- Unfortunately, most breaches are not reported to law enforcement, writes Deputy Attorney General Lisa Monaco.
- Congress can help close this gap by enacting legislation to create a national standard for reporting cyber incidents that pose significant risk, she writes.
The ransomware attack on Colonial Pipeline should have been a wakeup call for America.
A group of cybercriminals infiltrated a company that runs one of the country's largest pipelines, halting operations across the entire Eastern seaboard. The compromise led the federal government to take action to stem the disruptive gasoline shortages felt by Americans up and down the east coast.
The Colonial Pipeline attack was not the first of its kind, nor the last. A few weeks later, JBS Foods — one of the world's largest meat distributors — suffered a similar attack. Shortly afterwards, criminals struck Kaseya, a global IT software provider.
This string of attacks illustrates the surge in ransomware and digital extortion attacks over the last several years. The collective damage of ransomware is easily in the billions of dollars. The FBI is investigating over 100 different strains of ransomware, each of them with scores of victims.
So what will it take for us to recognize that ransomware threatens both our country's public safety and national security? The Justice Department's prosecutors and the FBI have stopped ransomware attacks, shut down computers and services they rely upon, seized ransom and returned it to victims, and prosecuted offenders no matter where in the world they may be. But we won't prosecute our way out of the problem.
More needs to be done. Cybercriminals have increased the scale, scope and impact of their nefarious efforts. The simple fact is we cannot go at this problem alone. The growth of "ransomware-as-a-service" — allowing sophisticated hackers to sell or lease the tools needed for a ransomware attack to criminal customers — has reduced the technological skill needed to successfully conduct a ransomware attack. Every day, cyber actors are resorting to digital extortion: hacking into a system, stealing sensitive data, and not only holding vital data hostage but also threatening to leak or sell victim data, in an effort to raise the stakes for victims and coerce them to pay these ransoms.
This cannot stand. That is why earlier this year, the Department of Justice created the Ransomware and Digital Extortion Task Force as part of the Biden's administration's whole-of-government effort to deter and disrupt cyber threats.
The goal is to be both more coordinated in our response to these attacks and more assertive in preventing them. Together with our partners, and the FBI, the Task Force allows the Department not only to use all of the tools at our disposal to prevent, disrupt and prosecute these attacks, but also — and perhaps most importantly — it allows us to collaborate with the private sector to better protect our infrastructure from these attacks in the first place.
Too often after a cyberattack, the victim company struggles with how, whether, and when to contact law enforcement. But if you have an intruder in your home you do not hesitate to call 911, and it is time to think about cyberattacks with the same instinctive response.
Engagement with the private sector is vital because much of what investigators and prosecutors will know about a ransomware or digital extortion attack depends on what victims tell us — and when. In cases like Colonial, we got their ransom payment back by following the money — a tried and true law enforcement technique that was made possible through quick and thorough reporting followed by close cooperation. As in other cases, this allows us to trace victim funds, recover exfiltrated data, identify perpetrators and prevent future attacks.
Unfortunately, most breaches are not reported to law enforcement. Absent prompt reporting, investigative opportunities are lost, our ability to assist other victims facing the same threats are degraded, and the government loses the full picture of the threat facing our country. The current gap in reporting hinders the government's ability to combat not just the ransomware threat, but all cybercriminal activity. It means we go at it alone, without key insights from our partners in the private sector, and it needs to change, today.
Congress can help close this gap by enacting legislation to create a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure and their supply chains.
Legislation should designate a single mechanism where victims can file reports to the federal government to be shared immediately with all relevant federal agencies — with the Department of Justice and the Department of Homeland Security taking the lead on joint rulemaking to ensure its implementation. Reports must be prompt, and should include information about the incident, the means by which the attack occurred, infrastructure that was used, and a description of the systems or data affected.
In the case of ransomware, such reporting should also include details about any ransom demand or payment. And victims should not be worse off for helping the government.
As we observe Cybersecurity Awareness Month this October, this year's theme could not be more timely: "Do Your Part. #BeCyberSmart." Law enforcement will always respond to and support businesses and organizations on the front lines who fall victim to ransomware attacks, and we will continue to pursue bad actors in ways that the private sector cannot. But for us to truly succeed in strengthening our resilience against and combating the growing threat posed by ransomware, we cannot go at it alone.
We need to tackle this problem together, through a close partnership between the government and the American public, across sectors, and at both an organizational and individual level. Without action, we are not safe. With increased reporting and cooperation with the private sector, America's law enforcement and partner agencies can make even greater strides in responding to the threat, identifying and arresting those responsible, and making America safer.
Lisa O. Monaco is the 39th deputy attorney general of the United States. She previously served as assistant to the president for homeland security and counterterrorism under President Barack Obama, and before that, as the assistant attorney general for the Justice Department's national security division, the first woman to hold that role.