At a Senate Judiciary hearing covering a diverse array of ransomware policy options, witnesses from the Department of Justice, FBI, CISA and the Secret Service backed widely discussed proposals to require enterprises to report breaches to the federal government.
"We face a gap in reporting from victims. Without prompt reporting, investigative opportunities are lost, our ability to assist other victims facing the same attacks is degraded, and the government and Congress do not have a full picture of the threat facing American companies. Congress should enact legislation to require victims to report," said Richard Downing, deputy assistant attorney general for the DOJ's criminal division.
Though the first efforts to require enterprises to notify the government after being breached date back to a bill from Sens. Susan Collins, R-Maine, and Joe Lieberman, then an independent from Connecticut, lawmakers began a vigorous push for similar legislation after the SolarWinds espionage campaign earlier this year. One high-profile option is a bill from Mark Warner, D-Va., Marco Rubio, R-Fla., and Collins released last week.
Downing said the Department of Justice would back a reporting requirement that covered critical infrastructure, ransomware and other "high-impact" attacks, but not all proposed reporting schemes have prioritized sharing detailed information with law enforcement. Some have limited the data flow to CISA where it would be anonymized before sharing elsewhere.
The hearing covered a wide array of policy options for ransomware. Several senators asked about forcefully preventing ransom payments. Chair Dick Durbin, D-Ill., proposed preventing cyber insurance payouts to cover ransoms, while Sen. Mazie Hirono, D-Hawaii, asked about the prospect of banning all ransom payments from any source.
Witnesses were against the idea of banning ransom payments outright.
"Banning the payments would further push any reporting to law enforcement into obscurity and make it virtually impossible for us to have that relationship," said Jeremy Sheridan, assistant director of the Secret Service's office of investigations.
Bryan Vorndran, assistant director of the FBI's cyber division, said that enterprises were squeezed hard enough by ransomware that many would still pay even after a ban, opening them up for continued extortion for breaking the law.
Sen. Tom Tillis, R-N.C., asked about the prospect of allowing enterprises to hack back, which the Senate is currently mulling via a bill from Sheldon Whitehouse, D-R.I., and Steve Daines, R-Mont.
"The department has long held the position that it is still advised to encourage or permit private sector people to hack back," said Downing, who explained the risks of collateral damage, geopolitical harm and interference with ongoing investigations.
Whitehouse did not focus on the hack back bill, instead expressing disappointment that baseline cybersecurity standards were not being met at enterprises. Whitehouse blamed that on security guidelines not being mandatory, which he said was because of pushback from groups like the U.S. Chamber of Commerce whenever mandatory measures were proposed.
Reached for comment, Christopher Roberti, U.S. Chamber of Commerce senior vice president for cyber, intelligence, and supply chain security policy, said that the Chamber believes lawmakers are not agile enough to adequately maintain cybersecurity standards.
"We will continue to work with willing parties to advance productive ideas to strengthen critical infrastructure without defaulting to counterproductive approaches that don't keep up with the rapidly evolving threats facing the private sector today," he said via email.
While most of the hearing shied away from partisan bickering, Sen. Ted Cruz, R-Texas, argued that recent failures in ransomware protection could be traced back to the Biden administration, including geopolitical efforts to curb Russian cyberespionage and crime.
"He met with Putin and told him that only certain parts of America's critical infrastructure should be off-limits - he specified 16 parts that were off-limits. Call me crazy. I think all of our critical infrastructure should be off-limits to Russian hacking," said Cruz.
The Department of Homeland Security classifies all critical infrastructure into 16 sectors; the 16 sectors Biden named therefore cover all critical infrastructure.