybersecurity Improvement Act to achieve that
goal, but we can't stop there.
I look forward to hearing testimony from our witnesses on
approaches that Congress should consider as we strive to tackle
this problem once and for all. Recommendations from the
Ransomware Task Force are a great place to start. But let us
keep the pedal to the metal because we have a long way to go.
With that, Madam Chairwoman, I yield back.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
Thank you, Chairwoman Clarke, and Ranking Member Garbarino for
holding this important hearing.
In 2020 we witnessed one of the worst years on record for
ransomware attacks, and it could not have come at a more tenuous time
for our society. With the onset of the pandemic, the Nation drastically
shifted to remote work and services. While this yielded great benefits,
it also provided a more expansive attack surface for cyber criminals.
As COVID-19 cases increased, so did the number of devastating
ransomware attacks. This trend represents an acceleration of what has
impacted communities all across America for the past several years. In
my district, the Syracuse City School District and Onondaga County
Library System previously fell victim to ransomware attacks that shut
down their systems and halted the critical services they provide.
I cannot emphasize this strongly enough: State and local
governments and small businesses should leverage the free services the
Cybersecurity and Infrastructure Security Agency (CISA) offers to help
prevent and mitigate the scourge of ransomware attacks. CISA's guidance
and services can help SLTT, and small businesses take meaningful steps
to increase the cybersecurity posture of their networks. These left-of-
attack preventative actions can make the difference between a
devastating cyber event and business as usual.
We also must ensure CISA has the resources and capabilities to go
toe-to-toe with sophisticated cyber criminals. CISA has made strides to
keep pace with the evolving threat, but there's more to be done. The
Fiscal Year 2021 National Defense Authorization Act provided important
authorities that I advocated for that will ultimately allow CISA to
rise to the challenge, but these must be met with resources to
implement them. As I have continued to say, Congress needs to put CISA
on a path to being a $5 billion agency.
I have been pleased to see CISA leveraging some of its newly-
established authorities including State cybersecurity coordinators.
These coordinators will be CISA's main point of contact embedded in
each State government and be critically important to ensuring it has a
strong understanding of the needs of our State and local governments.
Additionally, I am happy to see CISA is fully leveraging its new
authority provided by the DOTGOV Act to administer the top-level domain
to provide secure and trustworthy .gov domains to State and local
governments at no cost. CISA should also be doubling down on its
efforts to stand up the Joint Cyber Planning Office to widen and
streamline channels of communication between the Federal Government and
industry.
We must think outside the box when it comes to slowing the rapid
expansion of ransomware. Equipping State and local governments with the
resources to bolster their defenses is an important step, and I'm
looking forward to working with Subcommittee Chairwoman Clarke and
Chairman Thompson on the State and Local Cybersecurity Improvement Act
to achieve that goal. But we can't stop there. I look forward to
hearing testimony from our witnesses on the innovative approaches that
Congress should consider as we strive to tackle this problem once and
for all. The recommendations from the Ransomware Task Force are a great
place to start, but let's keep the pedal to the metal.
Chairwoman Clarke. I thank you, Mr. Ranking Member, for
your statement. Additional statements may be submitted for the
record.
[The statements of Chairman Thompson and Honorable Jackson
Lee follows:]
Statement of Chairman Bennie G. Thompson
May 5, 2021
Good afternoon. I want to thank Chairwoman Clarke for holding this
important hearing on the ransomware crisis facing our country.
Last fall, in my district, the Yazoo County School District paid
$300,000 to a cybersecurity firm to recover data that was encrypted in
a ransomware attack.
For a county of fewer than 30,000 people, that is a lot of money.
In fact, that is 1.5 percent of the school district's annual budget
that had to be spent on just one incident.
Unfortunately, Yazoo County is not alone. School districts across
the country have been forced to respond to ransomware attacks in the
midst of the unprecedented challenges they have faced during this
pandemic, where access to technology has been more important than ever.
To be clear, this is a National security issue.
We cannot expect school districts like Yazoo County to defend
themselves alone when these attacks are coming from sophisticated
criminal gangs based overseas that frequently have the tacit or even
direct support of adversaries like Russia or North Korea.
And the harms these communities face are frequently not just
financial.
Ransomware attacks have led to canceled school days, delayed
medical procedures, and disruptions to emergency response services.
For these reasons, it is essential that we pass Chairwoman Clarke's
State and Local Cybersecurity Improvement Act to ensure State, local,
territorial, and Tribal governments get the assistance they need to
defend their networks.
I am proud to be a cosponsor of this important legislation and look
forward to working with Chairwoman Clarke and the bill's bipartisan
group of supporters to get it enacted into law.
We cannot afford to wait any longer to provide the funding
necessary to protect our State and local governments.
Fortunately, it is clear that the Biden administration has made
addressing ransomware a priority.
From Secretary Mayorkas announcing DHS's 60-day sprint on
ransomware to the Justice Department's new task force, the Executive
branch is now demonstrating the coordinated approach that reflects the
gravity of this threat.
This committee stands ready to work with them to ensure the
resources and authorities are there to fulfill this critical mission.
The recently released Ransomware Task Force report provides
numerous recommendations on how we can develop a cohesive approach to
combatting ransomware.
I appreciate the hard work of the members of the Task Force in
putting together this comprehensive document in just the last 3 months,
reflecting the urgency of this growing crisis.
The report makes clear that despite the many challenges presented
by cryptocurrencies and foreign adversaries that help disguise and
protect ransomware criminals, there are important steps the Government
can take to enhance defenses, improve information sharing, and
collaborate with partners in the private sector and internationally to
tack this problem.
These proposals have given Congress much to consider, and we are
committed to ensuring that this issue remain a priority for Congress,
so we can take meaningful action.
I am eager to hear more from the witnesses on these recommendations
and how they envision DHS's role in implementing them.
I thank the witnesses for being here and again thank Chairwoman
Clarke for her leadership on this issue and congratulate her on
returning to chairing this important this subcommittee.
I look forward to continuing to work with her, along with the new
subcommittee Ranking Member, Mr. Garbarino, on important cybersecurity
issues like this one.
I yield back.
______
Statement of Honorable Sheila Jackson Lee
May 5, 2021
Chairwoman Yvette Clarke, and Ranking Member Andrew Garbarino,
thank you for convening today's hearing on ``Responding to Ransomware:
Exploring Policy Solutions to a Cybersecurity Crisis.''
I thank today's witnesses:
Maj. Gen. John Davis (Ret.), vice president and Federal
chief security officer at Palo Alto Networks;
Ms. Megan Stifel, executive director, Americas at the Global
Cyber Alliance;
Mr. Denis Goulet, commissioner, Department of Information
Technology and chief information officer, State of New
Hampshire (on behalf of the National Association of State Chief
Information Officers); and
Mr. Chris Krebs, former director, Cybersecurity and
Infrastructure Security Agency, U.S. Department of Homeland
Security.
I especially want to extend my thanks and appreciation to Mr.
Christopher Krebs who has appeared before this committee on the topic
of cybersecurity as the first director of the Department of Homeland
Security's Cybersecurity and Infrastructure Security Agency (CISA).
Your service to our Nation at a time when Russia worked to
undermine the security of the 2020 election, just as it had done in the
2016 election was exemplary.
I regret that your work as head of CISA ended over your firm belief
in being truthful to the American people regarding the cybersecurity of
the election that Joe Biden won with over 7 million more votes than his
opponent Donald J. Trump.
Cybersecurity is not something you can see or actively prove--it is
established by each moment of each day that a network or computing
device remains free of breaches by adversaries.
This hearing will provide Members the opportunity to engage with
subject-matter experts on the problem of ransomware attacks.
The purpose of this hearing is to explore emerging trends in
ransomware attacks and how the Government and private sector are
working together to improve network defense.
In particular, the hearing will provide an opportunity to evaluate
the recommendations made by the Ransomware Task Force report, released
on Thursday of last week, which includes 48 recommendations directed at
Federal agencies, State and local governments, private-sector entities,
and the international community to develop a comprehensive approach to
confronting ransomware.
We know from our work on this committee that determined adversaries
will spare little to succeed in breaching U.S. networks.
The goal of cybersecurity throughout the Federal Government must be
to block adversaries when it is possible, detect and eradicate them
quickly when it is not, and impose consequences to raise the costs and
deter malicious behavior in cyber space.
For 4 years, Federal efforts to raise the National cybersecurity
posture--across Federal networks, State and local governments, and the
private sector--were stunted by a lack of steady, consistent leadership
from the White House, leaving agencies to pursue piece-meal approaches
to cybersecurity.
Congressional efforts to address the weaknesses in Federal
cybersecurity include several Jackson Lee bills that include following
measures introduced in the 117th Congress:
H.R. 119--Cyber Defense National Guard Act, which requires the
Office of the Director of National Intelligence to report to Congress
regarding the feasibility of establishing a Cyber Defense National
Guard that may be activated during emergencies that affect the
cybersecurity of the Nation or critical infrastructure.
H.R. 118--Cyber Vulnerability Disclosure Reporting Act, requires
the Department of Homeland Security to submit a report describing the
policies and procedures developed to coordinate the disclosure of cyber
vulnerabilities. The report shall describe instances when these
policies and procedures were used to disclose cyber vulnerabilities in
the previous year. Further, the report shall mention the degree to
which the disclosed information was acted upon by stakeholders.
H.R. 57, the DHS Cybersecurity Asset Protection of Infrastructure
under Terrorist Attack Logistical Structure Act or the CAPITALS Act,
which requires the Department of Homeland Security (DHS) to report to
Congress on the feasibility of establishing a DHS Civilian Cyber
Defense National Resource.
The goals of the Jackson Lee legislative efforts during the 116th
Congress were to raise the baseline cybersecurity posture across the
Federal and work with the private sector to reduce avoidable,
opportunistic attacks and to refocus talent, time, and resources on
preventing, detecting, and eliminating more sophisticated attacks.
The Raising the Nation's baseline cybersecurity posture will
require a systemic, whole-of-Government approach to cybersecurity.
the need to take action
Ransomware is a form of cyber crime where criminal actors
compromise a victim's computer systems, preventing access or
threatening to release sensitive information if the victim does not
provide a ransom payment.
In recent years, the number of ransomware attacks has increased
significantly, affecting school districts, police departments,
hospitals, and numerous businesses, among others.
In 2020, an estimated 2,400 governments, hospitals, and school
districts were victims of ransomware attacks in the United States.
Victims made an estimated $350 million in ransomware payments in
2020, with an average payment of $312,493.
In the first quarter of 2021, the average monetary demand
associated with a ransomware attack increased to $220,298, up 43
percent from the previous quarter.
While many businesses suffer significant losses due to disruptions
from ransomware and the cost of remediation or making ransom payments,
when criminals groups target Government entities or other critical
infrastructure, the effects can pose significant risks to public
safety.
For example, there were 560 ransomware attacks on U.S. health care
facilities in 2020, in some cases causing delays in treatment for
serious illnesses.
In a growing number of ransomware attacks, the perpetrators engage
in ``double extortion'' where they threaten to release sensitive data
publicly if a ransom payment is not made.
Last week, the Washington, DC police department was hit by a
ransomware attack that included the release of detailed background
reports on 5 current or former police officers and the threat to
release files publicly.
Ransomware can be delivered in various ways, the majority of which
utilize email. Ransomware are real, but computers aren't infected just
by opening emails anymore.
Just opening an email to view it is safe now--although attachments
& links in the email can still be dangerous to open.
Phishing is one of the most common methods of delivering
ransomware. When a user downloads a malicious attachment within a
phishing email which contains ransomware, all of the user's files are
encrypted and made inaccessible until ransom is paid.
While it is not always possible to prevent a successful attack,
engaging in general security best practices and implementing effective
email protection can drastically reduce your risk.
This is why I introduce an amendment to last year's National
Defense Authorization Act that implements a recommendation made by the
Cyberspace Solarium Commission to require the Secretary of Homeland
Security to develop a strategy to implement Domain-based Message
Authentication, Reporting, and Conformance (DMARC) standard across
U.S.-based email providers.
I thank my Colleagues Congressmen Langevin, Gallagher, Katko, and
Joyce for joining this bipartisan amendment to the fiscal year NDAA.
This amendment focused on the vulnerability of the internet's
underlying core email protocol, Simple Mail Transport Protocol (SMTP),
which was first adopted in 1982 and is still deployed and operated
today.
However, this protocol is susceptible to a wide range of attacks
including man-in-the-middle content modification and content
surveillance.
The security of email has grown in importance as it has become in
many ways the primary way that businesses, consumers, Government
communicate.
The Solarium Commission's 75 recommendations are organized under 6
pillars:
(1) Reform the U.S. Government's Structure and Organization for
Cyberspace;
(2) Strengthen Norms and Non-Military Tools;
(3) Promote National Resilience;
(4) Reshape the Cyber Ecosystem toward Greater Security;
(5) Operationalize Cybersecurity Collaboration with the Private
Sector; and
(6) Preserve and Employ the Military Instrument of Power.
This amendment presented an opportunity to take a significant step
forward in establishing a cybersecurity ecosystem that reinforces a
cultural shift in how the Federal Government enforces norms that
sustain cybersecurity.
Most recently, the Russian government infiltrated Government and
critical infrastructure networks, in part, by executing a supply chain
attack through the SolarWinds Orion platform.
In December, the Federal Government learned the Russian government
had executed a malicious cyber campaign targeting Federal networks and
certain critical infrastructure.
Russian hackers used a combination of traditional tactics,
techniques, and procedures (e.g.: password guessing) and a supply chain
attack to infiltrate targeted networks.
In a supply chain attack, malicious actors infiltrate a target
network by exploiting security vulnerabilities in the network of a
trusted partner to gain access to the targeted network.
In this case, one of the trusted partners was SolarWinds, a U.S.-
based vendor whose Orion Platform provides network monitoring services
to entities across the world, including the U.S. Government.
To execute the attack, hackers gained access to SolarWinds and
injected malicious code into an Orion software update sent to customers
in March 2020.
The malicious code created a back door in the affected network that
caused the server to communicate with a U.S. IP address after a dormant
period.
In response, hackers sent additional malicious code to some, but
not all, affected networks.
Ultimately, the additional malicious code allowed hackers to access
elevated credentials and move around a victim's network, monitoring
activity and slowly taking data. To deceive security products on
customers' networks, actors disguised their activity as normal network
traffic and were able to persist through the creation of additional
credentials from other applications.
A total of 18,000 SolarWinds customers downloaded the compromised
version of Orion, but far fewer have identified activity beyond the
creation of a backdoor.
Nearly 40 Federal agencies downloaded the compromised SolarWinds
Orion update, but evidence of further compromise has only been detected
at 9 Federal agencies to date. Agencies that downloaded the compromised
Orion update continue to hunt for indicators of compromise.
It is important to note that about 30 percent of both Government
and non-Government victims of the Russian cyber campaign had no direct
connection with Solar Winds.
According to news reports, hackers also breached networks by
``exploiting known bugs in software products, by guessing on-line
passwords and by capitalizing on a variety of issues in the way
Microsoft Corp.'s cloud-based software is configured.''
Bugs can also be called Zero Day Events that if exploited could
cost significant disruption in the function of application or services
that rely in computers or remote computing services.
The SolarWind Orion exploit was not, from what we have learned thus
far was not intended to damage or disrupt computing systems, it was
designed to spy on networks and spread to other systems.
The SolarWinds campaign illustrates many of the shortcomings in the
Federal Government's ability to monitor and respond to threats on
private networks.
Because there is no overarching Federal law requiring private
entities to report cybersecurity incidents, there is little public
information on the number of victims that installed the infected
versions of SolarWinds Orion or experienced second-stage intrusions.
The Cybersecurity and Infrastructure Security Agency should be
empowered to more effectively coordinate and lead interagency
cybersecurity and risk management activities.
Congress should provide CISA the authorities and budget that match
its mission.
Over the past decade, the private sector has raised fair concerns
about the value of many Federal cybersecurity programs and has used its
concerns as an excuse for not fully participating, to the detriment of
National cybersecurity efforts.
That must stop. The private sector has an important role to play to
improve the Nation's cybersecurity posture and must step up.
Solving this cybersecurity challenge will require creativity from
policy makers as we seek out new strategies to bolster security efforts
for Federal and private-sector networks.
I look forward to working with the committee on a cybersecurity
bill to address the issues raised in my statement.
I look forward to questions and answers with our witnesses.
I yield back.
Chairwoman Clarke. I now welcome our panel witnesses.
Retired Major General John Davis is the vice president for
the Public Sector at Palo Alto Networks and is also a co-chair
of the Ransomware Task Force at the Institute for Security and
Technology. Prior to joining the Palo Alto Networks, General
Davis served as the senior military advisor for cyber to the
undersecretary of defense for policy and served as the acting
deputy assistant secretary of defense for cyber policy.
Ms. Megan Stifel is the executive director for the Americas
at the Global Cyber Alliance and is also a co-chair of the
Ransomware Task Force. Prior, Ms. Stifel served as a director
for international cyber policy in the National Security Council
at the White House and was an attorney in the National Security
Division at the Department of Justice.
Mr. Denis Goulet is the commissioner of the Department of
Information Technology for the State of New Hampshire and the
current president of the National Association of State Chief
Information Officers. Mr. Goulet also has nearly 30 years of
private-sector IT experience in the sectors ranging from health
care to manufacturing.
Finally, Mr. Chris Krebs, former director of the
Cybersecurity and Infrastructure Security Agency, CISA, at the
Department of Homeland Security.
Without objection, the witnesses' full statements will be
inserted in the record. I now ask each witness to summarize his
or her statement for 5 minutes beginning with General Davis.
STATEMENT OF MAJOR GENERAL JOHN A. DAVIS, U.S. ARMY (RETIRED),
VICE PRESIDENT, PUBLIC SECTOR, PALO ALTO NETWORKS
Mr. Davis. Good afternoon. I am honored to appear before
you today to discuss actionable policy solutions to address the
unsustainable rise of ransomware. I would like to thank
Chairman Thompson and Ranking Member Katko, Chairwoman Clarke
and Ranking Member Garbarino for their leadership on this
important issue. I offer my commitment to work in partnership
with you and your staff to support the committee's actions to
address this threat.
That the committee would hold this hearing shows that you
see what we do, that ransomware is a profound and growing
threat. Indeed, we believe that it has crossed a threshold. It
is no long purely a criminal nuisance driven by a profit
motive. Now it is impacting National security, economic
stability, and public health and safety of the National and
international community on a massive scale.
Unfortunately, the problem is getting worse. An analysis by
the Palo Alto Networks' Unit 42 Threat Intelligence team
concluded that the average ransom paid for organizations
increased 171 percent year over year from 2019 to 2020.
Adversary tactics are increasingly egregious. As mentioned
earlier, in 2020, for instance, ransomware disproportionately
impacted the health care sector as hospital systems struggled
to cope with the COVID-19 pandemic.
This unsustainable trajectory compelled the creation of the
Ransomware Task Force. Our goal was not to achieve an
unrealistic outcome where all ransomware can be eliminated.
Rather our objective is to proactively and relentlessly disrupt
the ransomware business model and make ransomware a threat that
can be more effectively managed through a series of coordinated
actions which can be implemented by industry, Government, and
civil society. In total, the report identifies 48 actions
across 4 strategic goals: To deter ransomware attacks through a
Nationally and internationally coordinated comprehensive
strategy; to disrupt the ransomware business model and decrease
criminal profits; to help organizations prepare for ransomware
attacks; and to respond to ransomware attacks more effectively.
Our recommendations should be viewed as a set of collective
mutually reinforcing actions that should be applied with
continuous, coordinated, and overwhelming pressure. Some can be
immediately pursued, some will require more time and creative
policy solutions, including new legislation. I will focus today
on 2 of the report's recommendations.
First, the United States should lead by example and execute
a sustained, aggressive, whole-of-Government anti-ransomware
campaign coordinated by the White House and in partnership with
the private sector. The foundational step is recognizing that
the nature of the ransomware challenge will require a massive
team effort across Government, industry, academia, nonprofits,
and the international community. This effort and our
recommendations must be embraced at the highest levels of
Government and industry as a policy priority and given
sufficient resources. To this end, we are heartened to see
recent actions at the Department of Homeland Security and the
Department of Justice that signal elevated prioritization.
Second, we should develop a clear, actionable framework for
ransomware mitigation, response, and recovery. We see a core
responsibility to help all organizations better prepare.
Improving the ability to prepare for and even prevent
ransomware events from happening in the first place is, in my
view, the single most important function in reducing this
threat to a manageable level. The adage an ounce of prevention
is worth a pound of cure is especially true in the case of
ransomware because once you have been hit, you have already
lost the battle and can only play a painful catch-up game.
Most organizations, regardless of size or security acumen,
are aware of the threat, yet these organizations don't
understand how to reduce their risk. An action we can take is
the creation of an internationally-accepted framework that
establishes clear steps to prevent or recover from attacks.
Finally, these recommendations serve as a foundation for
other policy actions. For example, the task force recommends
the creation of a cybersecurity grant for--a grant program for
States where funding for ransomware prevention technologies
could be unlocked through alignment to the best practice
framework once it is established. This will enhance the
resilience of local information systems and provide a much-
needed modernization of security tools to prevent attacks.
Distinguished Members of this subcommittee, thank you again
for the opportunity to testify today and I look forward to
answering your questions.
[The prepared statement of Mr. Davis follows:]
Prepared Statement of John A. Davis
May 5, 2021
Chairwoman Clarke, Ranking Member Garbarino, and distinguished
Members of the subcommittee, I am honored to appear before you today to
discuss actionable policy solutions to address the unsustainable rise
of ransomware. Thank you all for your leadership on this issue. I offer
my commitment to work in partnership with you and your staff to support
the subcommitte's oversight responsibilities on this issue.
That the committee would hold this hearing shows that you see what
we do: That ransomware is a profound and growing cybersecurity threat.
Indeed, ransomware has crossed a strategic threshold. It is no longer
purely a criminal nuisance driven by a profit motive. Rather, it is now
impacting National security, economic stability, and public health and
safety of the National and international community on a massive scale.
Unfortunately, the problem is getting worse. An analysis by the
Palo Alto Networks Unit 42 threat intelligence team concluded that the
average ransom paid for organizations increased 171 percent year over
year from 2019 ($115,123) to 2020 ($312,493). The highest-known paid
ransom in 2020 doubled from the previous years ($5 million to $10
million). And adversary tactics are getting increasingly egregious. In
2020, for instance, ransomware disproportionately impacted the health
care sector as hospital systems struggled to cope with the COVID-19
pandemic.
This unsustainable trajectory compelled Palo Alto Networks--and the
broader ecosystem of collaborators that comprised the Ransomware Task
Force--to take action. The Ransomware Task Force (RTF) is a public-
private coalition of over 60 experts from Government, industry,
nonprofits, and academia that came together to develop a comprehensive
framework to tackle the ransomware threat. I am honored to represent
the Task Force along with my colleague Megan Stifel at this hearing and
discuss some of the key policy recommendations from the report the RTF
released last week on April 29.
The goal of the RTF was not simply to help the world better
understand ransomware; we are well past that point. Nor was it to
achieve an unrealistic outcome where all ransomware could be
eliminated. Our objective was to proactively and relentlessly disrupt
the ransomware business model through a series of coordinated actions
which can be implemented by industry, Government, and civil society. In
total, the report identifies 48 actions across 4 strategic goals.
1. Deter ransomware attacks through a nationally and
internationally coordinated, comprehensive strategy;
2. Disrupt the ransomware business model and decrease criminal
profits;
3. Help organizations Prepare for ransomware attacks; and
4. Respond to ransomware attacks more effectively.
I will focus today on the report's recommendations that the United
States should lead by example and execute a sustained, aggressive,
whole-of-Government, intelligence-driven anti-ransomware campaign,
coordinated by the White House, and that the United States should
develop a clear, actionable framework for ransomware mitigation,
response, and recovery, mapped to specific security capabilities
organizations need to protect themselves.
Before turning to these points, I would like to introduce myself.
As a reminder, I am here today in my capacity as a co-chair of the
Ransomware Task Force. I am a retired U.S. Army Major General now
serving as Vice President of Public Sector for Palo Alto Networks,
where I am responsible for expanding cybersecurity and global policy
initiatives for the international public sector and assisting
governments and industry organizations around the world in preventing
successful cyber attacks and protecting our digital way of life. Prior
to joining Palo Alto Networks, I served as the senior military cyber
advisor at the Pentagon and was appointed as the acting deputy
assistant secretary of defense for cyber policy. Prior to this
assignment, I served in multiple leadership positions in operational
cyber assignments, special operations, and information warfare. These
experiences provide me with a unique perspective on both the commercial
cybersecurity marketplace as well as efforts under way across the U.S.
Government to leverage technological innovation to solve critical
cybersecurity challenges, including the threat of ransomware.
For those not familiar with Palo Alto Networks, we were founded in
2005 and have since become the world's largest cybersecurity company.
We serve more than 80,000 enterprise and Government organizations--
protecting billions of people--in more than 150 countries. We support
95 of the Fortune 100 and more than 71 percent of the Global 2000
companies, and are partnered with elite technology leaders.
Palo Alto Networks collaborates extensively with key stakeholders
across the U.S. Government and with like-minded countries
internationally on both policy and operational matters. For example,
Palo Alto Networks is a member of the President's National Security
Telecommunications Advisory Committee (NSTAC), providing industry
counsel on National security policy and technology issues for the White
House and other senior U.S. Government leaders; the Executive Committee
of the Information Technology Sector Coordinating Council (IT-SCC), the
principal entity for coordination between the Department of Homeland
Security and IT sector; and the Defense Industrial Base Sector
Coordinating Committee. Finally, we maintain robust threat
intelligence-sharing partnerships with DHS, the intelligence community
and across the international community to share technical threat data
and collaborate to support Government and industry response to
significant cyber incidents, like SolarWinds and Microsoft Exchange.
This commitment to meaningful collaboration with governments to
tackle our shared cybersecurity goals is what compelled us to join the
Ransomware Task Force. It has been an honor to be a part of this group
and I have been humbled by the depth of passion and expertise this
public-private partnership has brought to addressing this challenge.
The diversity of thought, perspectives, and experience that the RTF
reflects should give you confidence in the viability and immediacy of
the recommendations articulated in the report at accomplishing these
recommendations would lead to our overall shared strategic goals.
It's important to note that since its formation, the RTF has been
deeply cognizant that we are not the first group to seek to tackle the
ransomware issue. Many good initiatives have been stood up to focus on
addressing cybersecurity and the threat of ransomware specifically. We
stand on the shoulders of those efforts. The RTF never endeavored to
replace that work--but instead consolidate and clarify the very best
into a comprehensive strategic framework for action.
The RTF report recommendations are about dramatically reducing
ransomware as a threat; there are no illusions about ``solving
ransomware.'' Instead, the report takes a practical approach to change
the trajectory of this threat that has now crossed over a very
dangerous threshold. We believe that our recommendations can reduce
ransomware to a threat that can be more effectively managed like other
threats that are dealt with through a practical risk management
framework.
While I will highlight just a few of the report's key
recommendations, I believe that the recommendations in the report
should be viewed as a set of collective actions that should be applied
with continuous, coordinated and overwhelming pressure. Some of these
recommendations can immediately be pursued. Some will require creative
policy solutions, including new legislation.
RTF Report Recommendation.--The United States should lead by
example and execute a sustained, aggressive, whole-of-Government,
intelligence-driven anti-ransomware campaign, coordinated by the White
House.
A foundational step is recognizing that the nature of the
ransomware challenge will require a massive effort to sustainably shift
the trajectory. While I am a retired Army General, I will borrow a
phrase from my Naval comrades to say that our report calls for an ``all
hands on deck'' approach. No single organization, public or private,
has all of the capabilities, capacities, skills, experience, resources,
or authorities to act effectively in isolation.
It will take a team approach across Government, industry, academia,
nonprofits, and the international community. This effort and our
recommendations must be embraced at the highest levels of Government
and industry as a policy priority and given sufficient resources. To
this end, we are heartened to see recent actions at the senior levels
of the Department of Homeland Security and Department of Justice that
signal the elevated prioritization of addressing this issue on a
National and international level. But much more can and must be done to
elevate this to even higher organizational levels within the
administration.
RTF Report Recommendation.--Develop a clear, actionable framework
for ransomware mitigation, response, and recovery.
In addition to the need for greater strategic attention and
coordination at the National policy levels, we also saw a core
responsibility to help all organizations--States and localities,
schools, and critical infrastructure like hospital systems--better
prepare operationally for the threat of ransomware attacks.
Within the RTF, I was a co-chair of the Prepare Working Group.
Improving the ability to prepare for and even prevent most ransomware
events from happening in the first place is the single most important
function in reducing this threat to a manageable level. Building on
best practices that have proven to be successful, clarifying and
consolidating them, and making them easily accessible at appropriate
levels is one of the most powerful tools we can employ. The adage ``an
ounce of prevention is worth a pound of cure'' is especially true in
the case of ransomware because, once you have been hit, you have
already lost the battle and can only play catch up.
Most organizations, regardless of size or security acumen, are
aware of the threat of ransomware. But most are not similarly empowered
with adequate knowledge to quantify how finite resources can be applied
to reduce their risk to ransomware threats specifically. We need to
bridge the communications gap between IT and security professionals and
senior organizational leadership. We need organizations to stop
thinking about ransomware as a niche cybersecurity issue but instead as
a core business continuity risk that must be managed in the same way as
other physical disruptions.
The RTF saw the current State of awareness around ransomware as
similar to the environment prior to 2014, when no authoritative
compilation of best practices existed for cybersecurity generally. NIST
responded by leading a multi-stakeholder process to create the
Framework for Improving Critical Infrastructure Cybersecurity. In a
similar way, the single most impactful measure we can take to help
organizations is the creation of an internationally accepted framework
that establishes clear actionable steps to prevent ransomware, and
recover from it if prevention is not successful.
Of course, while technology isn't the only category associated with
building this framework, it is certainly an important arrow in the
quiver. Ransomware prevention technologies exist today and have
demonstrated success. However, these technologies are not widely
adopted. Coming from the cybersecurity industry, I have personally
witnessed both traditional and emerging technologies that have
demonstrated success in preventing ransomware attacks. Effective
technologies include Endpoint or Extended Detection and Response (EDR/
XDR) with automated behavioral analytics, fileless protections and
deceptive technologies that stage objects as decoys or deploy decoy
documents. These tactics employ automation and advanced analytics to
flag modification to files and automatically prevent the ransomware
encryption process. There are also cloud-based capabilities to launch
unknown processes or applications in a container, which prevents
malicious software or command and control channels from interacting
with an organization's core network.
More traditional technologies at the network level include those
that monitor and block common ransomware methods, such as Remote
Desktop Protocol (RDP), phishing protections, capabilities that limit
access to unknown or risky domains, and Secure Socket Layer (SSL)
decryption to observe and scan content as it traverses the network.
Finally, the traditional capabilities such as Uniform Resource Locator
(URL) filtering, Domain Name System (DNS) security, Intrusion
Prevention Systems (IPS) and sandboxing capabilities provide
protections against many common ransomware tactics, techniques, and
procedures.
Once the proposed ransomware framework's baseline security
standards are established, it will be critical to map those standards
to the specific security capabilities that organizations need to
protect themselves. The creation of framework-aligned ransomware
prevention reference architectures using industry leading technologies,
consistent with the on-going work at NIST's National Cybersecurity
Center of Excellence, would be helpful toward this end.
Finally, these baseline best practices can also serve as a
foundation for a number of potential policy actions to raise the bar of
security across critical infrastructure and Government. To this end,
the RTF report suggests several incentives for entities that
demonstrate a commitment to maturing their capabilities in alignment
with the ransomware framework. For example, the report recommends the
creation of a cybersecurity grant program for States and localities,
where funding to procure ransomware-prevention-focused security
technologies could be unlocked through demonstrated alignment to the
established best practice framework. Dedicated funding--aligned to
strong cybersecurity planning and continuous vulnerability
assessments--will enhance the resilience of State and local information
systems, and provide a much-needed modernization of the security tools
these governments use to prevent ransomware attacks. Opening up
opportunities for multi-State grants will further drive innovation,
security, and efficiency.
Chairwoman Clarke, Ranking Member Garbarino, and distinguished
Members of the subcommittee, thank you again for the opportunity to
testify today. I look forward to answering any questions you may have.
Chairwoman Clarke. Thank you. I now recognize Megan Stifel
to summarize her statement for 5 minutes.
STATEMENT OF MEGAN H. STIFEL, EXECUTIVE DIRECTOR, AMERICAS,
GLOBAL CYBER ALLIANCE
Ms. Stifel. Chairwoman Clarke, Ranking Member Garbarino,
Members of the subcommittee, thank you for the opportunity to
testify today on the growing threat ransomware poses to our
homeland and National security. My name is Megan Stifel and I
am the executive director, Americas, at the Global Cyber
Alliance, an international nonprofit organization dedicated to
providing practical solutions to reducing cybersecurity risks.
Like John, I appear before you today as co-chair of the
Ransomware Task Force, a group of more than 50 organizations
that convened with the Institute of Security and Technology and
gathered over the past 4 months to develop a comprehensive
framework to reduce the risk of ransomware. Last week the task
force published a report outlining 5 priority recommendations
to achieve 4 goals, as noted with a series of 48 total
recommendations. I will focus my testimony today on 3 of these
recommendations.
First, the need for a coordinated international diplomatic
and law enforcement effort to prioritize ransomware, supported
in the United States by a whole-of-Government strategy.
Second, the need for enhanced information to support and
enable this effort, including the development of a ransomware
framework to help organizations better prepare for and respond
to ransomware.
Third, the establishment of cyber response and recovery
funds and other assistance to support ransomware response and
other cybersecurity activities.
As the Members of the subcommittee well know, the scope and
scale of ransomware has grown exponentially over the past year.
Payments in the $40,000 range in 2019 quadrupled to $170,000 on
average in 2020. Recent reports indicate that some payments
have stretched to the millions while demands have stretched to
the tens of millions. But as also noted, not the size of
payments just grew, but also the number of organizations
targeted. Twenty-four hundred U.S.-based Government health care
facilities and schools were known to have been targeted in 2020
by ransomware. The actual number who were affected potentially
may be much higher.
In addition to holding access to data hostage, ransomware
hackers now threaten to publish the data they obtained from the
victims' networks. According to one report in the fourth
quarter of 2020, 70 percent of reported ransomware attacks
threatened to release the data. Ransomware is, plain and
simple, 21st Century extortion.
These figures illustrate that in just a few years
ransomware has grown from a nuisance to a National security
threat. Organizations around the world have been targeted, but
as has also been well established, ransomware actors operate
from safe havens, countries whose governments are mostly
unwilling as well as unable to assist in efforts to bring them
to justice. As such, without significantly limiting the
ransomware attack at scale, there is little guarantee it will
not simply emerge elsewhere, presenting an on-going risk to the
global community.
The Ransomware Task Force convened in order to address this
growing international challenge. Its breath influenced the task
force's first priority recommendation. Specifically, the
coordinated international diplomatic and enforcement efforts
make clear that ransomware is an international and National
security and law enforcement priority, and that an
international coalition be established to combat it.
Governments must also develop comprehensive, resourced
strategies that use both carrots and sticks to reduce the
number of countries providing safe havens. But as the task
force's other recommendations make clear, governments must also
work collaboratively together and with the private sector to
share information, jointly investigate, and bring these actors
to justice or otherwise eliminate their ability to operate with
impunity.
For the United States, the task force recommends that this
effort be led by a whole-of-Government strategy out of the
White House. This strategy should also include a Ransomware
Task Force to coordinate a Nation-wide campaign against
ransomware and identify and pursue opportunities for
international collaboration. This task force should also
collaborate closely with private-sector organizations that can
help defend and disrupt ransomware operations, such as security
vendors, platforms, ISAOs, and cybersecurity nonprofits.
Second, better information is necessary to enable this
collective international action. It is important to emphasize
we are not talking about more information sharing of indicators
of compromise. Both the scope and quality of information must
improve. For example, IOCs should be tied to ransomware
incidents and this information must get quickly into the hands
of those who can use it within the Government as well as
outside it. IOCs must also be supplemented with additional
information, including payments.
Better information, however, is necessary, but insufficient
to fully combat this threat. Organizations, both their
leadership as well as their operational--in operational roles
need to understand that ransomware is a real and relevant
threat. They need better guidance on how to prioritize
mitigation efforts, especially given their limited resources.
To address this gap, the task force recommends that a
framework be developed to help organizations better prepare for
and respond to ransomware attacks, together with materials to
support framework implementation such as tool kits and other
how-to resources. The Global Cyber alliance, and other
organizations, I am sure, is ready to add such guidance to our
existing resources to assist organizations in reducing their
risk.
Finally, additional resources for implementation are
essential to the success of the ransomware framework and
through it the disruption of the ransomware business model. The
task force, therefore, recommends that governments establish
response and recover funds. The task force believe the ability
of these funds will help reduce the number of victims electing
to pay the ransom demand. As an incentive, organizations could
be required in order to access such funds to demonstrate a use
of the ransomware framework to ensure a commitment to a
baseline level of cybersecurity.
In addition, the task force recommends that more grant
funding be available. For example, Homeland Security
Preparedness Grants could be expanded to address cybersecurity
threats.
On a personal note, I would like to emphasize the
importance of these grants. A dollar spent to prevent crime
will be more effective than a dollar spent to recover from it.
In closing, I want to highlight the essential role
nonprofits played in developing the task force's
recommendations and that they can play in their implementation.
Nonprofits develop policy recommendations, support information
sharing, and, in the case of GCA, provide guidance on the
implementation of established cybersecurity best practices,
including to combat ransomware. The task force offered a range
of actions that could be taken building on these capabilities
to stem the burgeoning ransomware threat.
Nonprofits depend on contributions from a range of
stakeholders to fulfill their unique and important roles. Now
more than ever it is critically important that all stakeholders
take collective action to combat this threat.
Thank you again for the opportunity to testify today. I
welcome your questions.
[The prepared statement of Ms. Stifel follows:]
Prepared Statement of Megan H. Stifel
May 5, 2021
Chairwoman Clarke, Ranking Member Garbarino, Members of the
Subcommittee on Cybersecurity, Infrastructure Protection, and
Innovation, thank you for the opportunity to testify today on the
growing threat ransomware poses to our homeland and National security.
My name is Megan Stifel, and I am the executive director, Americas,
at the Global Cyber Alliance (GCA). GCA is an international nonprofit
organization dedicated to providing practical solutions to reduce
cybersecurity risk. I appear before you today as a co-chair of the
Ransomware Task Force, convened by the Institute for Security and
Technology, and comprised of over 50 organizations that gathered over
the past 4 months to develop a comprehensive framework to reduce the
risk of ransomware. Last week the Task Force published a report
outlining its recommendations, including 4 goals and 5 priority
recommendations, with a series of supporting actions constituting 48
total recommendations. The priority recommendations include the need
for sustained, coordinated collective action among governments,
industry, academia, and nonprofits to meaningfully reduce the
ransomware threat.
I will focus my testimony today on 3 of these priority
recommendations. First is the need for a coordinated, international
diplomatic and law enforcement effort to prioritize ransomware,
supported in the United States by a comprehensive whole-of-Government
strategy. Second is the need for enhanced information to support and
enable this effort, including the development of a ransomware framework
to help organizations better prepare for and respond to ransomware. And
third is the establishment of Cyber Response and Recovery Funds and
other assistance to support ransomware response and other cybersecurity
activities.
As Members of this subcommittee know well, the scale and scope of
the ransomware challenge has grown exponentially over the past year. In
2019 the average ransomware payment was $43,593; by the end of 2020 it
had quadrupled to $170,696.\1\ Recent reports indicate some payments
have stretched to the millions, while demands have reached the tens of
millions.\2\ But not just the size of ransom payments grew, so too did
the number of organizations targeted, including hospitals and schools.
In 2020, nearly 2,400 U.S.-based government, health care facilities,
and schools were known to have been targeted with ransomware,\3\ with
the actual number affected potentially much higher. In addition to
holding access to data hostage, ransomware actors are now threatening
to publish data they have obtained from the victim's networks.
According to Coveware, in the third quarter of 2020, 50 percent of
ransomware attacks involved a threat to release data. That figure rose
to 70 percent in the fourth quarter of 2020. Ransomware is plain and
simple 21st Century extortion.
---------------------------------------------------------------------------
\1\ Coveware, ``Ransomware Payments Fall as Fewer Companies Pay
Data Exfiltration Extortion Demands,'' February 1, 2021, available at:
https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020.
\2\ CNBC, ``The extortion economy: Inside the shadowy world of
ransomware payouts,'' April 6, 2021, available at: https://
www.cnbc.com/2021/04/06/the-extortion-economy-inside-the-shadowy-world-
of-ransomware-payouts.html.
\3\ Emsisoft Malware Lab, ``The State of Ransomware in the US:
Report and Statistics 2020,'' January 18, 2021, available at: https://
blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-
and-statistics-2020/.
---------------------------------------------------------------------------
These figures illustrate that in just a few years ransomware has
grown from a nuisance to a National security threat. And it is not just
a problem for the United States. Organizations around the world have
been targeted by ransomware.\4\ As has also been well established,
these threat actors operate from safe havens, countries whose
governments are mostly unwilling as well as unable to support efforts
to bring them to justice. Given the size of this threat, reducing its
impact in one country is not possible without the assistance of others.
Likewise, even if the United States and partner nations reduce
ransomware in their own jurisdictions, without significantly limiting
this threat at scale, there is little guarantee it will not simply
emerge elsewhere, presenting an on-going risk to the global community.
---------------------------------------------------------------------------
\4\ Sophos, ``The State of Ransomware 2020,'' May 2020, available
at: https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-
papers/sophos-the-state-of-ransomware-2020-wp.pdf.
---------------------------------------------------------------------------
an international, collaborative effort must form to reduce the
ransomware threat
The Ransomware Task Force convened to address this growing
international challenge. The breadth of the challenge informed the Task
Force's first priority recommendation. Specifically, coordinated
international diplomatic and enforcement efforts must make clear that
ransomware is an international national security and law enforcement
priority and that an international coalition should be developed to
combat it. Governments should also develop a comprehensive, resourced
strategy that uses both carrots and sticks to reduce the number of
countries providing safe havens. In doing so, governments can build on
the 2020 G7 finance minister's statement in further signaling publicly
the urgency of this threat. But as the Task Force's other
recommendations make clear, governments must also work collaboratively
among themselves and with the private sector to share information,
jointly investigate, and bring these actors to justice or otherwise
eliminate their ability to operate with impunity.
For the United States, the Task Force recommends that this
collective and collaborative action be driven by a whole-of-Government
strategy, led by the White House. Such a strategy should also include a
Joint Ransomware Task Force to coordinate an on-going, Nation-wide
campaign against ransomware and identify and pursue opportunities for
international cooperation. This joint interagency task force should be
empowered at the appropriate levels to use all instruments of National
power, and it should prioritize ransomware threats to critical
infrastructure. In conducting its work, the interagency task force
should also collaborate closely with relevant private-sector
organizations that can help defend against and disrupt ransomware
operations, such as security vendors, platform providers, information
sharing and analysis organizations, and cybersecurity nonprofits.
The Task Force further recommends the development of a Ransomware
Threat Focus Hub that can also support existing, informal efforts. The
Hub can serve as a central, organizing node for informal networks and
collaboration of a sustained public-private anti-ransomware campaign.
In addition, to support the Hub's and its participants' ability to
disrupt the ransomware life cycle, the Task Force also recommends that
the Departments of Justice and Homeland Security provide further
clarity on the scope of defensive measures entities may undertake
pursuant to the Cybersecurity Information Sharing Act of 2015.
the scope and quality of information about ransomware must improve
In order to develop and support this international strategy and its
domestic elements, and through such a strategy eliminate safe havens,
members of the Task Force believe that better information is necessary
to enable this collective action. It is important to emphasize that
this is not just more information sharing of cyber threat indicators,
or indicators of compromise (IOCs), as they are also called. Both the
scope and quality of information must improve. For example, IOCs should
be tied to ransomware incidents, and this information must get into the
hands of those who can use it--within the government as well as outside
it. IOCs also need to be supplemented with additional information about
ransomware incidents, including payments.
Due to the limited and inconsistent nature of information about
ransomware incidents, the Ransomware Task Force also recommends that
national governments encourage organizations that experience a
ransomware attack to voluntarily report the incident. Furthermore, the
Task Force recommends that should a victim elect to pay the ransom they
be required to share details with the government in advance of such
payment. At a minimum, the notification should include the ransom date,
demand amount, and payment instructions (e.g., wallet number and
transaction hashes). Gathering and analyzing this information is
essential not just for law enforcement but also for incident responders
and insurers, who can deploy additional analytic tools that may help
cybersecurity firms prevent the next incident as well as allow insurers
to pursue payment recovery, including through subrogation.
This information is necessary but insufficient to fully combat this
threat. Organizations, both their leadership as well as those in
operational roles, need to better understand that ransomware is a real
and relevant threat and have better guidance on how to prioritize
mitigation efforts given limited resources. To address this knowledge
gap, the Task Force recommends that a framework be developed to help
organizations better prepare for and respond to ransomware attacks,
together with materials to support framework implementation such as
tool kits and other how-to resources. Importantly, this framework
should include customized recommendations based on each organization's
current capacity to implement the recommendations. Following the
success of the Cybersecurity Framework, the Task Force recommends that
the National Institute of Standards and Technology convene an effort to
develop this ransomware framework, in collaboration with international
counterparts. The development of tool kits and other how-to materials
are a necessary complement to ensure wide-spread adoption of the
ransomware framework. GCA (and other organizations, I am sure) is ready
to add such guidance to our existing resources to assist organizations
in reducing their ransomware risk.\5\
---------------------------------------------------------------------------
\5\ Global Cyber Alliance Blog, ``Combatting Ransomware: A Call to
Action,'' April 29, 2021, available at: https://
www.globalcyberalliance.org/combatting-ransomware-a-call-to-action/.
---------------------------------------------------------------------------
establishing response and recovery funds and expanding grant
availability can support victims and disrupt the ransomware business
model
Resources for implementation are essential to the success of the
ransomware framework and through it the disruption of the ransomware
business model. To address this need, the Task Force recommends that
governments establish Response and Recovery Funds. These funds should
cover the cost, for example, of restoring systems for victims that
serve essential functions including local governments as well as
critical national functions. The Task Force believes that the
availability of these funds will help reduce the number of victims
electing to pay the ransom demand. As an incentive for organizations to
invest in cybersecurity, governments could consider requirements to
access the fund, such as demonstrating use of the ransomware framework
to ensure a commitment to a baseline level of cybersecurity.
In addition, the Task Force recommends that more grant funding be
available to use for cybersecurity. For example, Homeland Security
Preparedness Grants could be expanded to address cybersecurity threats.
Additional grants, along the lines established by the Help America Vote
Act, could also be made available to States through which they could
manage delivery of funds to municipalities. Not only would these
investments reduce cybersecurity risks, they will also enhance State,
local, Tribal, and territorial resilience as upgrading software and
hardware are often the most cost-effective security investments
organizations can make. As with Response and Recovery Funds, access to
these grants could be conditioned upon demonstrated alignment with the
ransomware framework following its development. Elements of the State
and Local Cybersecurity Improvements Act, which passed the House of
Representatives last session, could serve as a baseline effort to
address these recommendations.
On a personal note, I'd like to emphasize the importance of these
grants. A dollar spent to prevent a crime will be more effective than a
dollar spent to recover from it. Moreover, some grant funding should be
focused on prevention mechanisms that can be used by many and work at
scale rather than requiring every grantee to reinvent the wheel.
conclusion
Combating ransomware is important because it is threatening large
sections of the U.S. and global economy including health care services
and schools. Left unchecked, its rapid growth is threatening national
security, and payments associated with it are supporting a number of
societal harms including human trafficking and the development of
weapons of mass destruction. To combat this challenge, the Ransomware
Task Force believes that the previously described recommendations
together with other actions detailed in its report will, when
implemented collectively, significantly reduce ransomware in the coming
years.
In cybersecurity it is not often the case that one player can also
fulfill another's role--we each have unique roles and bring unique
capabilities. The Task Force offered a range of actions that could be
taken building upon these unique capabilities, including with nonprofit
resources, to stem this burgeoning threat. In closing, I want to
highlight the essential role nonprofits played in the development of
the Task Force's recommendations and that they can play in its
implementation. Nonprofits may develop policy recommendations, support
information sharing, and in the case of GCA, provide guidance on the
implementation of established cybersecurity best practices including to
combat ransomware. Nonprofits depend on contributions from a range of
stakeholders to fulfill their unique and important roles. What is most
important is that more action be taken by all stakeholders.
Thank you again for the opportunity to testify today. I welcome
your questions and comments.
Ms. Rice. Thank you for your testimony. I now recognize Mr.
Goulet to summarize his statement for 5 minutes.
STATEMENT OF DENIS GOULET, COMMISSIONER, DEPARTMENT OF
INFORMATION TECHNOLOGY, AND CHIEF INFORMATION OFFICER, STATE OF
NEW HAMPSHIRE, AND PRESIDENT, NATIONAL ASSOCIATION OF CHIEF
INFORMATION OFFICERS, TESTIFYING ON BEHALF OF THE NATIONAL
ASSOCIATION OF CHIEF INFORMATION OFFICERS
Mr. Goulet. Thank you, Chairwoman Clarke, Ranking Member
Garbarino, distinguished Members of the subcommittee, for
inviting me today to speak on the cybersecurity challenges
facing----
Ms. Rice. Can everyone hear? Mr. Goulet? Mr. Goulet? Can
you either get closer to the microphone? We are having a hard
time hearing you.
Mr. Goulet. Better?
Ms. Rice. Yes, if you could just speak up, that would be
great.
Mr. Goulet. Thank you, Chairwoman Clarke, Ranking Member
Garbarino, distinguished Members of the subcommittee, for
inviting me today to speak on the cybersecurity challenges
facing State and local governments. As commissioner of the
Department of Information Technology in New Hampshire and the
president of NASCIO, I am grateful for the opportunity to
discuss cybersecurity, efforts to mitigate ransomware attacks,
as well as highlight the vital role that State information
technology agencies play in providing critical citizen
services, ensuring the continuity of Government.
Cybersecurity has remained the top priority for State CIOs
for the past 8 years. My State and across the country we are
observing a shift among Government leaders treating
cybersecurity as a continuity of Government issue. But while we
used to be concerned with theft of data and personally
identifiable information, the nature and scope of cyber attacks
today are aimed at crippling the functioning of our Government.
Recent attacks on water treatment facilities and hospital
systems have shown us how these incidents have progressed from
digital consequences to sophisticated strikes designed to
threaten the health and safety of our Nation's citizens.
We have observed that ransomware incidents are
disproportionately affecting the LTT part in State, local,
territorial, and Tribal governments. The question of why the
Federal Government is not contributing to the cybersecurity of
the States is straightforward as States are the primary agents
for the delivery of a vast array of Federal programs and
services.
A lack of adequate resources for cybersecurity continues to
be the most significant challenge facing State and local
governments. State CIOs are tasked with additional
responsibility, including providing cybersecurity assistance to
local governments, doing so with shortages in both funding and
cyber talent. The 2020 NASCIO Cybersecurity Study found that
only 36 percent of States and territories have a dedicated
cybersecurity budget and nearly a third have seen no growth in
those budgets.
Almost all CIOs are directly responsible for the
cybersecurity in their State and have initiatives to improve
their cybersecurity posture. These programs are crucial as
Congress considers the implementation of a cybersecurity grant
program for State and local governments. Key elements include a
centralized approach to cybersecurity; adoption of a
cybersecurity strategic plan and framework; development of a
cyber disruption response plan; and implementation of regular
security awareness training for employees and contractors.
For the past decade, NASCIO has advocated for a whole-of-
State approach to cybersecurity. We define this approach as
collaboration among State agencies and Federal agencies, local
governments, the National Guard, the education sector, critical
infrastructure providers, and private-sector partners. By
approaching cybersecurity as a team sport, information is
widely shared and each stakeholder has a clearly-defined role
to play.
My colleagues across the country have significantly
increased our involvement in fighting ransomware, especially
with our local government partner. We have taken on additional
responsibilities and incurred new expenses while continuing to
face an unrelenting cyber threat environment.
I am truly concerned about how crucial IT and cybersecurity
will be funded in coming months and years. While COVID relief
legislation has provided opportunities for some States to
improve their cybersecurity posture, the pandemic has amplified
vulnerabilities in State and local networks.
I know I speak for all of my colleagues around the country
when I say that a dedicated Federally-funded cybersecurity
grant program, like the State and Local Cybersecurity
Improvement Act, is overdue and will strengthen our ability to
defend ourselves from cyber attacks.
Since the Act would also require State legislatures to
match a portion of Federal grant funds, it would provide an
increased incentive for State legislatures to make cyber an on-
going priority in every State's budget.
I look forward to continuing to work with the Members of
this subcommittee in the creation of a program to improve our
cybersecurity. This concludes my formal testimony. I look
forward answering your questions. Thank you.
[The prepared statement of Mr. Goulet follows:]
Prepared Statement of Denis Goulet
Wednesday, May 5, 2021
Thank you, Chairwoman Clarke, Ranking Member Garbarino, and the
distinguished Members of the subcommittee for inviting me today to
speak on the numerous cybersecurity challenges facing State government
that have been amplified during the COVID-19 pandemic. As commissioner
for the Department of Information Technology in New Hampshire and the
president of the National Association of State Chief Information
Officers (NASCIO), I am grateful for the opportunity to discuss
cybersecurity, efforts to mitigate ransomware attacks, as well as
highlight the vital role that State information technology (IT)
agencies have played in providing critical citizen services and
ensuring the continuity of government throughout the current public
health crisis.
state cybersecurity overview and challenges
As president of NASCIO, I am honored to represent my fellow State
chief information officers (CIOs) and other State IT agency leaders
from around the country here today. While some of my testimony will be
based on my experiences as CIO in New Hampshire for the past 6 years, I
will also be providing the members and staff of the subcommittee with
National trends and data from NASCIO's 2020 State CIO Survey and the
2020 Deloitte-NASCIO Cybersecurity Study.
It may come as little surprise to you that cybersecurity has
remained the top priority for State CIOs for the past 8 years. In my
State and across the country, I have seen a palpable shift among
government leadership that IT and cybersecurity are not simply regarded
as a technology problem but a key tenet to the continuity of our
government. While we used to be concerned only with the theft of data
and personally identifiable information (PII), the nature and scope of
cyber attacks today are aimed at crippling the entire functioning of
our government. Recent attacks on water treatment facilities and
hospital systems have shown us how these incidents have progressed from
digital consequences to sophisticated strikes designed to threaten the
health and safety of our Nation's citizens.
The threat environment we face is incredibly daunting with State
cyber defenses repelling an estimated 50 to 100 million potentially
malicious probes and actions every day. State and local governments
remain attractive targets for cyber attacks as evidenced by dozens of
high-profile and debilitating ransomware incidents. The financial cost
of these attacks is truly staggering with a recent report from Emsisoft
finding that ransomware attacks in 2019 impacted more than 960
government agencies, educational institutions, and health care
providers at a cost of more than $7.5 billion.
Lack of adequate resources for cybersecurity has been the most
significant challenge facing State and local governments, even prior to
the COVID-19 pandemic. As State CIOs are tasked with additional
responsibilities, including providing cybersecurity assistance to local
governments, they are asked to do so with shortages in both funding and
cyber talent.
The question of why the Federal Government should be contributing
to the cybersecurity of the States is straightforward as States are the
primary agents for the delivery of a vast array of Federal programs and
services. A lack of budgeting at the State level for cybersecurity is
also a significant impediment. The 2020 Deloitte-NASCIO Cybersecurity
Study found that only 36 percent of States and territories have a
dedicated cybersecurity budget and nearly a third have seen no growth
in those budgets. The study also found that State cybersecurity budgets
are typically less than 3 percent of their overall IT budget, which is
far less than Federal agencies and financial institutions.
NASCIO has long encouraged State government officials to establish
a dedicated budget line item for cybersecurity as a subset of the
overall technology budget. While the percentage of State IT spending on
cybersecurity may be much lower than that of private sector industry
and Federal agency enterprises of similar size, the line item can help
State IT leaders provide the State legislature and Executive branch
leaders the right level of visibility into State cybersecurity expenses
in an effort to rationalize spending and raise funding levels. State
legislation could demand visibility into cyber budgets at both the
State and individual agency levels. In addition, the Deloitte-NASCIO
Cybersecurity study results indicate that Federal and State
cybersecurity mandates, legislation and standards with funding
assistance result in more significant progress than those that remain
unfunded. While we still have a long way to go, I greatly appreciate
legislative efforts by numerous Members of this subcommittee to
encourage State legislators to begin budgeting for cybersecurity.
a whole-of-state approach
More than 90 percent of CIOs are responsible for their State's
cybersecurity posture and policies. In collaboration with their chief
information security officers (CISOs), whose role has expanded and
matured in recent years, CIOs have taken numerous initiatives to
enhance the status of the cybersecurity program and environment in
their States. I believe these initiatives are also fundamentally
crucial as Congress considers the implementation of a cybersecurity
grant program for State and local governments. Some of these key tenets
include: A centralized approach to cybersecurity, the adoption of a
cybersecurity strategic plan and framework based on the NIST
Cybersecurity Framework, the development of a cyber disruption response
plan and the implementation of regular security awareness training for
employees and contractors.
One key initiative is the whole-of-State approach to cybersecurity,
which NASCIO has advocated for over the past decade. We define the
whole-of-State approach to cybersecurity as collaboration among State
agencies and Federal agencies, local governments, the National Guard,
education (K-12 and higher education), utilities, private companies,
health care, and other sectors. By approaching cybersecurity as a team
sport, information is widely shared and each stakeholder has a clearly
defined role to play when an incident occurs. Additionally, many States
who have adopted the whole-of-State approach have created State-wide
incident response plans. According to our 2020 CIO survey, more than 79
percent of State CIOs have implemented a whole-of-State approach in
their States, are in the process of implementing or planning to
implement.
Crucially, numerous State IT agencies are conducting cyber incident
training and incident response exercises with these partners to ensure
they are able to quickly operationalize their incident response plans.
One example of this type of training is the inaugural State-wide Cyber
Summit for Local Governments that we held in New Hampshire earlier this
spring. We had over 250 local government attendees from towns, cities,
counties, and school districts with Federal participants from CISA and
the Secret Service. Regular cyber exercises not only increase cyber
awareness across all levels of the State but foster key relationships
and trust among officials allowing for a more successful and rapid
response when an incident occurs.
In August 2019, more than 2 dozen local governments, education
institutions, and critical infrastructure systems in Texas were struck
by debilitating and coordinated ransomware attacks. However, it was the
successful collaboration and cooperation among Federal, State, and
local officials--a whole-of-State approach combined with a detailed
cyber incident response plan--that prevented these attacks from
succeeding. In fact, as Amanda Crawford, Texas CIO and executive
director of the Texas Department of Information Resources, testified
before the Senate Homeland Security and Governmental Affairs Committee
in February 2020, all impacted entities were remediated within 1 week
after the attacks.
state and local collaboration
As the Texas ransomware attacks illustrate, under-resourced and
under-staffed local governments continue to remain an easy target for
cyber attacks. Due to the combination of a whole-of-State approach to
cybersecurity and the proliferation of numerous high-profile ransomware
attacks across the country, State CIOs have significantly increased
collaboration with local governments to enhance their cybersecurity
posture and resilience. In fact, more than 76 percent of CIOs reported
increased collaboration and communication with local governments in the
last year.
In 2020, NASCIO released a research paper with the National
Governors Association focused on State and local collaboration titled
``Stronger Together.'' As Congress considers the components of a State
and local cybersecurity grant program, I would urge you to incorporate
some of the conclusions from that paper. This includes encouraging
States to continue building relationships with local governments and
helping States raise awareness for IT and cybersecurity services
offered to local governments.
Additionally, Congress should assist State and local governments
with more easily purchasing cybersecurity tools and services through
existing models at the Federal level. Streamlining the procurement of
cybersecurity services would also expedite a currently bureaucratic
process and result in significant cost savings.
partnership with dhs cisa
In terms of partnerships with Federal agencies, I do want to
highlight State IT's growing partnership with the Department of
Homeland Security's Cybersecurity and Infrastructure Security Agency
(CISA). While this relationship is still in its infancy, CIOs and CISOs
appreciate the cybersecurity resources, services, and guidance provided
by CISA. NASCIO has and will continue to support efforts to define
CISA's roles and responsibilities more clearly in assisting State and
local governments. We've also endorsed Federal legislation to increase
CISA's resources within each State. This includes the recent passage
and enactment of S. 3207, the Cybersecurity State Coordinator Act,
which will ensure greater continuity between the efforts of States and
the Federal Government. It will also provide a stronger State voice
within CISA, helping them to better tailor their assistance to States
and localities.
Additionally, NASCIO was a strong advocate of the DOTGOV Act, which
was included in the omnibus Government funding bill signed into law in
December 2020. The DotGov Act transferred ownership of the DotGov
Program from the General Services Administration to CISA, which
officially took place last month, and reinforced the important
cybersecurity aspect of domain registration. I want to praise CISA and
the DotGov Office for their announcement last week to waive all fees
for new DotGov registrations. The $400 annual fee had been a
significant barrier of adoption for local governments, who remain most
vulnerable to misinformation and disinformation campaigns. With less
than 10 percent of all eligible local governments currently on DotGov,
NASCIO looks forward to continuing our work with CISA to better improve
the cybersecurity of local governments. Now more than ever, it is
essential to ensure the American people are receiving accurate and
authoritative information from their Government websites.
dedicated cybersecurity funding for state and local governments
I would again like to reiterate my appreciation to this
subcommittee for its attention to cybersecurity issues impacting State
and local governments. The 116th Congress focused significantly on
these issues and introduced numerous pieces of legislation endorsed by
NASCIO. In particular, I look forward to continuing to work with the
Members of this subcommittee to ensure the passage of a State and local
cybersecurity grant program.
Currently, cybersecurity spending within existing Federal grant
programs, including the Homeland Security Grant Program, has proven
challenging in the face of declining Federal allocations, increased
allowable uses and a strong desire to maintain existing capabilities
that States have spent years building. In fact, less than 4 percent of
all Homeland Security Grant Program funding has been allocated to
cybersecurity over the last decade.
NASCIO urges the reintroduction and passage of the bipartisan State
and Local Cybersecurity Improvement Act, a $400 million annual grant
program for State and local governments to strengthen their
cybersecurity posture. This legislation would require grant recipients
to have comprehensive cybersecurity plans and emphasizes significant
collaboration between CISA and State and local governments. The
legislation would also allow State and local governments to make
investments in fraud detection technologies, identity and access
management technologies and implement advanced cybersecurity frameworks
like zero trust. We would also be able to invest in cloud-based
security services that continuously monitor vulnerabilities of servers,
networks, and physical networking devices.
Passage of the State and Local Cybersecurity Improvement Act would
provide vital resources for State IT agencies, meaning my fellow CIOs
and I would not have to compete against other agencies and States.
Ultimately, a specific cybersecurity grant program would allow us to
better assist our local government partners and address threats from
well-funded nation-states and criminal actors that continue to grow in
sophistication. As I mentioned earlier in my testimony, NASCIO also
supports provisions within this legislation that would ensure State
governments are budgeting for cybersecurity.
We also greatly appreciate the recent passage of the American
Rescue Plan Act (ARP), which includes $350 billion in flexible aid to
State and local governments. While we await guidance from the
Department of the Treasury on allowable expenditures, I believe the ARP
will create significant resources for States to invest in legacy
modernization, cybersecurity improvements, and broadband expansion over
the next 3 years.
conclusion
When COVID-19 spread across the country last March, my fellow State
CIOs and I faced enormous challenges to ensure wide-spread remote work
was manageable and secure. This was made even more difficult in States
that did not have a culture of remote work. Working with our private-
sector partners, we adapted to a nearly universal remote environment
almost overnight.
We expedited lengthy, bureaucratic acquisition processes, deployed
AI-powered chatbots to assist overburdened State agencies and assisted
school districts with virtual learning. We implemented numerous digital
Government initiatives to improve how citizens interact with their
State government websites, a crucially important project as citizens
relied more than ever on State services and authoritative information
sources.
CIOs also implemented COVID-19 testing websites, contact and
exposure notification applications and now, vaccine websites.
In New Hampshire, we have taken numerous measures to improve the
cybersecurity posture of our entire State--including with the education
and health care sectors. New Hampshire recently passed legislation that
mandated the establishment of ``Minimum Standards for the Privacy and
Security of Student and Employment Data.'' Through a cooperation with
the State, our schools have established a Student Data Privacy
Agreement, which participating districts ask vendors to sign, in order
to comply with the ``Minimum Standards.'' We've also furthered our
partnership between the State CISO and the New Hampshire Chief
Technical Officer Council on issues relating to cybersecurity and
privacy.
On the health care front, the New Hampshire Information and
Analysis Center routinely distributes cybersecurity alerts and
advisories to health care entities within New Hampshire from the State
and Federal Government. A recent debilitating ransomware attack on a
hospital system in a neighboring State was also a real awakening for
many hospital operators in New Hampshire. It helped them to understand
that ransomware can have a profoundly destructive impact on their
ability to operate and treat patients, as well as understand that a
centralized approach to cybersecurity is superior to the more
decentralized and permissive approach employed by some organizations.
In closing, as president of NASCIO, I know I speak for all my
colleagues around that country that a Federally-funded cybersecurity
grant program for State and local governments is long overdue. There
can be no doubt that State governments need to change their behavior
and begin providing consistent and dedicated funding for cybersecurity
moving forward. It is my hope that the States will follow the lead of
the Federal Government in this area, especially if grant programs
require them to match a portion of Federal funds. I look forward to
continuing to work with the Members of this subcommittee in the
creation of a grant program to improve the cybersecurity posture for
our States and local governments.
Ms. Rice [presiding.] Thank you for your testimony. I now
recognize Mr. Krebs to summarize his statement for 5 minutes.
STATEMENT OF CHRISTOPHER C. KREBS, PRIVATE CITIZEN, FORMER
DIRECTOR OF THE CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Krebs. Chairwoman Clarke, Congresswoman Rice, Ranking
Member Garbarino, Members of the subcommittee, it is my
pleasure to appear before you today to discuss much-needed
efforts to combat ransomware. Given my recent experience as
CISA director, I remain on a bit of a personal and professional
crusade to raise attention and drive toward disruptive
solutions to this growing National security threat.
I would like to start with why we are here. In 2011, famed
Silicon Valley innovator and entrepreneur Marc Andreessen
famously penned in a Wall Street Journal piece that ``software
is eating the world.'' A decade later, if left unchecked,
ransomware will similarly eat the world. This is not a problem
that is going to go away or solve itself. The last several
years alone show that cyber criminals are not only getting
better, they are diversifying and they are specializing and
they are getting more brazen. To put it simply, we are on the
cusp of a global digital pandemic driven by greed, a vulnerable
digital ecosystem, and an ever-widening criminal enterprise.
The underlying enabling factors for this cyber crime
explosion are rooted in the digital dumpster fire of our
seemingly pathological need to connect everything to the
internet combined with how hard it is to actually secure what
we have connected. Two more recent factors have thrown fuel on
the already smoldering heap: The spread of cryptocurrencies
that enable the transfer of funds largely outside the eyes of
financial regulators and corrupt safe havens that don't mind if
a little crime happens on their turf as long as it brings home
some revenue, directs malicious on-line activities elsewhere,
and has the added benefit of making life more difficult for
strategic adversaries.
It is important to reinforce that cryptocurrency in and of
itself is not a criminal enterprise nor do I currently believe
eradicating or regulating it to the point of uselessness is the
answer. The challenge is to appropriately intervene to avoid
societal harms while fostering a marketplace for technologies
like cryptocurrency where we can both lead in innovation and
maintain a globally competitive edge.
We have seen some glimpses of an appetite to address the
ransomware crisis with the recent announcement of the
Department of Justice ransomware-focused initiative and the
Department of Homeland Security's ransomware 60-day sprint.
These efforts build on prior efforts from the Secret Service,
FBI, CISA, and other organizations. Critically, there are also
indications that the White House is considering a more
strategic approach on the ransomware front soon.
But last week was perhaps the most promising development
with the Ransomware Task Force releasing its report. The task
force identified where the real policy and operational gaps
lie. First, the need for prioritization across the National
security structure. Second, greater ransomware-focused
operational public-private collaboration. Third, chokepoints in
the cryptocurrency payments kill chain. Fourth, in addressing
the challenges facing the cybersecurity insurance industry.
Perhaps the area with greatest need for Government
investment, however, is not necessarily within the Federal
Government, but, as Mr. Goulet pointed out, within our State
and local partners. The idea is simple. We can reduce a tax
surface across State, local, Tribal, and territorial government
organizations in this country by investing in more modern
systems. In doing so, we can improve citizen services for all
Americans, create more tech jobs in our communities, and
continue to invest in today's and tomorrow's technology
innovators. It is a way to defend against today's threats while
investing in a secure tomorrow.
Ultimately, whatever the administration and Congress choose
to do, there is no single solution or silver bullet. No one
organization alone will solve this problem. Much like
confronting election security threats or disinformation more
broadly, there are a range of levers that Government and
industry can pull to achieve positive outcomes.
I would like to thank the committee for holding this timely
hearing. I would also like to thank you for your leadership and
constant enduring support of CISA. I look forward to your
questions.
[The prepared statement of Mr. Krebs follows:]
Prepared Statement of Christopher C. Krebs
May 5, 2021
introduction
Chairwoman Clark, Ranking Member Garbarino, Members of the
subcommittee, it is my pleasure to appear before you today to discuss
much-needed efforts to combat ransomware. My name is Christopher Krebs
and I previously served as the first director of the Cybersecurity and
Infrastructure Security Agency (CISA), leading CISA and its predecessor
organization, the National Protection and Programs Directorate, from
August 2017 until November 2020. Over the last several years, I have
had the pleasure of working with many of you as Members of the primary
oversight committee for CISA and have testified in front of the
committee several times.
It is an honor to appear before this subcommittee to testify about
the threat ransomware poses to countless organizations across this
Nation. Given my recent experience as CISA director, and now as
founding partner of the Krebs Stamos Group, a cybersecurity risk
management consultancy, as well as the Newmark Senior Cyber Fellow at
the Aspen Institute, I am continuing my commitment to improving the
Nation's cybersecurity and resilience.
In 2011, famed Silicon Valley innovator and entrepreneur Marc
Andreessen famously penned in a Wall Street Journal piece that
``software is eating the world.''\1\ A decade later, cyber criminals in
the form of ransomware gangs have come around for their piece of the
action. Considered a low-dollar, on-line nuisance crime only a few
short years ago, ransomware has exploded into a multi-billion-dollar
global racket that threatens the delivery of the very services so
critical to helping us collectively get through the COVID pandemic. To
put it simply, we are on the cusp of a global pandemic of a different
variety, driven by greed, an avoidably vulnerable digital ecosystem,
and an ever-widening criminal enterprise.
---------------------------------------------------------------------------
\1\ Marc Andreessen on Why Software Is Eating the World--WSJ.
---------------------------------------------------------------------------
As we have spent the last several months debating appropriate
responses to Russian and Chinese cyber activities, cyber operations
that most Americans will not see any direct impact, ransomware, on the
other hand, has continued to affect our communities. According to the
2020 Verizon Data Breach Report, Ransomware accounts for 27 percent of
malware incidents, with the highest rate of occurrence in the
education, health care, and Government administration sectors.\2\
---------------------------------------------------------------------------
\2\ 2021 Verizon Data Breach Report, Figure 5., pg 7. Available for
download here.
---------------------------------------------------------------------------
Cyber criminals have been allowed to run amok while governments
have mainly watched from the sidelines, unclear on whether cyber crime
is a National security-level threat. If there was any remaining doubt
on that front, let's dispense with it now: Too many lives are at stake.
We need a different approach, and that shift is needed now. We have
risen to the challenge in the past and can do it again.
the context for the ransomware explosion
The underlying enabling factors for this cyber crime explosion are
rooted in the digital dumpster fire of our seemingly pathological need
to connect everything to the internet combined with how hard it is to
actually secure what we have connected. Two more recent factors have
thrown fuel on the already smoldering heap: The spread of
cryptocurrencies that enable the transfer of funds largely outside the
eyes of financial regulators, and corrupt safe havens that don't mind
if a little crime happens on their turf as long as it brings home some
revenue, directs malicious on-line activities elsewhere, and has the
added benefit of making life more difficult for strategic adversaries.
It is important to reinforce that cryptocurrency in and of itself
is not a criminal enterprise, nor do I think eradicating or regulating
it to the point of uselessness is the answer. Like many other
transformational technology developments, cryptocurrency has likely
crossed a threshold where it is here to stay. In fact, in many markets,
cryptocurrency and similar financial technology developments represent
a promising future for technological innovation. Therefore, the
challenge is to appropriately intervene to avoid societal harms while
fostering a marketplace for technologies like cryptocurrency where we
can both lead in innovation and maintain a globally competitive edge.
Even if software and services were more secure, the allure of a
quick buck and no real repercussions means the forward-looking
prospects for ransomware actors are quite good. But we do not even have
good metrics on how good the market is, as there's no real
clearinghouse of authoritative sources of information on the number of
victims there are. The best source in fact may be to just ask the
criminals themselves (and I'm not going to take their word for it)--
they'll likely offer you cyber hygiene and security advice in their
response.
Ransomware crews have been propelled and professionalized by
commodity malware and specialization across various hacking techniques.
The sophistication of the actors is impressive--it is not just a single
gang running entire operations. Different groups of criminals have
developed focused capabilities or access in different aspects of the
heist and collaborate as they see fit to get the job done. This allows
for a commoditization of the ``kill chain,'' creating further
opportunities to elude law enforcement and dance around international
financial rules and regulations.
And while these gangs have become more sophisticated, governments
have been sluggish in responding in a meaningful way. As a result,
victims are often left to fend for themselves, turning to specialty
incident response firms that have developed a niche industry for
negotiating decryption. The costs of lost productivity, disrupted
operations, inefficiency in markets, and operational recovery likely
far outweigh the dollars siphoned out of the world's economies and
dumped into illicit activities from human trafficking to the
development of weapons of mass destruction. That's right--this malware
has afforded Kim Jung Un's ability to continue to expand his nuclear
arsenal. How is this still only viewed as a cyber crime?
For a few years, I have been stumping for a more coordinated
approach across industry and Government that can bring defenders
together, break the payment chain, and put some consequences on the bad
guys either directly or have their landlords do it. But much like
countering disinformation (and frankly cybersecurity in general),
because of the cross-cutting nature of the problem, spanning different
Government agencies with different authorities, with often competing
priorities and mission sets, National governments to include the United
States have struggled to make meaningful progress.
confronting the growing ransomware national emergency
We have seen some glimpses of appetite to address the ransomware
crisis with the recent announcement of the Department of Justice (DOJ)
ransomware-focused initiative, and the Department of Homeland
Security's ransomware 60-day sprint. This builds on efforts by the
United States Secret Service, the Federal Bureau of Investigation
(FBI), CISA, industry efforts like the National Cyber Forensics and
Training Alliance, among others. Critically, there are indications that
the White House is considering a more strategic approach on the
ransomware front soon.
Ultimately, whatever the administration and Congress chooses to do,
there is no single solution or silver bullet. No one agency alone will
solve this problem. Much like confronting election security threats or
disinformation more broadly, there are a range of levers that
Government and industry can pull to achieve positive outcomes. And
there are past successes in operational collaboration that can be built
on to ensure future success. For example, drawing on the lessons
learned from the Russian efforts to interfere in the 2016 election, a
coalition of agencies, including CISA, the National Security Agency
(NSA), the FBI, and others, built a playbook that first prioritized
effective coordination across Federal, State, and local government
agencies. Second, increasing Federal support and resources to election
security stakeholders to improve defenses and response. And third,
engaging the adversary to learn more about their operations but also
disrupt activities where possible.
The secret sauce to our election security efforts were the clear
acknowledgement that multiple agencies had the ability to contribute to
the ultimate outcome and we all recognized that the greater good was
more important than any individual agency's ``turf'' concerns. The
United States along with our allies need to take a new, more strategic
and coordinated approach to overcoming the emerging National security
emergency posed by ransomware. Similarly, the counter ransomware
``triplet'' includes improving cyber defenses, disrupting the
criminals' business model, and increased coordinated action against
ransomware gangs and their enablers. This strategy will require
Government and the private sector to contribute and commit to
partnering together to break the ransomware cycle.
Improving Defenses
First, we must improve defenses of our businesses and agencies
across all levels of government. Ubiquitous use of multifactor
authentication (MFA) for access to networks can limit credential abuse,
updated and patched systems can prevent actors from exploiting known
vulnerabilities, and a well-practiced incident response plan
accompanied by backed up and off-line systems can enable rapid reaction
and restoration. In many cases, even these straightforward steps are
beyond the reach of many companies or State or local agencies. We need
to rethink both our approach to technology deployment, including MFA by
default, and the Federal Government should consider increasing
technology upgrade grants to States and localities to retire legacy
systems and join the digital transformation.
Disrupting the Ransomware Business Model
Second, we must break the business model of ransomware. Simply put,
ransomware is a business, and business is good. The criminals do the
crimes and their victims pay the ransom. Often it seems easier (and
seemingly the right thing to do from a fiduciary duty to shareholders
perspective) to pay and get the decryption key rather than rebuild the
network. There are 3 problems with this logic: (1) You are doing
business with a criminal and expecting them to live up to their side of
the bargain. It is not unusual for the decryption key to not work. (2)
There is no honor amongst thieves and no guarantee that the actor will
not remain embedded in the victim's network for a return visit later,
after all the victim has already painted themselves an easy mark. (3)
By paying the ransom, the victim is validating the business model and
essentially making a capital contribution to the criminal, allowing
them to hire more developers, more customer service, and upgrade
delivery infrastructure. And, most worrisome, go on to the next victim.
We must address the ransomware business model head on and disrupt
the ability of victims to pay ransom. We need to prioritize countering
ransomware as a Nation. That includes appropriately investing in our
Government agencies and their ability to investigate, disrupt, and
apprehend criminals. We need to do more to understand the ransomware
economy and the various players in the market. And at the points where
cryptocurrency intersects with the traditional economy, we need to take
action to provide more information, more transparency, and comply with
the laws that are already on the books. This includes Kiosks, Over the
Counter trading desks, and cryptocurrency. Last, we don't know enough
about the ransomware economy, as it operates in the shadows. We lack a
clear understanding of the scale of the problem, including the number
of victims of ransomware--the denominator we are trying to improve
against.
There are different ways to do gain better insight into the
ransomware economy, including requiring anyone paying a ransom (as a
last resort, of course) to notify the Government and provide specific
details. There is an alternate model, where to make a payment to an
identified (in this case an officially-sanctioned organization) victims
or their agents must seek a license or similar permission from the
Government prior to making that payment. The Department of Treasury
Office of Foreign Asset Control (OFAC) began down this track last year,
declaring ransom payments to identified entities may be a violation of
economic sanctions laws. Because the identity of the ransomware actor
is not always obvious, the OFAC advisory may have an overall chilling
effect on ransom payments.
More Aggressive Action Against Ransomware Actors
Third, we need more coordinated action against ransomware actors
using the range of authorities available to Federal agencies, as well
as capabilities and rights resident in the private sector. To be clear,
I am not suggesting extrajudicial kinetic actions against ransomware
gangs. However, other authorities available to law enforcement and
military should be on the table, with great care taken not to blur the
lines between the two. Traditional approaches have clearly not been
sufficient to prevent the outbreak of ransomware. More aggressive and
repeated disruption of malware command and control infrastructure, like
the action earlier this year against Emotet, is a good start.\3\ Where
there are clear ties between ransomware actors and State actors or a
potential imminent threat to an event or infrastructure of significance
like a National election, action should be on the table. The private
sector also has options available, as demonstrated by Microsoft's
aggressive policing the abuse of its trademark and source code,
including last fall's operation against Trickbot.\4\ When coordinated
and jointly conducted, private and public sector can make the internet
an inhospitable place for cyber criminals.
---------------------------------------------------------------------------
\3\ Emotet Botnet Disrupted in International Cyber Operation/OPA/
Department of Justice.
\4\ New action to combat ransomware ahead of U.S. elections--
Microsoft On the Issues.
---------------------------------------------------------------------------
Collective Action Against Ransomware
Last week was perhaps the most promising development in the fight
against ransomware, with the Ransomware Task Force releasing its
report.\5\ The Task Force, a collaboration of more than 60 experts in
cyber policy, software engineering, and academia, lays out a
comprehensive set of recommendations that all players in the IT
ecosystem can take. The report is 81 pages packed with evidence,
analysis, and practical/actionable recommendations. It's clear that
they've identified where the real policy and operational gaps lie: The
need for prioritization across the National security structure, for
greater ransomware-focused operational public-private collaboration,
chokepoints in the crypto payments kill chain, and in addressing the
challenges facing the cyber insurance industry.
---------------------------------------------------------------------------
\5\ Combating Ransomware--A Comprehensive Framework for Action: Key
Recommendations from the Ransomware Task Force
(securityandtechnology.org).
---------------------------------------------------------------------------
Perhaps most importantly, the report calls for a coordinated
strategy with real leadership from Government and industry. This is a
critical step forward--a clear commitment to lead from the front, to
ensure the various agencies and actors are working in concert. It's not
just enough for the Government to coordinate itself, it needs to
coordinate priorities, actions, and investments with the private
sector. These actions can include taking disruptive steps against cyber
criminals. Ultimately, the attack surface is not the Federal.
The RTF also calls for standing up an international coalition,
something that has existed principally in law enforcement channels, and
should fold in defensive teams as well as intelligence agencies. We
have shown time and time again that information sharing is most
effective when the people that can act on the information--regardless
of whether they are in industry or in Government--actually have that
information.
The RTF, importantly, calls for additional support to businesses
and Government agencies preyed on by ransomware actors. This support
necessarily includes boosting preventative measures, but also sets out
a set of actions that everyone can take to help victims work through an
attack, and only as a last resort make payments, and even in such an
undesirable event, requiring reporting and tracking. Maybe then we will
get good sense of how big this problem really is and more effectively
build out the tools that are needed to respond on the time scales these
criminals operate on. If the U.S. Treasury is expected to facilitate
incident reporting, identify suspicious activity, coordinate with law
enforcement, and assist private-sector victims all within the window of
the extortion threat, they deserve the tools and resources they need to
move with that kind of agility and speed. The same goes with the FBI
and DOJ officers tasked with executing court orders to seize crypto
wallets, or the team at CISA helping coordinate, respond, or work with
State and Local authorities in advance to better defend their networks.
Without these additional tools and resources, the criminals will
continue to exploit these seams with impunity.
Last, for the RTF's recommendations to really take hold, the
administration and Congress need to start putting together a
legislative package to enable the additional authorities and
appropriations recommended by the group. Again, there is a clear road
map for cyber-related law, recently trail-blazed by the Cyberspace
Solarium Commission, another group that tackled thorny cyber problems
and was able to get dozens of new cyber provisions passed into law. In
fact, there are a range of recommendations that already fit well into
options the Solarium is considering as it continues developing further
legislative proposals.
The Ransomware Task Force should be commended for their work over
the last 4 months. They showed initiative and commitment and have
delivered an actionable road map for helping us get through our current
digital crisis. We have tackled and overcome challenges as great as
this before, we can do it again. I encourage the administration to take
the recommendations on board and implement quickly, together with
private industry, and I similarly encourage the Congress to consider
smart legislative action.
Increasing Funding for State and Local Government Agencies
Perhaps the area with the greatest need for Government investment
is not necessarily within the Federal Government, but within our State
and Local partners. I recently wrote an op-ed on this subject with a
former CISA-colleague, Matt Masterson.\6\ The idea is simple, we can
reduce attack surface across State, local, Tribal, and territorial
Government organizations in this country by investing in more modern,
cloud-based systems. In doing so, we can improve citizen services for
all Americans, create more tech jobs in our communities, and continue
to invest in today's and tomorrow's technology innovators. No, we are
not going to defend our way out of the ransomware problem, but we can
close out many existing vulnerabilities, and gain additional benefits
along the way. It is a way to defend against today's threats, while
investing in a more secure tomorrow.
---------------------------------------------------------------------------
\6\ Congress needs to help modernize our digital infrastructure/The
Hill.
---------------------------------------------------------------------------
As Congress considers and debates various infrastructure investment
packages, I respectfully encourage consideration of cyber and
technology specific funding. Everything we do these days in some way is
somehow enabled by the technologies around us. Even as we have all made
dramatic shifts in the way we see our friends and family, work,
worship, and entertain ourselves in this new pandemic-era, the
underlying infrastructure in our communities may struggle to keep up in
the coming years. The difference between the haves and the have nots
will be even starker, as many Government agencies will see a reduction
in tax revenues due to the economic impacts of COVID.
conclusion
In this era of surging ransomware, modernizing State and local IT
systems is not just good Government--it is a National security
imperative. Investment and support of State and local cyber
infrastructure is an investment in our democracy, our judicial system,
law enforcement, and the privacy and security of our citizens. Our
adversaries allow cyber criminals and their own State-supported hackers
to operate from their own sovereign territory, disrupting citizen
services and stealing money and intellectual property from U.S.
governments and businesses alike. It is time to step up and provide all
partners inside and outside Government with the support and resources
they need to effectively defend themselves.
I would like to thank the committee for holding this timely
hearing. I would also like to thank you for your leadership and support
of CISA. I look forward to your questions.
Ms. Rice. Thank you, Mr. Krebs. Our Chairwoman will be back
in a few minutes, so I think what I am going to do is ask
Congressman Garbarino to begin his 5 minutes of questioning.
Mr. Garbarino. OK. Thank you very much, Congresswoman Rice.
Mr. Krebs, thank you very much. I love that we both used
the silver bullet analogy. That was very good. We have similar
speechwriters, I guess.
You touched about this a little in your opening, but, as
you know, over the past few years there has been a robust
discussion about the need for a State and local cybersecurity
grant program. While no one here will disagree that an increase
in funding is vitally needed, we also need to ensure that these
funds are spent responsibly and in a way that meaningfully buys
down risk. I know you have to have the buy-in from the State
and locals, but can you talk about specifically the role CISA
needs to play in providing the State and local governments with
the cybersecurity guidance and expertise?
Mr. Krebs. Yes, sir. Thank you for that question. I do
think we share some staff perhaps, some of my former staff at
least.
So, I think we should step back a little bit and think
about where we are from a legislative perspective right now.
There is a lot of conversation in both chambers of the Congress
about infrastructure and infrastructure investments. I think
that this is a great opportunity to rethink, at least
strategically, about what an infrastructure investment package
looks like.
Everything we do today in our communities, in our society,
in our economy has some sort of connectivity to it. It has some
sort of attack surface from a cybersecurity perspective. So all
infrastructure investments should include a consideration for
modernizing the underlying IT systems as well as security
aspects of that.
So my concept is let us do a 21st Century Digital
Infrastructure Investment Act that will allow State CIOs and
community CIOs, like Mr. Goulet, not just buy cybersecurity
technologies, but get off some of the dated legacy systems that
they have that, you know, tend to have higher recurring
operations and maintenance costs; that in some cases cannot be
updated and are no longer supported. That was kind-of my point
about it will increase citizen surfaces, it will be more
resilient to attack, it will increase tech jobs in our
communities, and ultimately it will plow money back into U.S.
tech companies, which will keep us at the cutting edge of the
technology sector.
Now, CISA can play a role in advising State and locals, in
helping administer a grant program either within CISA to help
dole out those grant funds or work with an existing State grant
program like over at FEMA and provide that technical expertise.
We have done that in the past. CISA has done that in the past
with some of the State and Homeland Security grant program
fundings. So, there is the expertise there, the mechanisms are
there. I think the infrastructure, so to speak, for a grant
program is in place at CISA as well as at FEMA. So now it is
just a matter of authorizing the program and then providing
sufficient funds.
Mr. Garbarino. I thank you very much for that answer. Mr.
Goulet, would you agree with what Mr. Krebs was saying or would
you like to expand on any other roles that you think CISA could
provide to State and local governments?
Mr. Goulet. Yes. Well, first of all, I wholeheartedly agree
on the legacy system comments. The State of New Hampshire
recently conducted an independent cyber risk--a comprehensive
cyber risk assessment, and the findings came back
overwhelmingly pointing at legacy systems where, you know,
where we found vulnerabilities. In fact, we ended up shutting
down some of our citizen casing systems temporarily while we
mitigate those, and so that actually motivated the agency in
question to, you know, to look harder and prioritize more
effort at addressing that.
We are so happy with the partnership with CISA we have
seen. You know, we love the collaboration and we intend to
continue that and leverage it further and provide our input as
well in terms of, you know, how we can work better together.
So, we very much look forward to that.
Mr. Garbarino. Great. I appreciate that. I have some other
questions, but I will do a quick one because I only have 30
seconds left and it is for everybody and I think it is just a
yes or no, if you can be rapid, and some of you touched on it.
Should ransomware payments be made illegal? The members of the
IST Task Force were conflicted on this.
Jump in whenever you want. Wow.
Mr. Krebs. This is a tough one. I am going to hedge on
this. I would say the minimum--I think we should--payments
should be made at a very last possible resort. If payments are
made, they should in some way be either licensed or logged and
reported to the Government. We, frankly, just don't have the
denominator on all the victims and it is hard to really control
the rest of it from there.
Mr. Garbarino. I appreciate that. Thank you.
Chairwoman Clarke. I thank the gentlelady from New York for
stepping in momentarily on my behalf. We are all juggling
hearings during this time, so I truly appreciate it.
I will now recognize myself for questions. Mr. Goulet,
currently cybersecurity is a permissible use of funds awarded
under the State Homeland Security Grant Program and the Urban
Area Security Initiative. I was pleased to see that Secretary
Mayorkas announced earlier this year that recipients would need
to dedicate at least 7.5 percent of their award toward
cybersecurity.
However, in your testimony, you emphasized that there is a
need for a separate dedicated cybersecurity grant program. Can
you elaborate on why existing grant programs are inadequate for
ensuring State and local governments develop the kind of
comprehensive cybersecurity improvements necessary for
combatting ransomware?
Mr. Goulet, I think you have to unmute.
Mr. Goulet. You know, we applied for grants each time in
New Hampshire. In fact, we have used that grant money to
develop our cyber disruption plan in the State of New Hampshire
that is a strong plan. But around the States, myself and my
colleagues and the CISOs in the States, receive a very small
percentage of the total grant funding that goes through that
program. The amounts that we are able to access are not
adequate to the task.
Chairwoman Clarke. Understood. Ms. Stifel, one of the
recommendations of the Ransomware Task Force is the creation of
response and recovery funds. We have seen similar proposals
from the Solarium Commission and in the President's budget
request. What kind of entities do you believe should be
eligible for assistance under these funds and under what
circumstances and what kinds of expenses would be covered?
Ms. Stifel. Thank you, Madam Chairwoman, for the question.
Yes, we, as you noted, agree that these types of funds need to
be established.
As far as the types of entities that could be recipients or
eligible for these funds, in the first instance I would say
those that we have identified previously in this conversation
today, State, local, Tribal, territorial, as well as
potentially organizations that are providing critical National
functions. Therefore, as I know IT is currently working through
identifying or has identified these essential function
entities, they would also be, in our mind, an eligible
recipient.
As far as types of resources that could be--these funds
could be put to, we have identified and I think I agree with
other panelists who said that the legacy systems are a first
priority. This is particularly the case in light of what we
have been through over the past 18 months--or, excuse me, 14
months with the pandemic. The decrease in taxes that are
funneling to States and, therefore, even more constrained
resources to put toward cybersecurity.
So, we urge that the committee--you know, appreciative of
the committee in putting forward or renewing your legislation
from last session. Thank you.
Chairwoman Clarke. Thank you. General Davis, when we talk
about ransomware we hear about how it is a growing crisis and
we see statistics showing an increasing number of attacks with
larger financial impacts and more disruption. What existing
efforts have you seen that are currently working to defend
against or mitigate the impacts of ransomware? Are there
examples of actions that organizations are taking that are
reducing risk that can serve as a model for others?
Mr. Davis. Thank you, Madam Chairwoman. Yes, I have a
couple of thoughts about that and the fact that doing a lot on
the front end, and even a little bit goes a long way, as we
stated in the report.
So, first of all, I will just say basics matter. In many
cases, increasing security in a few key areas could make a
significant difference in an effort to prepare for attacks.
Complex security software or complete network rebuilds may not
be required. Implementing things that we heard up front by one
of the Congressmen was implementing multifactor authentication
or adopting password managers. Those kinds of things can
dramatically improve an organization's security posture.
Although any organization, regardless of its security,
could be a target for ransomware, improving baseline security
and raising awareness among employees can go very far in
protecting organizations from attack. There are some very basic
human behavior-related actions that can help with the problem
of phishing, which remains one of the most often used initial
access methods for ransomware. So, I mean, just being
suspicious of who is knocking on your digital front door and
not answering it when you weren't expecting the visitor, so to
speak, is a good way to look at some very basic things that can
be done.
In addition, technology, although not the single answer,
can provide some both emerging capabilities as well as legacy
capabilities that can help improve this fight. So there is a
whole array of things that I believe can be used up front in
order to help prevent a lot of what we are seeing from the
ransomware threat in the first place.
Chairwoman Clarke. Thank you very much for your response,
General Davis. I now recognize the gentleman from South
Carolina, Mr. Norman, for 5 minutes.
Mr. Norman. Thank you, Madam Chairwoman, and thank all the
ones that are testifying. I thank you for your time.
Mr. Krebs, I was on a bank board for a number of years and
they had a cyber attack. It was like pulling teeth to get them
to, I guess, let the word out and to get help from others. They
finally corrected it, but 2 questions.
How can we get--and I understand the reason, because their
stock price, the name, you know, their, I guess, relationship
with customers that may be threatened if it had gotten out. But
how do we--in your opinion, what will we do to have them at
least get the word out and get help from a lot of different
factors? This is, what, a $20 billion problem.
Second, when an attack actually occurs, you know, if we
have an emergency, we call 9-1-1. If you need the police, 9-9-
9, you know. If you need an ambulance, you know, we know the
number to call. But what should a company do, No. 1, to get the
word out and get help? No. 2, you know, what do they do when
they are attacked? Because they are kind-of left holding the
bag and not really knowing who to go to or what expert that
could solve the problem. Can you shed some light on that?
Mr. Krebs. Yes, sir. So, I think on your first question how
do we get more organizations leaning forward and being more
transparent about their events, I think things have perhaps
gotten a little bit better in the last couple years, in part
because some of the requirements for publicly-traded companies
to file reports, public reports.
We are also seeing, I think, a new breed or strain of
corporate executives that perhaps have been through enough
events and they recognize that being forthcoming and being
transparent and being straight-up with your customers or
clients actually benefits you in the long run. Really the idea
here is that do you want to be straight-up with your customers
or do you want to hide something from them and then they go
away because they don't trust you? That trust is the coin of
the realm and you have really got to protect that.
So, I think in part we need to explore for at least those
most critical infrastructures, as Megan Stifel mentioned, that
there are some degree of--or some sort of requirements for them
to make notifications at a minimum to the Federal Government
and to law enforcement. But more broadly, we have to continue
to reinforce with our friends in the executive community,
boards of directors, that it is ultimately in their best
interest to be a good corporate citizen and come forth.
On your second piece, how do we get more prepared, well,
that is actually probably the most important part right now. It
goes to what General Davis said about that ounce of prevention,
pound of cure. You know, there is, at least in FEMA, natural
disaster calculations that a dollar invested up front in
mitigation saves you $4 in incident response. The same thing
applies here. The cost of responding to it, even if you pay the
ransom, the cost of responding to a ransomware event are
massive. It is not a guarantee you get everything back. So, it
is all about preparation and planning.
If you do have a bad day, because everybody has a bad day
sometimes, do you know what to do? Do you know how to respond?
Do you have a team on contract? Do you have relationships with
CISA, with the FBI, with the intelligence community where you
can get on top of this thing quickly as soon as you detect it
and shut it down? So it is all about preparation and playbook
planning.
Mr. Norman. OK. Quickly, I guess this will be for anybody,
I don't want to go over my time, but regulations. OMB had a--
GAO had a report that 49 to 76 percent of regulations are
redundant when it comes to cybersecurity. What is your opinion
on that? Again, say if it is problem, getting it cured, do you
go to OMB? Who do you go to?
Mr. Krebs, we will start off with you.
Mr. Krebs. Yes, sir. So, I think we need to look at
different levers we can pull here. The Federal Government has
procurement powers, one of the largest procurers of, for
instance, IT technologies. I think what we are probably going
to see out of the White House with an Executive Order is
increased and enhanced security requirements for software. That
is going to have a trickle-down effect through the rest of the
economy. But I still think that there are specific parts of the
economy, those highest-risk, critical infrastructures, that
have enjoyed an enormous amount of success in the economy and
they have to step up from a corporate citizenship perspective
and apply enhanced security requirements. That is an area to
explore for regulation.
Mr. Norman. Well, I am out of time and I don't want to take
other time, but help us do that. Because you all are in a
position to let us know.
Thank you, Chairwoman Clarke, I yield back.
Chairwoman Clarke. I now recognize Ms. Jackson Lee of
Texas.
Ms. Jackson Lee. Thank you very much, Madam Chair. This is
Congresswoman Sheila Jackson Lee and I just want to make sure
you all can hear me. Thank you to the Ranking Member for
holding this hearing that is crucial and one that we have been
immersed in for those of who have served on this committee for
quite a long time.
To each of the witnesses, very grateful for your
presentations dealing with how we deal with ransomware. I
remember being a Chair of the Transportation, Security, and
Infrastructure Committee, which now is now the Cybersecurity
Committee, and we were talking about the amount of cyber in the
private sector, which at that time was 85 percent versus 15
percent of governments. But what we really had come to find out
is that we all are interrelated.
So, let me focus my questioning. As I do so, let me
acknowledge former Director Krebs of CISA. We are grateful
certainly for your service and regret the fact that your work
as head of CISA ended over your principled stand that the
election was, in fact, a legitimate election and that you had
seen and determined that there was no cyber fraud or any kind
of fraud under your jurisdiction that would have countered the
election of Joe Biden. Principles in Government I think is
crucial and I want to particularly thank you for that.
My work in the 117th Congress has included introducing H.R.
119, the Cyber Defense National Guard Act; H.R. 118, the Cyber
Vulnerability Disclosure Reporting Act; and as well H.R. 57,
the DHS Cybersecurity Asset Protection of Infrastructure Under
Terrorist Attack Logistical Structure Act, which is called the
CAPITALS Act. I hope in this Congress we will be able to pass
these legislative initiatives, in particular because they
really deal with the vulnerabilities of the system at this
time.
I would like to pose to you, Director Krebs, because of
your current past experience, if you will, dealing with this
agency. What I recall is that you were very interested in
standing this agency up and making it stronger. I would be
interested in your understanding of the strength of the
Ransomware Task Force and some of the provisions that it
offered, but in the course of you saying that, I would like to
know what Congress could do to strengthen this agency. I
believe it should be given greater jurisdiction and support
with resources. What ultimate role, how large a role do you
believe the agency should play in combatting ransomware?
We always say that the large amount, as I said earlier, of
this cyber infrastructure is in the private sector. I believe,
however, Government can be very effective in helping to steer
that sector along with their cooperation.
Director Krebs.
Mr. Krebs. Yes, ma'am. Thank you for that and thank you for
the kind words. It certainly was an honor of a career and of a
lifetime to serve as director of CISA. But I will say that I am
incredibly excited for the agency and for the nominee for the
next director, Jen Easterly. I have known her for quite some
time and she is an absolute rock star and she is going to do
great things there, which brings me to your question about what
more can we do here, what more can we do next?
I think the last several years, particularly the National
Defense Authorization Act of 2021 was very beneficial to CISA.
In fact, I just read a letter or an article this morning that
the agency has used its administrative subpoena authorities
recently and that was something that I had asked for last
Congress. It would allow the system to make notifications on
vulnerable systems to IT providers. That is the sort of thing
that can help.
I think ultimately the area that CISA needs the most
support from Congress in that we have seen in the previous
support and we need to expand from here, what I would always
say is the future of CISA is in the field. So, we have now
State-wide coordinators or one in or on the way to at least
every State capital to work with the State CIOs, to work with
the election officials. That is an area that we need to
consider continuing to do. So, we need not just 47 of them, we
may need 150 of them because there is plenty of work out there
for everyone to do.
I also think we need to think about as we resource a grant
program, what additional shared services can CISA provide? We
see CISA providing shared services for the Federal Government
through programs like Continuous Diagnostics and Litigation,
the recently awarded Protected DNS Service, and also the
hardened Cloud environment that CISA is going to provide for
the Federal Government.
Can CISA build a gold image almost Cloud service that
States can use, get some economies of scale, get centrally
monitored and logged? Those are the sorts of game-changing
technologies that I think can really help manage security
better.
Ms. Jackson Lee. Thank you so very much. Thank you, Madam
Chair. Thank you very much. I yield.
Chairwoman Clarke. The gentlelady's time has expired. The
Chair recognizes for 5 minutes the gentleman--I am sorry, the
gentlewoman from Tennessee, Ms. Harshbarger, for 5 minutes.
Ms. Harshbarger. Thank you, Chairwoman Clarke and Ranking
Member Garbarino and all the witnesses. This is something
really alarming. You know, when I read this report, 2,400 U.S.-
based Government health care facilities and schools that were
victims, that is unbelievable.
You know, when I was on another committee here, it seemed
that our own Government, our Federal agencies can be hacked due
to apps and upgrading or updating apps. That is a scary
proposition to know that.
I guess it is just a statement and then I can go to each
one of the Members. As everybody knows, the cyber incident
reporting has been a significant point of interest on
significant cyber incidents. The committee is interested in
better understanding the right combination of mandatory
incident reporting with appropriate incentives.
I guess, Mr. Krebs, I can start with you and open it up to
the whole panel. Should our intelligence and law enforcement
agencies be given carte blanche to take down the networks of
people and organizations perpetuating ransomware?
Mr. Krebs. I think that there is always a set of trade-offs
when you talk about the intelligence community and their
activities. I think they are historically focused on, you know,
the exquisite threats, the intelligence capabilities. But I
think what we are seeing, as evidenced by recent Department of
Treasury sanctions, is that ransomware gangs and foreign
intelligence services are working hand-in-glove. They are in
fact taking direction. Evil Corp was a Russian crew that was
taking direction from the FSB. Those are the linkages that we
really need to explore. That to me I think is what really kind-
of tipped ransomware over into the clear National security
threat. Once you have those linkages, I do think that opens up
additional authorities for consideration by the Title 10 and
Title 50 organizations.
Ms. Harshbarger. Mr. Davis.
Mr. Davis. Congresswoman, I agree with Chris Krebs on this.
I will just tell you from the perspectives of my experience in
Government, including now in the private sector, it is a blurry
world out there in this murky cyber-related business between
state and non-state actors. I believe that states now see an
opportunity to leverage non-state entities in a variety of ways
to fundamentally undermine and gain an advantage over Western
democracies in general, not just the United States. This is in
the area that you have covered in terms of misinformation and
disinformation, but it is also in ways to circumvent sanctions.
These have been through the specific capabilities associated
with ransomware. We have seen various states now that have
begun to embrace this idea of leveraging these other entities,
criminal entities and others, in order to undermine democracy.
I think that what we are seeing is this is just another reason
why the task force has taken the position that you all seem to
agree with, this is now a National security-related threat.
Ms. Harshbarger. Absolutely.
Mr. Goulet.
Mr. Goulet. Well, I think that real time, as we are--our
networks are being hammered by these actors, both, you know,
the nations and the nation-states, as well as other actors. So
the volume of that, if it continues to increase and our
relative investment on the things that we need to do there to
protect ourselves needs to increase. So we are absolutely right
in the middle of that swirling mass of things. I think it is
partly--it has been traditional because the State governments
carry a lot of information that could be useful for our
enemies. Also I think that--you know, there is so much
important stuff happening at the Government level, whether it
is State or local. Like, for--a great example would be, you
know, a computer-aided dispatch that is being shut down by a
law enforcement agency, you know, where that is--you know, or
dispatching for ambulance, that kind of thing, which we have
seen happen. It is really a big deal.
You did mention incident reporting, which I wanted to touch
on. I have legislation pending in New Hampshire that would
mandate incident reporting in, you know, our political
subdivisions to the State so that we can collaborate better. I
have had a couple of occasions where I found out about an
incident in school or a police department from the press versus
from hearing about it and it is not a great way to collaborate.
So I think, you know, going on that theme that, you know,
it is not shameful to have a cyber incident happen to you. In
fact, it has probably happened to almost every agency and we
all need to, you know, be transparent, report, and respond
better.
Ms. Harshbarger. Absolutely.
Well, I think my time is up. I yield back. Thank you.
Chairwoman Clarke. Thank you.
The Chair now recognizes for 5 minutes one of our
preeminent experts in this space, all things cyber, the
gentleman from Rhode Island, Mr. Langevin, for 5 minutes.
Mr. Langevin. Very good. Thank you, Madam Chair, and thank
you for organizing this important hearing today. I want to
thank our witnesses for your testimony and great contribution
to our efforts to try to better protect the country in cyber
space and get around here on this vexing problem.
So I wanted to begin of course by congratulating General
Davis and Ms. Stifel and all the co-chairs of their Ransomware
Task Force for the report. I believe it is an important
document and a fine example of industry self-organizing to put
forth important policy recommendations.
This is an issue--cyber is something the Government can't
solve on its own, private sector can't solve on its own, and it
really needs to have that public-private partnership. It is
great to see you acting as a resource.
So let me begin--and I also of course want to thank Former
Director Krebs for being here today. I want to echo the
comments of my colleague from Texas in thanking you for your--
certainly your service at CISA and especially securing our
elections.
But so, Mr. Krebs, in your testimony you referenced the
work of the this Solarium Commission as a model for making
these recommendations a reality. One of the recommendations we
got done last year--no small thanks to--no small part I should
say--thanks to your help in so many in creating a Joint Cyber
Planning Office at CISA. What role do you see for the JCPO in
Ransomware Task Force recommendations?
Mr. Krebs. So thank you for that, and good to see you
again. As we heard from the Ranking Member, you know, twice in
24 hours is a pretty good streak here.
What needs to be done within the Federal Government right
now, and this is frankly one of my greatest frustrations over
the last 4 years, is we needed a strategic approach to
countering ransomware given the fact that there are a multitude
of agencies that have an authority, a lever, or some sort of
influence they have over the problem set.
So let us begin with the White House National Security
Council stating that this is going to be a National security
imperative to counter ransomware. So with that stage set you
can declare whatever the policy is and then turn it over to an
operational piece. There are a couple of operational pieces
that already exist. You have the National Cyber Investigator
Joint Task Force that the FBI hosts that runs campaigns, you
have the National Cyber-Forensic and Training Alliance in
Pittsburgh that also does some information sharing, but I think
again we need to bring together the broader set of authorities
from law enforcement to civil defensive agencies, civilian
agencies, the IC and the Department of Defense. The JCPO could
play a role there to coordinate operations.
Mr. Langevin. Thank you. I appreciate the answer. I
strongly support leveraging the JCPO to coordinate this kind of
campaign planning in coordination with the National Cyber
Director. I have been briefed several times by the Executive
Assistant Director Goldstein on the stand up of the JCPO. I
certainly believe it will be well-positioned to coordinate a
whole-of-Government effort.
So let me turn next to Ms. Stifel and General Davis. This
subcommittee focuses a lot on CISA's Federal network defense
role and we have closely monitored the Federal response to
SolarWinds. However, CISA has a much broader responsibility to
coordinate protection of critical infrastructure that I am
concerned are significantly under-resourced.
So the Cyberspace Solarium Commission has recommended
increasing CISA's funding by $400 million next year to help
increase operational capacity to address threats like
ransomware. Do you support such an increase and do you believe
it falls in line with the Task Force report?
General Davis, I want to start with you and then Ms.
Stifel.
Mr. Davis. Sure, Congressman.
I don't know about the specifics of it from a Task Force
perspective. I do know that we--that the Task Force report
specifically speaks about the role of DHS in a number of
different areas. I believe there are, if I have it right, 10 of
the recommendations across each of the 4 main--you know, deter,
disrupt, repair, and respond--functions have what we recommend
is a role either as a leading role or a supporting role for
DHS. So in order to do this, you know, DHS and CISA
specifically have really an over-sized role and they need the
support--adequate support in terms of skills, capability,
capacities, and authorities.
So I would--I don't know what the right answer is, but I do
believe that in order for DHS, and CISA specifically, to pick
up the roles and responsibilities that we are recommending in
these 10 various recommendations, it appears we are going to
require commensurate resources, and that will be above and
beyond what they currently have today.
Mr. Langevin. Thank you. I know my time has run out, but,
Ms. Stifel, do you have anything briefly?
Ms. Stifel. I would agree with John. Thank you,
Congressman, for the question. I do agree that additional
resources are necessary for CISA to step into and mature into
the organization that it needs to be in order to better protect
the homeland.
Mr. Langevin. Agreed. Thank you all. Appreciate that.
I yield back.
Chairwoman Clarke. Thank you, Congressman.
The Chair now recognizes for 5 minutes the gentleman from
Georgia, Mr. Clyde.
Mr. Clyde. Thank you, Chairwoman Clarke, and Ranking Member
Garbarino, for holding this very important hearing.
In my district, though we are mostly a rural district, we
had a very detrimental attack that occurred to a local
manufacturing company, called ASI. That ransomware attack
completely shut them down for almost 6 weeks. Though the ransom
was only $100,000 in bitcoin, it cost them over a million
dollars in hard cash to replace their systems in order to
recover. So this a very, very serious issue, not just for
Government entities, but for commercial entities as well.
So my question goes to Mr. Krebs here. I was reading in the
ransomware guide, which I thought was a pretty amazing
document, that CISA offers a no-cost vulnerability scanning
service and other no-cost assessments. So I followed the links
in the guide to a document that further explained these no-cost
cyber hygiene services, what they were, and they included
vulnerability scanning, web application scanning, phishing
campaign assessment, and remote penetration scanning, which I
thought was very outstanding. From what I have read they are
available to all agencies, Federal, State, local, Tribal, and
territorial, as well as public and private-sector critical
infrastructure organizations.
So 2 things here quickly, how does CISA get this guide out
and get the word out on these services, which I think are
phenomenal? Can you explain how an entity would sign up for
them? Then how would you also determine what a critical
infrastructure entity is in the private sector?
Thank you.
Mr. Krebs. Yes, sir.
So what you have highlighted here was one of my biggest
concerns. There is a great deal of technical acumen and
expertise at CISA, really good cyber expertise. Marketing on
the other hand was never a real area of strength. That goes
back to my earlier point of the future of CISA is in the field.
One of the greatest ways that--the best ways to engage with our
stakeholders, which are not all the time, at least in the
Beltway, is to get out there and mingle in their community. As
a Georgia native I know your district quite well, spent a lot
of time up there playing sports and all that good stuff. But we
would need somebody that would be in that area that would be
meeting with the State and local representatives, that would be
meeting with the critical infrastructure. Then just from a
critical infrastructure perspective, we tend to know what the
riskiest stuff is out there, but a lot of it is self-selection.
Again, it is marketing, marketing, marketing. It is customer-
centricity, it is getting out there with constant engagement
and asking what do you need.
Mr. Clyde. OK. Great. Thank you.
The question about what determines whether an entity in the
private sector is critical infrastructure or not, do you guys
make that determination yourself, or is there something that
you go on, a definition that you go on?
Mr. Krebs. So critical infrastructure in the United States
is anything from banks to bridges, schools to sewers. It is a
broad categorization that would lead an organization into a
partnership, a voluntary partnership with CISA.
There are critical infrastructures that at greatest risk
can be identified and tagged by CISA. There is no, you know,
regulatory requirement necessarily that goes along with that,
but it tends to be a self-sorting mechanism that brings
organizations in to work with us.
Mr. Clyde. OK. If any private-sector organizations choose
to work with you, I assume that CISA gives them the complete
confidence that any data that they share, anything that is--is
held in complete confidence with CISA.
Mr. Krebs. We have a pretty good track record. Yes, sir. Or
at least as I was there prior, of not sharing or leaking or
disclosing information about partners. There are some
regulatory protective measures, the Protected Critical
Infrastructure Information Program that actually has criminal
penalties on Federal employees that disclose information.
Mr. Clyde. OK. That is great to know. Thank you.
One last question, you made a comment about chokepoints
across the cryptocurrency. Because I think cryptocurrency, you
know, it is a common denominator in all ransomware, because
that's how they get paid.
So can you talk a little bit about chokepoints? How we can
improve chokepoints maybe and make cryptocurrency harder for
people to use anonymously?
Mr. Krebs. Well, so I think the way I would characterize it
is you have the up points of leverage where the cryptocurrency
economy intersects with the conventional economy. It is in
kiosks, it is over the counter desks, it is exchanges. Any time
that you are taking bitcoin, you are buying bitcoin, or trading
it out, those are areas that you can actually say, look, you
have to comply with financial regulations, know your customer,
anti-money laundering. The Task Force does a fantastic job of
laying out some of those issues.
The thing that we have to be careful about is
cryptocurrency is one of those technologies that has crossed
the threshold in my view. It is here to stay. In fact, there
are other emerging--you know, in China cryptocurrency is way,
way, way ahead of where we are in the United States. If they
are likely--it is going to be, you know, the future of
financial transactions. So rather than cut it off and strangle
it, we need to figure out how to get the outcomes we want,
positive societal outcomes, while reducing and minimizing. I
think that is the area that Congress needs to spend a lot of
time policy-wise thinking about.
Mr. Clyde. Thank you very much.
Chairwoman Clarke. The gentleman's time has expired. Thank
you. Thank you for your questions, Mr. Clyde.
The Chair now recognizes for 5 minutes the gentlewoman from
New York, Ms. Rice.
Ms. Rice. Thank you so much, Madam Chair.
I do hope that we take the recommendations that the
Ransomware Task Force made and incorporate it into some kind of
legislation as quickly as possible because what I am hearing
from both sides of the aisle during this hearing is that the
recommendations are good, especially, you know, making the
United States lead by example and execute a sustained,
aggressive, whole-of-Government, intelligence-driven, anti-
ransomware campaign that is coordinated by the White House in
the 4 ways they--or the 3 ways that they mentioned because that
is critical. We have to have one mission, we have to have a
specific way to execute that.
Mr. Krebs, just a couple of questions that I would like to
direct to you. There were 560 ransomware attacks on U.S. health
care facilities in 2020 in the middle of this pandemic. I am
sure that you would qualify health care facilities as critical
infrastructure. I would just like to get your opinion on what
we can do to ensure--and, by the way, the pandemic I think made
clear that there is a fundamental connection between strong
public health infrastructure and strong National security. So I
want, you know, your thoughts on that.
In my district in 2019 as part of an attack that targeted
several school districts around Long Island and New York, 2
school districts in my district were targeted by cyber
criminals and had all of their data held for ransom. One
district had all of its data backed up off-line and didn't need
to make the ransom payment to the attackers, but unfortunately
the other was forced to pay nearly $100,000 to regain access to
its data.
I guess they would be going back to do you criminalize the
payment of ransomware, but also is there best practices that
say school districts--like one of them knew to keep this stuff
off-line, the other did not and had to make the payment. What
are your thoughts on that?
Also I just really wanted to get into the cryptocurrency
issue again. I mean we have been talking about this--in all my
years on Homeland Security, talking about cryptocurrency and
the use of cryptocurrency by terrorists, but now it is becoming
much more accepted and daily used form of payment for not just
terrorists, but here we are with ransomware and, as you say,
every day in China and it is going to become much more
ubiquitous.
So your thoughts on that as well.
Mr. Krebs. OK. So, OK, there is bitcoin, there are schools,
and there are hospitals. On the hospitals point, in the middle
of COVID, your number 560, that is at least what we know. One
of the biggest problems we have right now in cyber crime and
ransomware specifically is we don't actually know--we don't
have confidence and granularity on the actual denominator
because there is a lot of lack of reporting. So we need to work
through how do we get a better fidelity on the numbers of
actual victims. So the Ransomware Task Force had some
recommendations on requirements for paying for ransom. Because,
you know, school setting is an opportunity is for CISA and the
Department of Education, both at the Federal and the individual
State levels, to work together to develop best practice and
guidance. I think that is under way over the last several
months to pull that together.
Last, happy to come in and bring some experts in to talk
about Bitcoin, but this is--or cryptocurrency, rather, more
broadly. Again, we need to think about, you know, boosting
innovation and reducing the harms.
Last point I want to make here though is that based on my
experience in leading CISA, the budget process and the
appropriations process is critically important on seeking the
outcomes that you want as Congress. When you dedicate specific
resources sufficiently to tackle a problem, for instance
election security, then that allows us to put surge resources
to that problem. So if ransomware is a priority, then you need
to think about what is it going to take from a unit type cost
perspective to achieve the outcomes you want so that there can
be hiring, there can be certainty in contracting, there can be
other resources acquired and brought in.
I am telling you right now, the approach we took to
election security is but one of the critical infrastructure
sectors. In fact, 1 of 55 National critical functions. It
required a significant amount of focus and personnel and
resources, but it can be repeated. We can repeat that same
model to counter ransomware. But, again, you can't just say,
hey, you guys have to do this now out of your existing budget.
We have to put resources against it and it will get done. I
promise you that.
Ms. Rice. Well, I couldn't agree with you more.
I want to thank all of the witnesses here today because
with a brain trust like you helping legislators like us, I
don't know how we can't get this done. We just have to get
behind it in a nonpartisan way and get the job done.
Madam Chairman, I yield back. Thank you so much.
Chairwoman Clarke. I thank the gentlelady.
Let me just address an issue to remind Members that
pursuant to House rules Members are required to be on camera
when recognized during committee proceedings. Members may be
allowed to participate without video where they are having
technical difficulties.
Having said that, I would like to now recognize for 5
minutes the gentleman from New York, Mr. Torres, for 5 minutes.
Also inform colleagues that we will likely have a second
round of questions for our witnesses, so those of you who may
have additional questions, there will be a second round
following Mr. Torres.
Mr. Torres, the floor is yours.
Mr. Torres. Thank you, Madam Chair.
According to Cybersecurity Ventures, the cost of cyber
crime has been on an exponential curve, with $3 trillion in
2015 to a projected $6 trillion in 2021, to a projected $10.5
trillion in 2025. According to Third Way, almost all cyber
crime goes unpunished with less than 1 percent resulting in
enforcement action.
My first question concerns prevention and it is directed
toward Mr. Krebs. In your professional judgment, would
protective DNS services be effective at preventing most
ransomware breaches?
Mr. Krebs. Most ransomware breaches, I think that is hard
to say. I think it would certainly be an effective way to
detect malware on a network. And help minimize any sort of
further compromise.
Mr. Torres. What about the efficacy of multifactor
authentication?
Mr. Krebs. Well, that is just--that is table stakes. This
is one of the biggest problems right now that we are seeing I
think in State and local communities--and I would love to hear
Mr. Goulet's perspective--but some of these State and local
organizations, Tribal and territorial as well, don't have the
resources to shift off of some of their legacy systems and
don't have the staff to implement a multifactor authentication
regime. They rely on single-factor authentication, like
passwords that are easily brute force, password sprayed, and
things like that. I think we need to give them the resources to
make that shift, but we also need to put additional pressure on
some of the technology companies that are providing the
services and say, look, MFA, multi-factor authentication, by
default has to be the new normal.
Mr. Torres. A quick question about reporting. If a Federal
contractor were to make a ransom payment using Federal funds,
would the contractor be required to report the incident to the
Federal Government?
Mr. Krebs. I am not clear right now on some of the Federal
acquisition regulation requirements on that. But I mean if it
is not, it certainly should.
Mr. Torres. You know, it seems to me that the scandal is
not only that we are failing but in many ways we are not even
trying. Most State and local governments have no separate line
item for cybersecurity, which tends to be buried in the larger
IT budget. My understanding is that State and local government
on average dedicate only 1 to 3 percent of their IT budget on
cybersecurity.
In your estimation, what percentage of a State or local
government's IT budget should go toward cybersecurity?
Mr. Krebs. Percentages of overall IT spend dedicated to
cybersecurity is a metric that sometimes gets thrown around as
a good way to measure. I don't think it is always that helpful
because you could spend 15 percent of your budget on stuff that
doesn't do anything for you. So it is about are you investing
in the right things, like multifactor authentication. I think
for State and local, I think getting to the cloud, you know,
getting off of your on premises exchange servers, segmentation
of your networks, recovery, incident response planning and
exercises. I think those are 4 or 5 of the things that I would
put a lot of focus on.
Mr. Torres. I know the Task Force on Ransomware has put
forward 48 recommendations. I suspect many of those
recommendations are familiar proposals that have percolating
for a long time. I am curious now what historically has been
the greatest barriers to the implementation of those
recommendations and what can be done to break down those
barriers. This question is for both General Davis and Megan
Stifel.
Mr. Davis. Thank you, Congressman. I will go first while
Megan is considering her response.
There are a lot of good things that are out there that
exist today. I think part of the problem though is that, No. 1,
I was in the prepare working group. I was a co-chair in that
working group as well. What we came to the conclusion was that
for a variety of reasons organizations, especially the smaller
ones, both in the public and the private sector, were either
unaware of or there was a failure to adopt it for a number of
reasons. That is why one of the--in my opinion, one of the
biggest recommendations that we made was to come up with this
framework, this internationally-accepted, accessible, practical
framework of the best practices that exist out there today so
that this information can be made available.
In terms of adoption, part of the challenge with adoption
was the aspect of--especially at a smaller organizational
level, when you only have so many dollars, it seems that most
of the business decision making is done concerning availability
when it comes to information systems and not security.
So part of the recommendations we made was also to get
after that audience of business decision makers to arm them
with the information that would enable them to make better risk
management decisions within the context of the business and not
simply IT decisions.
Then just from the general perspective, I think a lot of
the reasons why some of the good things that are out there just
aren't adopted as wide-spread as they could be is the fact that
it has been stovepipe and piecemeal, and there is a lot of
noise that needs to be sifted through.
So I think our approach is this full court press with, you
know, all of these required participants in order to solve some
of those challenges.
Ms. Stifel. I am happy to respond. The time has expired,
but I would agree----
Chairwoman Clarke. Yes, the gentleman's time has expired
and we are going to enter into a second round of questioning.
So I just wanted to--if you can just hold your comments and you
can probably tack it on a response to some additional
questions.
I now recognize myself for the beginning of the second
round of questioning.
My next question goes to General Davis and you, Ms. Stifel.
The Ransomware Task Force report observes that there is a lack
of reliabile representative data about ransomware scope and
scale. DHS has long worked to incentivize cyber information
sharing with somewhat mixed results.
How can the Federal Government best incentivize State,
local, and private-sector entities to share timely, actionable
information about ransomware incidents?
Mr. Davis. Madam Chairwoman, I will be brief since I hogged
the last question and didn't give Megan a chance to answer.
But I will just say that from the perspective of the Task
Force, information sharing--threat intelligence sharing and
information sharing was seen as absolutely critical and that
there is a lot of good work that has been done, especially with
the Cybersecurity Information Sharing Act of 2015. All we are
recommending is that that be reviewed with an eye toward
ransomware specifically. There are some new indicators of
compromised and contextual information specifically around
ransomware that we believe can be integrated into the existing
regimes to make improvements where required.
Chairwoman Clarke. Ms. Stifel, your impressions? I know you
wanted to jump onto the last question.
Ms. Stifel. So first I would say with respect to
information sharing, agree with John that a great deal of work
has gone into and been successful in enhancing that capacity
over the past 5 years. Still I think there is an opportunity
for enhanced awareness around the importance of this
information, especially as it relates to ransomware, but also
of the incentives, so to speak, that are offered to entities
that do share information with the Government. I think there
are still, you know, hesitance and that can be reduced through
a range of opportunities, including valued members of the panel
with me in highlighting the value of sharing information.
On the last piece, I think part of the challenge relates to
knowing that there is a strategy. Improving the ability, again,
to highlighting the real threat that ransomware has become and
ensuring that the available resources that exist are known to
entities that meet them when they need to respond to them, as
well as to help better prepare them.
Chairwoman Clarke. Very well. Thank you for your response.
Mr. Goulet, the COVID-19 pandemic highlighted how dependent
we are on technology across Government and business. In
particular, we saw how under investment in State IT budgets
strained the ability of Americans to access certain programs,
such as enhanced employment benefits.
How has the pandemic affected States' risk to ransomware
and how could a ransomware attack impact a State's ability to
distribute Federal benefits to residents?
Mr. Goulet. Well, thank you.
Well, with the, what I call the Diaspora, with all the
people, you know, moving home to work early last year, where
the attack surfaces for any cyber attack just massively
increased because of, you know, where basically people's home
networks became part of our State networks as part of that.
Really the criticality of these systems became so much more
important, particularly like our unemployment systems or our
case management systems, where we use them for contact tracing
and vaccinations.
So, you know, the extra effort and impact of--we can
imagine--in fact we had sent out a special to all employees in
New Hampshire early in COVID saying don't be the one that
clicks on a link and takes down our unemployment system.
I would also have to comment on the multi-factor
authentication that came up earlier. Many States are
implementing that. It is a financial challenge for many States,
but it is absolutely critical, especially for systems that
are--where administrative access such--those with
administrative access accounts. It is absolutely critical that
multi-factor authentication be implemented.
Chairwoman Clarke. Very well. Thank you very much.
Ms. Stifel, you mentioned in your testimony that 70 percent
of ransomware attacks in the fourth quarter of 2020 involved
the threat to release data, in what some call double extortion
ransomware. That is a startling change from the traditional
ransomware practice of just denying access to data or networks.
What do you think is driving this change, how does this
additional threat shape victim's behavior, such as their
willingness to pay a ransom, and how have these threats
increased the impact that ransomware has on victim
organizations?
Ms. Stifel. Thank you, Madam Chairwoman. That is a great
question.
I would say there are a number of factors that are
influencing this shift. The first is that in some cases--I
think it was in about 20 percent of cases--ransom payments were
being made, and so the need to--and the fear that private
information, particularly if it is intellectual property, might
be hacked and dumped on-line can--incentivized criminals to try
and take this approach thinking that they are more likely to
get paid.
Similarly, the fact that in many cases now organizations
have back-ups--may not be fully comprehensive, but we heard
story earlier in this hearing about one school system being
able to restart from back-ups and the other not. That can also
frustrate criminals and so they need to pivot to an alternative
business model to try to continue to fund their malicious
activities.
The third I think is really that the ability for criminals
to--where victims are not making clear that they have been the
victim of an incident, by dumping the information they are
demonstrating their prowess, so to speak. So really I think one
of the things that people need to think about as they are
working to mitigate and prevent these types of activities is,
again, the utility of encryption and encrypting data at test
and in transit so that where files were--an actor gains access
to the network, they are still limited in their ability to gain
access to these essential files.
Chairwoman Clarke. I thank you.
I have gone over time, so let me now recognize the Ranking
Member of the subcommittee, the gentleman from New York, Mr.
Garbarino, for his questions.
Mr. Garbarino. Thank you, Chairwoman, for the second round.
I appreciate it.
Quickly, Ms. Stifel. You mentioned many CRRFs in your
opening statement, Cyber Response and Recovery Funds, yet the
ransomware report states that only about one-third of affected
companies pay the ransom. What would prevent a company that was
never planning to pay the ransom from applying for free money
from the Government to rebuild. Does this effectively take away
the incentive for private sector to modernize and securitize
their systems if they know the Government will pick up the tab?
Should there be some sort of cost-sharing arrangement in your
opinion?
Ms. Stifel. Thank you, Congressman.
Yes, the Task Force recommends that not just a blank check
so to speak be offered to entities that are applying to receive
assistance through the Cyber Response and Recovery Funds, but
in fact there being some set of criteria after which they might
be able to access the funds.
So in the case of the Task Force, the example was one a
framework is developed that identifies practices that could be
undertaken to better prevent ransomware victimization in the
first place, demonstration of compliance with or the ability to
meet the suggestions and the framework be one doorway through
which an organization might access the funds.
Mr. Garbarino. Thank you very much.
This is both for General Davis and Ms. Stifel. You both
participate, you are both co-chairs of the Task Force. I
believe one of the priority recommendations advocates to know
your customer. Another requirement is on cryptocurrency
exchanges. Can each of you expand on that recommendation? If
there is time, Mr. Krebs, maybe you want to jump in as well.
Mr. Davis. Thank you, Congressman. I will go ahead and
start.
But obviously the recommendation is that what we found from
the Task Force perspective was that ransomware crimes should be
more closely regulated and Government should require
cryptocurrency exchanges with crypto kiosks, the over-the-
counter trading desk, to comply with existing laws. Those were
the ones including know your customer, anti-money laundering,
and combatting the financing of terrorism. In our view, those
are good laws, they are just not effectively and consistently
implemented in all cases. Great oversight and the ability to
enforce those we believe would actually put a dent in this
problem.
Ms. Stifel. Just a little bit on what John said to you
highlights the importance of the information that can be
gathered through these types of requirements. Those cannot only
facilitate the investigation of the crime itself, but also it
is preventative measures that law enforcement and others can
take in trying to again deter the number of ransomware attacks.
Mr. Garbarino. Mr. Krebs, is there anything additional?
Mr. Krebs. I think that covers the fair share of it. Again,
I think what we have to focus on is increased--and I can't
believe I am saying this right now--but increase the
information sharing on victim--not personal information, but
victim wallets to the extent that we can get better fidelity on
the size and scope of this issue and where the funds are going
to light up those aggregation points throughout the economy,
the cryptocurrency economy, that allows us to take further
directive action against the criminals.
Mr. Garbarino. I appreciate that. Thank you very much all.
One just final question for anyone. Are you aware of
companies doing the right thing? You know, having back-ups,
doing what I explained before, but it being more expensive to
do the right thing than actually paying the ransom? Anybody
have any stories on that?
Mr. Krebs. So I--you know, just out of personal experience,
at least in the last several months, we have had a number of
conversations with companies that have ultimately decided they
could either rebuild or recover ultimately, somehow not have to
pay. The reasons for that are going to vary from not wanting to
contribute and otherwise.
Mr. Garbarino. OK. Since nobody else has anything else to
add, I yield back.
Thank you, Chairwoman.
Chairwoman Clarke. I thank the Ranking Member.
The Chair now recognizes for 5 minutes the gentlelady from
Texas, Ms. Jackson Lee. Ms. Jackson Lee, are you with us? Ms.
Jackson Lee?
Well, it appears that she is indisposed. You all have been
wonderful and giving of your time today----
Mr. Langevin. Madam Chair? It is Jim Langevin. If it is
possible to----
Chairwoman Clarke. Oh, absolutely. I am sorry, I am sorry.
The gentleman from Rhode Island is recognized now for 5
minutes, Mr. Langevin.
Mr. Langevin. Thank you, Madam Chair. I appreciate again
you holding this hearing and the time and the testimony of our
witnesses.
So let me go to Ms. Stifel. In your testimony and in the
Task Force report, you referenced the importance of the FBI
cyber assistant legal attaches, or ALATs. The Solarium
Commission, on which I served, also recommended substantially
increasing these positions to help coordinate international
cyber criminal investigations. Can you elaborate on why these
positions are so important from your perspective?
Ms. Stifel. Thank you, Congressman. As an alum of the
Department of Justice, I particularly appreciate the question.
So the ALATs are really the eyes and ears of the law
enforcement community overseas and they work very closely with
their host country counterparts.
So in the first instance they are there to help facilitate
investigations of criminal activity that has occurred against
U.S. citizens, but they are also there too as an extension of
our policy approach to law enforcement activity, including our
support for the Budapest Convention, otherwise known as the
Cybercrime Convention. So they are there not only collecting
evidence, also training local host country staff, but further
extending the policy approach of ensuring that there are
administrative, as well as substantive laws on the books that
criminalize malicious activity and unauthorized access to
computer networks and the ability to bring these perpetrators
to justice. So in some cases they need to be working through
mutual legal assistance activities necessary in order to
further an investigation.
Of course they are also providing assistance potentially
from the U.S. side where U.S. companies may be involved in host
nation's investigation of an activity.
But I think it is also crucial to note that we don't have
as many of these as probably could be most effective for--
particularly for purposes of combatting ransomware. So I would
encourage additional support for ALATs as the Solarium
Commission has also recommended.
Thank you for the question.
Mr. Langevin. You bet. I like how you phrased that there,
they are the eyes and ears of law enforcement on the
international front, if I heard that right. You know, I
couldn't agree more. Right now I think there are too few of
them and we really need to have more. So thank you for that.
I think there are only--people may be surprised to know I
think there are only 12 of them right now; 12 is not enough and
we need more.
Let me go back to General Davis, if you could. We talked in
the past about the preparation of crime as a service. Very
disturbing to me, certainly as it is to others, when you look
at the ransomware ecosystem and business model, what do you
view as the critical function with the disruption of which
would cause maximum pressure on the criminals?
Mr. Davis. Thank you, Congressman Langevin.
First of all, I would say that once again this is a full
court press and that happens to be one of the pressure points.
In looking more deeply at that pressure point, I know the Task
Force investigated the ability to disrupt the payment process,
and it was seen as a critical chokepoint, the infrastructure
associated with the ransomware model and the threat actors
themselves. I think it takes all 3 of those. There are specific
recommendations along the line of each of those 3 aspects of
putting pressure on the act itself, the criminal enterprise.
I do think that in the notion of going after the
infrastructure, there is an enormous role that private industry
can play and has proven to be able to play in certain instances
that are very current, for example. So I think this notion of a
National-level Joint Ransomware Task Force, that involves, you
know, White House-led effort with the appropriate inter-agency
and the new National Cyber Director in coordination with
existing organization, like NCIJTF and the JCPO, that is very
important. But to get after some of these infrastructure-
related disruptions, you are going to need to leverage the hub,
the private industry hub, that we have also made as a
recommendation as a part of that overall whole-of-society
effort.
Mr. Langevin. Thank you, General.
Mr. Krebs and Ms. Stifel, the Task Force recommends
developing target lists of ransomware developers and other
linchpins of the business model. Are there reasons the
Government doing this already? Or ways that we could help it
more effective?
Mr. Krebs. So I will try to keep this short, but, look, the
intelligence community, law enforcement community have, just
like everybody else, a limited set of resources and then a
separate set of priorities that they have to work against. So I
think what is needed here is let us elevate ransomware and
ransomware as a service in the priority list. Now, something is
going to get bumped down unless we give them more people and
more money to get through this. But I do think that there is a
realization in the IC that ransomware sponsored by countries
like Russia is a priority. We were able to prioritize counter
ransomware at least from an elections perspective. I think
there is a broader effort we can do here.
Mr. Langevin. Thank you.
Ms. Stifel, anything?
Ms. Stifel. No, I agree with Chris Krebs.
Mr. Langevin. OK. Very good.
I see my time is expired. Madam Chair, thank you for the
indulgence and I yield back.
Thanks to our witnesses.
Chairwoman Clarke. With that, I do thank our witnesses as
well, General Davis, Ms. Stifel, Mr. Krebs, and Mr. Goulet, for
your forthright answers today and as well as your indulgence in
our second round of questioning. I thank our Members for their
questions.
The Members of the subcommittee may have additional
questions for the witnesses and we ask that you respond
expeditiously in writing to those questions.
Without objection, the committee record shall be kept open
for 10 days.
Hearing no further business, the subcommittee stand
adjourned.
[Whereupon, at 4:22 p.m., the subcommittee was adjourned.]