U.S. Justice Department officials came out in strong support of legislation requiring companies to report ransomware attacks and other severe data breaches to federal authorities.
“Without prompt reporting, investigative opportunities are lost, our ability to assist other victims facing the same attacks is degraded and the government and Congress does not have a full picture of the threat facing American companies,” said Richard Downing, deputy assistant attorney general for the criminal division of the U.S. Department of Justice, at a Senate Judiciary hearing on ransomware Tuesday.
The sentiment was shared by Bryan Vorndran, assistant director of the cyber division at the FBI.
“We need a federal cyber incident reporting standard for breaches that pose significant risks because inconsistent volunteer reporting is simply not enough,” said Vorndran.
Current versions of reporting legislation circulating on Capitol Hill put the Department of Homeland Security’s cybersecurity agency at the center of reporting. Eric Goldstein, executive assistant director at CISA, told Congress that “we look forward to working with Congress on incident reporting legislation that will significantly increase the volume of incidents that are reported to CISA.”
Lawmakers of both parties shared a consensus that breach notification laws were needed in light of a recent wave of ransomware attacks against U.S. companies including Colonial Pipeline and the meat supplier JBS.
Sen. Sheldon Whitehouse (D-R.I.) urged the Justice Department to collaborate with the Senate on his recently introduced cybersecurity legislation, which he noted was similar to legislation proposed by Downing.
“If there are technical changes that you think we should make, then we’re eager to work that out but we think that this is a bill that has bipartisan support that could potentially move by unanimous consent, and we’d like to get this straightened out,” Whitehouse said.
His isn’t the only ransomware-related bill making the rounds on the Hill. Senate Intelligence Chairman Mark Warner (D-Va.) in June introduced bipartisan legislation that would require key groups, including critical infrastructure owners, cybersecurity incident response firms, and federal contractors, to report cyber intrusions to the Homeland Security Department within 24 hours.
Downing shot down at least one measure in the Whitehouse bill, which would allow private companies to hack back against cybercriminals. Downing said that such a tactic could damage third-party infrastructure or invite interference by criminal actors.
“Our long-standing position has been that it is not a helpful road to go down, instead report to us,” he said. “Report to the FBI. We have the authorities to have an effect and an impact.”
Officials testifying in front of the committee also largely expressed a consensus against an outright ban on ransomware payments. While the FBI has long advised victims not to pay ransoms, the rise in hackers leaking victim data has complicated that approach.
“It’s our opinion that banning ransomware payments is not the road to go down and there’s really a prime reason for that,” said the FBI’s Vorndran. “Now you’re putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities.”
Such a ban would shut down cooperation with law enforcement, agreed Jeremy Sheridan, assistant director of the office of investigations at the United States Secret Service.
“As was stated by several of my colleagues, banning the payments would further push any reporting to law enforcement into obscurity and make it virtually impossible for us to have that relationship,” Sheridan said.