Ransomware legislation under consideration as key senators request input from Biden team
The top two senators on the Homeland Security and Governmental Affairs Committee called on the Biden administration on Friday to provide input on addressing the threat of ransomware, as they draft legislation ahead of the August recess.
Chairman Gary Peters, a Michigan Democrat, along with top Republican Rob Portman of Ohio, asked the administration for specifics, including strategies that federal agencies are developing, new or revised authorities and suggestions for legislation.
The federal government “needs to do more” to support the public and private sectors and punish the bad actors that perpetrate these crimes, the senators wrote in a letter to the White House and Office of Management and Budget.
“As highlighted in recent weeks, a single ransomware attack against a vulnerable target can have widespread and devastating impacts for communities across the United States,” they wrote.
The request, asking for information within 30 days, comes in the wake of cyber breaches of a major oil pipeline, the New York City transportation system, and meatpacking centers.
Last month a ransomware attack on Colonial Pipeline prompted a nearly week-long shutdown of one of the most important fuel pipeline’s in the US and led to panic buying and widespread gas station outages in the Southeast. That incident, followed several weeks later by a cyberattack on a major US meat producer, JBS, highlighted the crippling impact that ransomware can have for businesses and vital services throughout the US, as criminals have increasingly had success targeting large enterprises.
The recent ransomware incidents hitting critical infrastructure prompted new urgency inside the Biden administration to formulate a way to respond and laid bare for President Joe Biden and senior officials the vulnerabilities that exist in private-sector networks.
Biden previously said he was “looking closely” at retaliating in response to a ransomware attack on JBS, which the White House identified as having been carried out by a group working from Russia.
On Thursday, the committee held a nomination hearing for two of the senior officials expected to round out Biden’s cyber team. Chris Inglis, the nominee for the newly created national cyber director role, said the threat of ransomware “will not stop on its own accord.”
“It’s not a fire raging across the prairie that once it’s consumed the fuel, it will simply stop, and we can simply wait for that moment. We must stand in and there’s a range of activities that we must undertake,” Inglis told lawmakers during his confirmation hearing.
Like-minded nations need to remove “sanctuary and bring to bear consequences on those who hold us at risk,” he said.
Biden’s nominee to the lead the DHS cybersecurity agency, Jen Easterly, expressed support for mandatory private sector reporting to the government on cyber incidents during the same hearing Thursday.
“I don’t have a sense across the board. But it seems to me that voluntary standards are probably not getting the job done,” she said.
Last month in response to the attack on Colonial, the Department of Homeland Security mandated that critical pipeline operators comply with several cybersecurity measures, including reporting cybersecurity incidents to the department within 12 hours.
Peters and Portman also authored a provision in the larger bipartisan competitiveness bill that passed the Senate earlier this week, aimed at helping improve the federal response to cyber breaches.
The provision establishes a cyber response and recovery fund for the DHS Cybersecurity and Infrastructure Security Agency to provide direct support to public or private entities after significant cyberattacks.