Ransomware, Governance, Risk and Compliance, Industry Regulations

Lawmakers seek metrics for Russian ransomware cooperation

Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security, center, speaks at a Nov. 16 hearing with the House Committee on Oversight and Reform in the Rayburn House Office Building in Washington. (Photo by Anna Moneymaker/Getty Images)

Lawmakers pressed officials from the Department of Homeland Security for quantifiable proof the Russian government has changed course on ransomware prevention at a House Homeland Security hearing Wednesday.

Russia, home to many components of the ransomware economy, has historically turned a blind eye to cybercrime whose victims are outside its borders. Following the early year flurry in high-profile ransomware attacks, the Biden administration has pressured Russian President Vladimir Putin to change that through a variety of measures, including the issue being the focus of an in-person meeting between the leaders. Biden said he told Putin there would be consequences for continued ransomware attacks on the 16 sectors the United States classifies as critical infrastructure. The U.S. has also sanctioned Russian cryptocurrency exchanges believed to be favored by ransomware groups and made countries harboring criminals a central point of a multinational summit on ransomware, which Russia was not allowed to participate in because of its history.

Tuesday marked the five-month anniversary of Biden's meeting with Putin. Lawmakers are now asking to see any returns.

"We need to see the metrics that tell us whether or not it's being it's being taken seriously and having an effect," said Rep. August Pfluger, R-Texas.

Wednesday's hearing was a joint meeting of two Homeland Security Committee subcommittees, that of intelligence and counterterrorism (for which Pfluger is ranking member), and infrastructure and innovation. Around half of the representatives focused questions on Russia, with metrics being a central ask.

"We want to see and hear and understand the specifics of those instances and how that effect is actually being is making headway," said Pfluger.

Russian harboring of cybercriminals is a commonly discussed component of ransomware prevention, but it is not the only component. Other nations, including Ukraine, are known hideouts for ransomware operators, with West Africa a haven for different kinds of cybercrime. And many studies of ransomware place equal, if not greater, importance on prevention efforts within our shores. The multistakeholder Ransomware Task Force also recommended improving the base cybersecurity for potential victims and increasing the resources available to victims who choose not to pay a ransom. The Biden administration has made some efforts in these directions, but Congress has been more reluctant.

But ransomware groups' ability to evade law enforcement has made traditional pressures on crime untenable. Law enforcement groups often can only arrest actors when they go on vacation to extradition countries.

"Putin could shut these operations down in a day if he wanted to," said Rep. Tom Malinowski, D-N.J.

Homeland security officials were not immediately able to provide metrics to show Russian cooperation.

"It's quite difficult to assess after a period of just a few months because the vast majority of ransomware incidents are not reported to the federal government," said Robert Silvers, undersecretary for Homeland Security's Office of Strategy, Policy, and Plans.

Mandatory reporting of breaches is a component of the National Defense Authorization Act currently being resolved in Congress.

The ransomware economy is complex. It involves many separate actors. Malware designers license the use of their products to affiliate groups, who often purchase access to pre-hacked systems from initial access brokers. Funds are funneled through permissive cryptocurrency exchanges and laundered or extracted through a variety of other criminal ventures. A Russian crackdown could reduce the number of actors in Russia even while more attacks involve Russian actors somewhere along their supply chain.

The witnesses at the hearing, including Silvers, CISA executive director Brandon Wales, and Treasury Assistant Director of Investigations Jeremy Sheridan, said that the federal government was not waiting for Russia to solve the problem.

"We have been quite direct with the Russian government, but we are not sitting around and waiting for the Russian government to act," said Silvers.

"Metrics have been brought up multiple times. ...But we use some quantifiable metrics in the Secret Service," said Sheridan. "We've conducted over 937 arrests for cyber fraud activities. We prevented more than $2 billion in fraud loss. We've seized more than 3.5 million financial accounts that have been used for illicit activities, seized $129 million, returned more than $55 million to victims. We do have quantifiable metrics in this space."

Metrics specific to Russia, said the witnesses, do not exist yet.

Members of Congress said they would be eager to hear the statistics of Russian cooperation when they do.

"I would expect that one year out from [the Biden/Putin] summit, we will be back here having that conversation with metrics to assess what has happened in the year since," said Rep. Elissa Slotkin, D-Mich. "If the United States knew that actors, criminal actors, were emanating from our soil and attacking another country, we would act. And I don't see any evidence that Russia is actually helping us on this on this score."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.