As ransomware data remain ‘fuzzy,’ US cyber leaders see reasons for optimism
NASHVILLE — Two top federal cybersecurity leaders on Friday described ransomware as a persistent threat but offered optimism that existing and recently launched efforts would help combat the digital pandemic.
“I’m not sure when it’s going to crest,” U.S. Cyber Command and NSA chief Gen. Paul Nakasone told reporters after his keynote address at the Vanderbilt University Summit on Modern Conflict and Emerging Threats.
“It certainly isn't going down.”
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly acknowledged the almost-daily reports of ransomware attacks but noted “it’s hard to tell” if the number of incidents is rising or falling because there is no strict reporting requirement yet to provide the government with a “big picture.”
“There's not this authoritative body about how much ransomware has gone up or gone down,” she told reporters after her fireside chat at the conference. “It's very fuzzy. It's very anecdotal.”
The White House and Congress have worked to address ransomware after the historic extortion attacks on Colonial Pipeline and other major private entities in 2021 made the online threat a kitchen table issue for Americans households.
Most notably, President Joe Biden last year signed into law bipartisan legislation that mandated critical infrastructure owners to notify the government if their organization has been hacked or made a ransomware payment; tasked the Homeland Security Department’s cyber wing with creating an incident reporting regime; and authorized other initiatives, including the Joint Ransomware Task Force run by CISA and the FBI.
Yet attacks continue and have seemingly ramped up against organizations — like local school districts, law enforcement agencies and hospital networks — that lack the resources to protect themselves from criminal gangs.
‘The more important question’
Speaking to the conference earlier in the day, Easterly said her agency is looking to put into place programs over the next couple of years that will “make a big difference to really understand the ransomware ecosystem,” like the joint task force, the Joint Cyber Defense Collaborative (JCDC) and the more recent ransomware vulnerability warning pilot program.
She told reporters it was also her sense that the events in 2021 raised awareness about ransomware and cyberdefense overall.
“I would set aside the question of, is it up, is it down?,” she said. “The more important question is, have we been able to make a difference in raising awareness and also putting into place measures that will allow us to reduce both the prevalence — that's what's behind our ransomware vulnerability warning pilot — but very importantly, impact?”
Nakasone — who launched a “surge” at both of his agencies in 2021 to combat the proliferation of ransomware — said he has “not necessarily” observed malicious actors employing new techniques to achieve their goals.
He noted that the two organizations he helms are working “very, very closely” with the FBI, CISA, as well as other federal entities and international partners, to tackle it.
The four-star Army general highlighted the deepening relationship between Easterly’s agency and his command’s elite Cyber National Mission Force (CNMF) as a “big piece” of going after ransomware in the future.
Still, the digital scourge “is not going to disappear anytime soon,” according to Nakasone.
Meanwhile, Easterly said her agency remains on track to roll out the final rule on the incident reporting regime in September 2025.
“That's not soon enough to my liking but that's what was established in statute,” she told reporters. “Then we'll have a much better idea of sort of how to baseline a lot of this and we will really be able to say, at that point in time, the impact, the prevalence of ransomware has materially diminished.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.