The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee — U.S. Sens. Gary Peters (D-MI) and Rob Portman (R-OH) — wrote to the Biden administration this week to urge efforts to counter mounting ransomware attacks on critical infrastructure.
In the senators’ views, the federal government has not done enough to support partners in both the public and private sectors as they navigate bad actors in the digital space. They concluded that more punishment is needed, and infrastructure companies need to be encouraged to assess their own risk and employ mitigation techniques. The longer that passes without action, the more problems could arise.
“As highlighted in recent weeks, a single ransomware attack against a vulnerable target can have widespread and devastating impacts for communities across the United States,” the senators wrote. “Criminal actors have infiltrated and held critical infrastructure companies hostage, disrupting essential elements of society ranging from our nation’s fuel distribution networks to food supply chains.”
The most prominent of these in recent days was an attack on the Colonial Pipeline that hamstrung gas flow throughout the southeast. The company halted all pipeline operations in response. The largest cyberattack on an oil-based target in the U.S. was believed to have been orchestrated by a hacker group known as DarkSide. A ransom was eventually paid for the stolen data, and the federal government only recently seized much of this money back.
However, other targets have included the New York City transportation system, meatpacking centers, and more. Some attacks have been linked to criminal enterprises.
Peters and Portman are presently drafting legislation on the issue. In their letter, they requested that Shalanda Young, acting director of the Office of Management and Budget, and Jake Sullivan, assistant to the President for National Security Affairs, provide input. Specifically, they sought information on strategies that federal agencies put into practice to combat ransomware attacks, any new authorities or revisions to existing authorities that would further empower such agencies to respond to and combat these attacks, and any suggestions for Congressional legislation and oversight plans on the issue.