Members of the Senate’s bipartisan cybersecurity caucus received a classified briefing Dec. 4 on the ransomware threat and how Congress can help businesses, states and local governments mitigate it.
Senators heard from Chris Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — an agency tasked with protecting the nation’s critical infrastructure from cyberattacks. Senators who attended said the briefing was productive.
“Today’s classified briefing was a helpful conversation to aid us in grappling with the complexities of the threats we face and what we can do to address them,” said Sen. Maggie Hassan, D-N.H., who recently joined the caucus, in a statement.
Sen. Angus King, I-Maine, said that senators learned the ransomware was “widespread and increasing." He also said that they learned that companies and state and local governments “have to take active measures” to protect themselves.
But the outstanding question is what exactly the federal government can do to help states and companies recover from ransomware attacks.
“The federal government can’t provide support for every institution in America that’s subject to ransomware," said King, speaking to Fifth Domain just off the Senate floor. "They’ve got to protect themselves. We can provide guidance, a template, information ... and I think that’s the direction that we’ll be moving in.”
Information sharing is a common refrain in cybersecurity, and one that CISA relies heavily on to help its state and local partners secure their election infrastructure. But over the last year ransomware attacks have increased significantly, closing schools and hospitals across the country.
“Our small businesses, in particular, are being impacted by this and you’ll see a large percentage of those that get hit by it oftentimes don’t survive it and end up going out of business,” Sen. Gary Peters, D-Mich., told reporters.
CISA is working extensively to help support state governments during the presidential election next year. Krebs had said continuously the last few months that one of his biggest concerns is a ransomware attack on a voter registration database.
Peters, the ranking member on the Senate Homeland Security Committee and cybersecurity caucus member, didn’t attend the briefing, but said that his committee should hold a public hearing on ransomware.
“It definitely has to be addressed,” Peters said, who added that public hearings would be used to figure out the scope of the problem and what possible solutions there are that the Senate could help provide.
King is also a member of the Cyberspace Solarium Commission, which is working on recommendations for a national strategy on cyberspace. He said that the commission will make recommendations regarding guidance, but said the commission hasn’t decided what support looks like for the states. The threat, however, has captured the attention of the Senate. Recently, the Louisiana state government was the victim of a ransomware attack.
“The continued prevalence of ransomware should really capture our attention. It’s costly, devastatingly high-impact, growing and, in most cases, easily preventable with basic responsible cybersecurity practices," said Sen. Cory Gardner, R-Colo., and Sen. Mark Warner, D-Va., in a joint statement.
There are several cybersecurity bills floating around Capitol Hill, including a bill Hassan introduced with Gardner and Warner to establish minimum security requirements for internet of things devices bought by the federal government.
“As individuals continue to become more dependent on technology and software, we need to make sure that we adequately understand the foreign and domestic cyberthreats facing our nation, and that we’re ready to confront these evolving threats with innovative, commonsense solutions," said Sen. Mark Warner, D-Va., in a statement.