Senators urge CISA to implement ransomware reporting rules
The Senate Homeland Security and Governmental Affairs Committee urged the Cybersecurity and Infrastructure Security Agency (CISA) to implement new ransomware reporting rules as quickly as possible after finding sharp increases in the number of attacks targeting U.S. schools, local governments and healthcare facilities.
In a 51-page report on ransomware released on Tuesday, chairman Gary Peters (D-Mich.) and other senators on the committee repeatedly lamented the lack of data on ransomware attacks.
The report said ransomware attacks impacted at least 2,323 local governments, schools, and healthcare providers in the U.S. in 2021, but noted that the figure is a severe undercount considering how few ransomware attacks are reported.
Peters ordered the report in July 2021 and had his staff conduct numerous interviews with federal law enforcement and regulatory agencies as well as private companies that assist ransomware victims with ransom demands.
“Both federal agencies and private companies raised concerns regarding the lack of visibility into the full scope of ransomware threats and cryptocurrency ransom payments,” the report explained.
“Each of the interviewees advocated for increased data collection regarding illicit actors’ methods and ransom payments to better understand the ever-evolving landscape of ransomware attacks and illicit uses of cryptocurrency.”
CISA told the Senate that only about one-quarter of ransomware attacks are reported.
Peters led the effort to get a cyber incident reporting bill passed and signed into law earlier this year, the Cyber Incident Reporting for Critical Infrastructure Act, but it only covers critical infrastructure organizations. Covered organizations must report qualifying cyber incidents to CISA within 72 hours and report ransomware payments within 24 hours.
The law also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA has two years after passage of the Act to issue the notice of proposed rule-making and another 18 months to issue the final rule, meaning it may be years before the reporting requirements actually take effect.
As the report notes, ransomware attacks are only getting worse based on the little data available from CISA, the FBI, and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) as well as other disparate federal agencies. The FBI found that between 2018 and 2020, there was a 65.7 percent increase in victim count and a staggering 705 percent increase in adjusted losses.
In 2021 alone, the FBI received 3,729 ransomware complaints with adjusted losses of more than $49.2 million.
The Senate committee found gaps in coordination between federal agencies, who often do not share information on ransomware attacks.
Even the FBI — which called the data “artificially low” — spent several years undercounting the number of ransomware attacks because it would only count incidents reported to its Internet Crime Complaint Center and not those reported to local field offices in each state, the report found.
The report cites a study from security company Emsisoft that found at least 24,770 ransomware incidents in the U.S. in 2019.
The Committee reiterated throughout the report that the lack of data means legislators are unsure of what policies to pass and whether existing policies are addressing the issue.
“The lack of data on ransomware attacks and cryptocurrency ransom payments blunts the effectiveness of available tools for fighting ransomware attacks including U.S. sanctions, law enforcement efforts, and international partnerships, among other tools,” the committee said.
“The private sector and the federal government are not able to fully and effectively assist victims to prevent or recover from ransomware attacks without a comprehensive dataset on ransomware attacks, ransom demands, and payments. Such a dataset does not currently exist.”
The report recommends that CISA implement the new ransomware payment reporting mandate as soon as possible and urged federal agencies to “implement the requirement in the law to share all cyber incident reports with CISA to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes.”
The Senate committee also said the federal government needs to standardize existing federal data on ransomware incidents and ransom payments to facilitate comprehensive analysis.
“Agencies should standardize how data from existing reporting requirements for ransomware incidents and ransom payments is organized and formatted across federal government agencies to enable more comprehensive information sharing and analysis,” the report said.
Several other recommendations are listed, including federal government-promoted public-private initiatives to investigate ransomware attacks.