Newly proposed legislation would strengthen U.S. defenses against ransomware attacks on critical infrastructure operations and impose sanctions on foreign nations that harbor hackers.
Senators Marco Rubio (R-FL), vice chair of the Senate Intelligence Committee, and Dianne Feinstein (D-CA) have introduced the Sanction and Stop Ransomware Act. The bill would put ransomware in the same category as terrorism by sanctioning nations that back cyber attackers and requiring the President to impose sanctions consistent with those levied on nations that underwrite acts of terror.
The Sanction and Stop Ransomware Act would:
- Require the development of cybersecurity standards for critical infrastructure entities, consistent with existing federal regulations and existing National Institute of Standards and Technology (NIST) levels.
- Require the development of regulations for cryptocurrency exchanges to reduce the anonymity of accounts and users suspected of ransomware activity and to make records available to the U.S. Government in connection with ransomware incidents.
- Direct the Secretary of State, in consultation with the Director of National Intelligence (DNI), to designate as a state sponsor of ransomware any country the government of which the Secretary has determined has provided support for ransomware demand schemes, including by providing safe haven for individuals or groups.
- Require the President to impose sanctions and penalties on each state designated as a state sponsor of ransomware, consistent with sanctions and penalties levied on and against state sponsors of terrorism.
- Require federal agencies, government contractors, and critical infrastructure owners and operators to report the discovery of ransomware operations within 24 hours, consistent with the Rubio-Warner-Collins Cyber Incident Notification Act.
(Note: MSSP Alert has bolded the bullet point above to emphasize the service provider implications.)
Ransomware As Terrorism: Potential MSSP Implications
Keep in mind that any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.
“Our bipartisan bill provides the tools necessary to help safeguard critical infrastructure while discouraging and disrupting these criminal organizations, including the regimes who harbor them,” said Rubio. “It is time for the United States to take strong, decisive action to protect American businesses, infrastructure, and government institutions.”
Feinstein also said Congress has some work ahead of it to combat ransomware. “Congress must do more to support all organizations and companies struggling to deal with these escalating attacks,” she said. “Our bill will help the private and public sectors avoid ransomware attacks, reduce incentives to pay ransoms and hold foreign governments accountable if they provide a safe haven for ransomware perpetrators.”
Legislation Responds to Cyberattacks, IT Service Provider Risks
The potential legislation comes in the wake of multiple high-profile cyber hijacks, including those that hit Colonial Pipeline, SolarWinds, JBS and Kaseya, as well as international targets, most recently a takeover of an Italian health portal used to schedule COVID-19 vaccination appointments. Russia-based cyber crews have been linked to each attack. Following the SolarWinds incident, President Biden imposed economic sanctions on Russia and subsequently publicly rebuked China as well for “malicious cyber behavior,” but he has not gone any further.
The Sanction and Stop Ransomware measure would add to a growing number of potential bills and Congressional activity to address the ransomware scourge. For example, questions on whether Congress should ban U.S. companies from paying ransoms and if companies should be required by law to report cyber attacks to federal law enforcement have arisen as cyber authorities try to deal with the ransomware onslaught.
A top Federal Bureau of Investigation (FBI) cyber specialist recently told the Senate Judiciary Committee that legislation to ban U.S. companies from shoveling what often amounts to millions of dollars to cyber kidnappers is a bad idea because it further emboldens hackers to blackmail victims with threats to sell their vital data on the dark web.
Mandatory Incident Reporting: Coming Soon?
On the other hand, there is relative unanimity among cybersecurity officials that mandatory incident reporting at least for critical infrastructure operations will soon be on the menu. Legislators pushing incident reporting recently received a boost from newly installed Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Chris Inglis, the inaugural White House national cyber director, both of whom support the idea.
Virginia Senator Mark Warner (D) has also called on Congress to enact new legislation that would require private companies to report cyber attacks to the federal government, joining U.S. intelligence leaders who have also pressed Congressional lawmakers to require private industry to report security breaches and other threat information to the federal government.
Other federal government efforts are afoot. CISA recently partnered with Amazon, Microsoft and Google to launch the Joint Cyber Defense Collaborative (JCDC), a new agency that will initially focus on combating ransomware and cyber attacks on cloud-computing providers. And, last month, the federal government unveiled StopRansomware, an online hub for companies and municipalities to find resources and get assistance if they are targeted by cyber attacks.
The pain to organizations big and small addled or shut down by ransomware has skyrocketed over the past year. Ransomware groups demanded three times the payoff from their cyber attack victims in the first half of 2021 compared to the corresponding period in 2020, according to Coalition, a cybersecurity insurance provider, in a new analysis of 50,000 of its policyholders in North America. The company’s H1 2021 Cyber Insurance Claims Report found that the average ransom demand made to its policyholders during the period roughly tripled to $1.2 million per claim from $450,000 the year earlier.