U.S. Department of Homeland Security and Ransomware: The Research Findings
The federal government doesn’t know much about ransomware and what it does know is fragmented and siloed at various agencies, largely inaccessible to others, the Department of Homeland Security said in a new report.
For example, the government’s limited understanding of the overall ransomware landscape and how cyber actors use cryptocurrency payments to cloak their heists by making transactions difficult to track blunts the effects of certain tools federal law enforcement has at its disposal to fight ransomware attackers. Moreover, because nearly three-fours of global ransomware money in 2021 went to cyber syndicates either located in Russia or state-backed, collecting data on the attacks and cryptocurrency payments is critical to national security, according to the report, entitled Use of Cryptocurrency in Ransomware Attacks, Available Data and National Security Concerns.
“This limited collective understanding of the ransomware landscape and the cryptocurrency payment system blunts the effectiveness of available tools to protect national security and limits private sector and federal government efforts to assist cybercrime victims,” the report reads.
Here are four key findings:
- The federal government largely relies on voluntary reporting of ransomware attacks and cyber extortion demands, which only captures a fraction of the attacks that occur.
- Data on ransomware attacks is reported to numerous federal agencies including CISA, the FBI, and the Treasury Department’s FinCEN, among others. These agencies do not capture, categorize, or publicly share information uniformly.
- Lack of reliable and comprehensive data on ransomware attacks and cryptocurrency payments limits available tools to guard against national security threats.
- Currently available data on ransomware attacks and cryptocurrency payments limits the private sector and the federal government to fully and effectively assist victims to prevent or recover from ransomware attacks.
And 11 recommendations:
- The Administration should swiftly implement the new ransomware attacks and ransom payments reporting mandate.
- CISA should complete the required rulemaking as soon as possible to implement the requirements in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 signed into law as part of the Consolidated Appropriations Act of 2022, which mandates incident reporting of substantial cyber-attacks and ransomware payments against critical infrastructure.
- Federal agencies should implement the requirement in the law to share all cyber incident reports with CISA to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes.
- The federal government should standardize existing federal data on ransomware incidents and ransom payments to facilitate comprehensive analysis.
- Agencies should standardize how data from existing reporting requirements for ransomware incidents and ransom payments is organized and formatted across federal government agencies to enable more comprehensive information sharing and analysis.
- Congress should establish additional public-private initiatives to investigate the ransomware economy.
- The federal government should promote public-private partnerships to research the ransomware economy, in particular, the interrelationships between cybercriminals who conduct or facilitate ransomware attacks and the financial structures facilitated by cryptocurrencies that sustain cybercriminals’ illicit activities, including privacy coins.
- These partnerships should also examine ransomware infrastructure to help design and promote effective countermeasures.
- Congress should support information sharing regarding ransomware attacks and payments including crowdsourcing initiatives.
- Congress and relevant agencies should consider ways to support partners within the private, nonprofit, and academic sectors seeking to expand the collection and organization of information on ransomware attacks including by examining federal funding options and sharing anonymized data regarding ransomware attacks and payments.
- Government agencies should collaborate with partners to identify viable crowdsourcing initiatives to pool information regarding ransomware attacks and extortion payments.