WASHINGTON — The Biden administration is throwing its support behind Congressional legislation that would require companies to report major data breaches by hackers, including ransomware attacks that increasingly target critical infrastructure in the United States.
“The administration strongly supports congressional action to require victim companies to report grave abuse, including ransomware attacks,” Richard Downing, deputy assistant attorney general at the US Department of Justice, told members of the Senate Judiciary Committee on Tuesday.
“In particular, such legislation should require covered entities to notify the federal government of ransomware attacks, cyber incidents affecting critical infrastructure entities, and other abuses that present an increased risk to the government, the public, or third parties,” Downing said.
The announcement came as members of Congress introduced more than a dozen bills in response to the recent escalation in ransomware attacks, while the administration has taken a comprehensive, government-wide approach to responding to what it sees as public, economic and national security threats.
Dick Durbin, chair of the Judiciary Committee, emphasized that information sharing is critical between businesses and the government, and said there is “general bipartisan support” for Congressional action in response to the cybersecurity threat.
“And I hope it will lead – I think it will lead – to specific legislation to deal with this,” said Durbin, a Democrat.
Last week, a bipartisan group of senators introduced the Cyber Incident Notification Act of 2021, a bill that would require federal agencies and contractors, as well as critical infrastructure operators, to notify the government within 24 hours of a cyber breach that “poses a threat to national security.” To encourage information sharing, the bill gives limited immunity to companies that report a breach.
“We should not rely on voluntary reporting to protect our critical infrastructure,” Democratic Senator Mark Warner, the chairman of the Senate Intelligence Committee and one of the sponsors of the bill, said in a statement last week. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to its impact and stave off its impact.”
Republican sponsors of the bill include Senator Marco Rubio, the deputy chair of the Intelligence Committee, and Susan Collins, the ranking member.
Ransomware attacks have grown in number and severity over the past year and a half, after previously being viewed mainly as a financial crime. Testifying before the Senate Homeland Security and Governmental Affairs Committee, Homeland Security Secretary Alejandro Mayorkas said attacks have increased 300% over the past year. In this year alone, ransomware attacks have caused economic losses of $300 million, Mayorkas said.
In May, a ransomware attack on Colonial Pipeline, the operator of the country’s largest fuel pipeline, disrupted its operations for several days, leading to fuel shortages and panic buying. In June, meat processing company JBS USA said it had paid $11 million to cybercriminals after a ransomware attack disrupted its operations.
Legislative proposals such as the Warner bill seek to address what law enforcement officials have long seen as a major obstacle to their ability to respond to a ransomware attack: companies’ reluctance to notify law enforcement about cyber breaches.
Companies are not currently required to disclose when they have been attacked by ransomware criminals. For fear of losing operations or of harm to their reputation, most victims choose not to report. The FBI estimates that only about 25% to 30% of such incidents are reported, according to Bryan Vorndran, assistant director of the FBI’s Cyber Division.
The FBI has long encouraged victims of ransomware attacks to notify law enforcement, saying that sharing this information can help it better understand and respond to the threat. Now, it wants to make notification mandatory.
Vorndran testified, “Because so many ransomware incidents go unreported, and because silence benefits ransomware actors the most, we strongly believe that a federal standard is necessary for reporting some cyber incidents, including most ransomware incidents.”
“The scope and severity of this threat has reached a point where we can no longer rely on voluntary reporting alone to learn more about incidents,” Vorndran said.
In addition to ransomware attacks that exceed a threshold, Downing said, the Department of Justice wants mandatory notifications for two other types of breaches: supply chain attacks that could give outsiders access to critical U.S. government infrastructure and systems, and attacks that involve valuable trade secrets related to critical infrastructure.
“It is critical that entities are required to report any ransom requests, the date, time and amount of ransom payments, and the addresses to which payments were requested,” Downing said.
While supporting mandatory breach notifications, Downing and other officials have opposed calls to make ransom payments illegal. Jeremy Sheridan, assistant director of the US Secret Service, told lawmakers that banning ransom payments “would cloud any reporting to law enforcement authorities.”
Jeff Selden contributed to this report.