By Joseph Chalfant

On July 27, the Senate Judiciary Committee held a hearing over the growing number of ransomware attacks in the wake of the May Colonial Pipeline hack.

Member statements were made by Chair Sen. Dick Durbin (D-IL) and Ranking Member Sen. Chuck Grassley (R-IA) before witness testimony began. The witness panel consisted of representatives from four federal law enforcement agencies: DOJ Deputy Assistant Attorney General of Criminal Division Richard Downing; FBI Assistant Director of Cyber Division Bryan Vorndran; CISA Executive Assistant Director For Cybersecurity Eric Goldstein; and Secret Service Assistant Director of Office Of Investigations Jeremy Sheridan.

Member statements gave a brief overview of cybersecurity threats that have increased in recent years, ranging from attacks on small businesses to critical U.S. infrastructure and medical providers.

Downing opened by noting that ransomware attacks were tough crimes for law enforcement officials to solve, but federal agents have found some success and are now doubling their efforts. He noted that hackers have become emboldened with recent headlines and are now demanding ransoms as high as $50 million. Companies that forgo payment are at risk of having trade secrets stolen.

Downing explained that hackers most prominently operate out of countries with limited or no extradition to the U.S. and maintain anonymity by using deep-web technology like Tor. He claimed that as few as 20% of ransomware attacks are reported to the government. Downing put forward a message from the DOJ to Congress urging them to pass legislation to mandate reporting of high-impact breaches and to form a united front. He remarked that the DOJ task force that successfully recovered a portion of the Colonial Pipeline ransom was a “key part of what must be a whole of government solution” to cybercrime.

Testimony then turned to Vorndran, who reiterated the threat described by Downing and continued to advocate for reform. He believed that the government should make stronger efforts to work with domestic and international partners to create lasting and durable impacts on the cybersecurity industry. He advocated for adopting a standardized federal cybercrime reporting system and urged more victims of ransomware attacks to come forward.

Goldstein said that he wanted Congress to understand that ransomware attacks could affect businesses, organizations, and governments of any size and location. He warned that attacks create substantial amounts of downtime that may cripple critical industries and infrastructure nationwide. He did offer some reassurance by acknowledging that many of the mitigation efforts designed and deployed by the CISA have successfully reduced vulnerability and damage.

Goldstein urged individuals looking to bolster their security efforts to turn to the recently launched CISA project to find free preventative cybersecurity tools. He also advocated for the government to invest in building voluntary relationships with both the public and private sector and believes that increased funding for law enforcement agencies would help provide resources to combat the growing threat.

Witness testimony ended with Sheridan explaining that the growth of cybercrimes has had a direct relationship with the growth of cryptocurrencies like Bitcoin. Increased profitability and a lack of perpetrators being held accountable created an enticing opportunity for international crime syndicates. He believes that the path forward was to reduce profitability by increasing transnational investigative efforts and increased interdiction.

Questioning from committee members offered clarification into a variety of issues. After prodding from Sen. Durbin over cryptocurrency regulatory action, Downing explained that crypto had become prominent amongst criminals due to its anonymity as well as its non-reversality. Still, the DOJ had no legislative proposal for combating crypto-based crimes. He further explained to Sen. Grassley that the department focuses on IP theft from state actors in China. He claimed that some considerations were being made to combat ransomware-as-a-service providers but could not dive into detail.

Sen. Lindsey Graham (R-SC) pushed witnesses over whether the government should create a state-sponsors of ransomware list similar to that of state-sponsors of terrorism. Witnesses explained that their agencies were more concerned with individual actors, and a geopolitical entity would be required to hold state actors accountable.

Sen. Graham then moved his questioning to the effectiveness of deterrence. Time ran out before the question could be answered, so Sen. Ben Sasse (R-NE) reintroduced the issue at a later time. Vorndran answered by stating that agencies were “doing as much as we can with what we have.”

Sen. Sheldon Whitehouse(D-RI) demanded more clarity of the voluntary relationship between CISA and critical infrastructure organizations like Colonial Pipeline. He then pushed for more regulation of critical infrastructure providers over their cybersecurity standards. Sen. Thom Tillis (R-NC) took a similar stance when asking about the efficacy of a similar policy that would require companies conducting businesses with the federal government to reach predetermined cybersecurity standards “as the price of admission.”

The full recording of the hearing and written testimony from the witnesses are available here.