U.S. Sen. Gary Peters (D-MI), chairman of the Senate Homeland Security and Governmental Affairs Committee, concluded an investigation this week into cryptocurrencies’ role in cybercriminal activities with a new ransomware report.
In “Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns,” Peters highlighted a lack of federal comprehensive data on ransomware attacks and the use of cryptocurrency to pay them off. Instead, this data is fragmented across multiple federal agencies, limiting tools capable of warding off national security threats. The conclusion? This environment limits both private and federal abilities to help cybercrime victims.
“Cryptocurrencies – which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers – have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” Peters said. “My report shows that the federal government lacks the necessary information to deter and prevent these attacks and to hold foreign adversaries and cybercriminals accountable for perpetrating them. My bill that was recently signed into law to require critical infrastructure to report cyber-attacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches.”
In March, a provision based on Peters’ Cyber Incident Reporting Act was included in government funding legislation. That provision gives critical infrastructure owners and operators 72 hours to report a substantial cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA) and 24 hours to report ransomware payments. CISA was also empowered to subpoena those who fail to report these events and launch a program warning organizations of vulnerabilities criminals might exploit.
In this new report, Peters recommended that the Biden administration quickly implement the requirements of the March provision. He also pushed the federal government to standardize existing federal data on both ransomware incidents and ransom payments for greater analysis. At the same time, he urged Congress to create new public-private initiatives to investigate the ransomware economy and encourage information sharing about attacks.