House Committee on Oversight and Reform works towards cracking down on ransomware intrusions

ransomware intrusions

The U.S. House Committee on Oversight and Reform met this week to discuss strategies on ransomware intrusions, and chalk out ways to disrupt cyber hackers. The members also sought to outline plans that would build resilience against cyber threats. During the hearing, the committee members underscored that combatting ransomware attacks is a crucial, bipartisan issue.

The hearing will examine the competing pressures private sector companies, especially those serving critical public functions, and state and local governments face when confronting ransomware intrusions, often leading them to accede to attackers’ demands. The hearing will also consider the actions that the Biden Administration has taken to combat ransomware. It will also look into how Congress can ensure the United States implements a whole-of-government response with the National Cyber Director.

Chris Inglis, National Cyber Director, Brandon Wales, executive director for the Cybersecurity and Infrastructure Security Agency (CISA), and Bryan Vorndran, assistant director at the cyber division for the Federal Bureau of Investigation (FBI) were ‘witnesses’ at the house committee hearing.

Ahead of the hearing, Chairwoman Carolyn B. Maloney released a new staff memo showing preliminary findings of the Committee’s investigation into the ransomware intrusions on CNA Financial, Colonial Pipeline, and JBS Foods. The note examined how these ransomware intrusions unfolded and how legislation and policies may be developed to counter ransomware threats.

The meeting was held against the backdrop of reports that the FBI became a victim of a hack that allowed emails to be sent from its email servers disguised as genuine emails from the agency.

“In short, we are at a tipping point as cyberattacks have become more common and potentially more damaging,” Rep. Carolyn B. Maloney, the Chairwoman of the Committee on Oversight and Reform, said in her opening statement. “Several recent attacks have used a type of malicious software known as ransomware, which encrypts a victim’s system and demands a payment in exchange for restoring access or refraining from publishing stolen data. This is especially dangerous because it can shut down an entire system and can cause chaos in a community, an industry, or even the entire country. And cyber criminals are now demanding—and receiving—more money than ever,” she added.

The committee members and witnesses highlighted the dangers of paying ransom to the cybercriminals and underscored the need to implement a ‘whole-of-government’ strategy to better share information between private and public entities. Assistant Director Vorndran emphasized that in the event of victims paying a ransom, the federal government should “be notified as soon as possible when that ransom is paid so we can do our best to track the money.”

The memo also said that ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormously costly attacks. Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures prior to an attack.

It also drew attention to the fact that some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced. For example, two companies’ initial requests for assistance were forwarded to different FBI offices and personnel before reaching the correct team. Companies also received different responses on which agencies could answer questions as to whether the attackers were sanctioned entities. These examples highlight the importance of clearly established federal points of contact.

Another factor the memo brought out was that given the uncertainty over how quickly systems could be restored using backups and whether any sensitive data was stolen, the companies appeared to have strong incentives to quickly pay the ransom.  This pressure was compounded by attackers’ assurances that payment of the ransom would resolve the situation and avoid negative publicity for the company.

Among the issues raised at the meeting was that the Committee’s staff memo findings disclosed that some companies did not know to contact the federal government in the case of a ransomware attack.

Inglis stated that he agreed with the core finding that “it is essential that the federal government be joined up and coherent as individual citizens or organizations attempt to report or to seek service from that government.”  He added that when companies report attacks to the federal authorities, it allows the government to “bring all of our various authorities and resources to bear.”

The witnesses unanimously supported an incident reporting requirement, highlighting the dangers of incomplete data on ransomware intrusions. Each witness expressed their support for legislation requiring that companies report ransomware attacks to CISA and the FBI.

Vondran stated, “I can’t stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA.”

Wales agreed that passing cyber threat notification legislation is a top priority. “We need the information because that enables CISA and the FBI to both engage with that victim, offer our assistance, understand what’s happening from on their networks and protect other victims.”

In his written remarks, Inglis noted that the current U.S. administration “supports legislative efforts to require cyber incident reporting—including ransomware payments—to both the FBI and CISA, that will help prioritize the use of precious resources to support victims, disrupt threat actors and guide future investments to improve resilience.”

Cyberattacks on industrial control systems (ICS) for critical infrastructure are increasingly sophisticated and far-reaching, making cyber resilience and regulatory compliance more important than ever. Industrial organizations have had to adopt digital transformation to adopt more emerging technologies like 5G, the Internet of Things (IoT), machine learning, and artificial intelligence.

Data released by IBM Security X-Force earlier this year also disclosed that ransomware persisted as the top contender in the threat category in 2020, accounting for 23 percent of security incidents, while security vulnerabilities related to ICS, detected last year, were 49 percent more than those discovered in 2019.

Based on data collected from real attacks in its ‘IBM X-Force Threat Intelligence Index’ report, IBM found that the Sodinokibi (REvil) ransomware harvested a conservative profit of about US$123 million and stole around 21.6 terabytes of data. Ransomware attackers increased the pressure on victims by combining data encryption with threats to leak the stolen information on public sites. Manufacturing was the second most attacked industry coming right behind the finance and insurance industry.

Earlier this week, the U.S. administration brought in the Bipartisan Infrastructure Law that will provide much-needed investment towards building the resilience of physical and natural infrastructure. “The law makes our communities safer and our infrastructure more resilient to the impacts of climate change and cyber-attacks, with an investment of over $50 billion to protect against droughts, heat waves, wildfires, and floods – in addition to a major investment in the weatherization of American homes,” according to a White House statement.

Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM,

Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM,

Government investments to protect the nation’s critical infrastructure sectors have been long overdue, Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM, wrote in an emailed statement. “The $1B grant program in the Infrastructure Bill to help state, local, tribal and territorial governments protect public critical infrastructure from bad actors is at an investment level that shows the issue is finally being taken seriously.”

Unfortunately, US$50 million in the Build Back Better bill for industrial control systems security doesn’t scratch the surface in securing these aging systems from today’s significant threats, Carrigan pointed out. “These systems run the production environment and if they go down, significant negative consequences occur. Enterprises need to focus on reducing risk and the consequence of a cyber incident. Government can help them do that but it’s not included in either bill at a material level. Private enterprises still carry the financial burden to ensure their production environments are resilient against cyber attacks,” he added.

Data released by the Council of Insurance Agents & Brokers revealed that the second quarter this year was recorded as the 15th consecutive quarter of increased premiums, with respondents reporting an average increase of 8.3 percent across all-sized accounts. The premiums increased for all lines of business for the fifth consecutive quarter, though price increases for all lines moderated in the second quarter of this year compared to previous quarters. The only exception was cyber, which recorded the highest premium increase out of all lines, 25.5 percent, surpassing the 17.4 percent increase in ‘umbrella’ by a significant margin.

Umbrella insurance is extra insurance that provides protection beyond existing limits and coverages of other policies. It typically can provide coverage for injuries, property damage, certain lawsuits, and personal liability situations.

Respondents agreed a rise in ransomware intrusions, combined with lackluster risk management protocols and lack of employee training, was one of the primary drivers behind the notable increase in cyber prices. Underwriting also tightened significantly for troubled lines like cyber and umbrella. Additionally, capacity was contracted for both of those lines, with more than 80 percent of respondents reporting a decrease in capacity for cyber, and more than 70 percent reporting the same for umbrella coverage.

“The rapid increase in ransomware attacks highlighted the need for brokers to work with clients to develop and practice robust risk management strategies to confront the growing threat,” Ken A. Crerar, president/CEO of The Council, said in the report. “In a world where costly cyberattacks are becoming the norm rather than the exception, the broker is in a unique position to help clients identify vulnerabilities, find coverage and protect their firms.”