Biden administration officials endorse ransomware reporting rules
A handful of key Biden administration officials on Tuesday voiced support for legislation that would mandate certain businesses report ransomware attacks to the government.
“Congress should enact legislation to require victims to report,” Richard Downing, a deputy assistant attorney general in the Justice Department’s Criminal Division, said in his opening statement during a Senate Judiciary Committee hearing.
Downing, who added an appendix to his remarks that offered a more detailed outline of the legislation backed by the DOJ, said the mandate should also include attacks on critical infrastructure and “other high impact breaches.”
Bryan Vorndran, the assistant director of the FBI’s cyber division, echoed that sentiment.
“We need a federal Cyber Incident Reporting Standard for breaches that pose significant risks because inconsistent volunteer reporting is simply not enough,” he told the panel.
“We are very significant advocates for mandatory breach reporting,” he later added, noting that the FBI estimates that only between 25 and 30 percent of incidents get reported to federal law enforcement.
Eric Goldstein, the executive assistant director for cybersecurity at CISA, was more careful in his remarks, saying that the cyber wing of DHS looks forward to “working with Congress on incident reporting legislation that will significantly increase the volume of incidents that are reported” to the government.
He later said the agency’s view is that “any efforts to increase the volume of incident reporting to CISA and to be shared with our partners in federal law enforcement is absolutely essential.”
The hearing was the latest in a parade of sessions convened on Capitol Hill as lawmakers look to come up with policy solutions to get a better handle on digital assaults on the U.S. private sector, such as the high-profile ransomware attacks that briefly knocked the Colonial Pipeline offline and jammed up production at meat processing behemoth JBS, in addition to supply chain attacks on IT software vendors like Kaseya and SolarWinds.
The lobbying by officials from DOJ, FBI and CISA found a receptive, bipartisan audience among panel members, many of whom said the current, voluntary framework has not worked to stem the tide of hacks and signaled they would support legislation mandating businesses notify the government of attempted or successful breaches.
Sen. Sheldon Whitehouse (D-R.I.) called the voluntary system a “total faceplant failure” in the case of Colonial’s ransomware attack.
He specifically asked Downing to come back and work with senators to potentially tweak legislation introduced last month aimed at creating stiffer penalties for cyberattacks against critical infrastructure and providing DOJ more leeway to bring charges against criminals in foreign countries.
A trio of incident reporting bills have begun to circulate around Congress, the most notable of which would require federal contractors, agencies and critical infrastructure operators to report cyber intrusions to CISA within 24 hours of discovery.
While some panel members lamented the lack of an overall strategy on ransomware — despite recent steps to combat it, such as establishing an information hub — others blasted companies for not doing more.
“Our corporate sector really is failing in its responsibility to protect our national security by refusing to report these instances of cyberattacks. Am I overstating it?” Sen. Richard Blumenthal (D-Conn.) asked Goldstein.
He replied that the best remedy “needs to be a whole-of-nation effort with government and industry working together around this shared challenge and the more the companies report their intrusions to the government, the better job we can do to manage this risk.”
Blumenthal responded: “I interpret that as a ‘yes.’”
Judiciary Committee Chair Dick Durbin (D-Ill.) ended the hearing by noting there was a “general bipartisan consensus on this side of the table. And I like that. And I think that’s a positive thing, and I hope it leads, I think it will, to specific legislation to deal” with ransomware.
He called the incident reporting legislation Downing proposed the “beginning of a conversation with the administration on doing this … and we want this committee to facilitate that conversation.”