Ransomware attacks in which hackers shut down computer systems and demand payment to undo the damage are growing more brazen.
Colonial Pipeline, a company that moves gasoline along the East Coast, paid $4.4 million to restart its systems after a hack caused gasoline shortages in the spring. In June, JBS, a meat processing company, paid $11 million after a ransomware attack forced it to stop slaughtering cows at 13 of its plants.
The attacks have also hit local governments. In 2019, cybercriminals shut down Baltimore computers. The city refused to pay the ransom but ended up shelling out $18 million to recover lost data and buttress its defenses. Even so, a separate attack in November caused the city to temporarily close its public schools.
The suspicion that Russia is involved with many of the attacks prompted President Joe Biden last month to warn Russian leader Vladimir Putin that the United States would retaliate if the attacks continue.
Rep. Jim Langevin, a Rhode Island Democrat who sits on the House Homeland Security Committee’s cybersecurity panel and two years ago co-chaired a congressional commission seeking collaboration between the public and private sectors in fighting the hackers, recently joined the CQ Future podcast to talk about what the U.S. can do. An edited transcript:
Q. How did President Biden do in his meeting with Vladimir Putin?
A. It was spot-on. I think he communicated a message just the way he wanted, to get across to Vladimir Putin and to Russia that we’re not going to stand for cyberattacks and intrusions against critical infrastructure. We’re not going to tolerate Russia looking the other way when there are cybercriminals active within its borders.
Q. Is Russia the biggest problem here and, if so, how much of it is cybercriminals and how much of it is the Russian government?
A. Well, obviously the big four in terms of the challenges we have are Russia, China, Iran and North Korea. Then, on top of that, you have cybercriminals and potentially also cyberterrorist organizations. It does get complicated when you’re talking about cybercriminal organizations or individuals that are acting with either the knowledge of or the direction of, say, the Russian government. That’s harder to prove. We may never know exactly. But if our intelligence shows that there are either individuals or criminal organizations operating within Russia, then we need to hold Russia accountable. If they are going to look the other way and allow these cybercriminal organizations to act with impunity, that’s unacceptable.
Q. We’ve had private companies hit as well as the federal government and local governments. Why are we so vulnerable?
A. We are the country that makes the most use of the internet. And the internet was never built with security in mind. We’ve been constantly trying to layer security on top of this open and free architecture, and it’s a challenge.
Q. Are the companies that have been hit negligent, or can they reasonably say criminals are after us and that’s the government’s job?
A. It can be a little bit of both. Some companies are taking cybersecurity more seriously than others. If a company isn’t doing everything possible to defend their networks, they might be negligent. But it could be those companies are acting with all due diligence and there’s just a lot of attack surface to defend.
Q. Every time one of these companies pays the ransom, it incentivizes more attacks. Doesn’t that argue for a government response?
A. Paying the ransom invites more ransomware attacks because if there’s money to be had you can be sure criminals are going to be going after it. The problem is that sometimes businesses have to make the decision about whether it’s cheaper to pay the ransom and get your network and your data back, or do you have to start from scratch and reconstitute your networks, which would take time and significant resources? I think we have to have that debate in Congress about whether or not to make payments illegal, but right now it’s a real tough question.
Q. In the Colonial Pipeline case, the FBI said that it had been able to recover about half of the money that had been paid in bitcoins. What did you make of that?
A. One of the first things that a company should do is reach out to the Cybersecurity and Infrastructure Security Agency, and to the FBI, and invite the government in to work with you, to try to track down the bad guys.
Q. Is the administration on the right course with how it’s helping?
A. I give high marks to the administration for the work that they’re doing on cybersecurity. They have clearly taken it much more seriously than the previous administration. They’ve created the deputy national security adviser for cyber. President Biden has appointed Chris Inglis the first-ever Senate-confirmed national cyber director.
Q. You co-chaired a commission two years ago that looked for public-private sector collaboration. Are there recommendations that need to be implemented?
A. So the Cyberspace Solarium Commission was created a couple of years back in the National Defense Authorization Act, and we were charged with creating a cybersecurity strategy for the country to better protect against cyberattacks of significant consequence. We issued our final 80 recommendations, and we turned those 80 recommendations into approximately 55 legislative proposals. And of those 55, we were able to get 27 bills added as an amendment to the National Defense Authorization Act last year. One of those was to create a Senate-confirmed national cyber director that’s going to be the quarterback for cyberdefense for the country and the primary liaison between government and the private sector.
Q. Is part of the solution here to attack those who attack us?
A. That’s certainly one of our findings of the cyberspace commission, that we want to shape behaviors. That means working with our international partners to create international norms or rules of the road in cyberspace, and then building resilience. So we want to protect ourselves better so that we limit damage if the bad guys do get in, but then we need to impose costs. We can use cybersecurity tools to respond to those that are attacking us, but we can also use all assets of national power to respond at a time and place of our choosing. Maybe it’s cyber. Maybe it’s sanctions. Maybe it’s law enforcement actions. Or if it really crosses a red line and loss of life is involved, we could respond with kinetic action.
Q. Have we not responded aggressively enough in the past?
A. It has been part of our toolkit. We have broad capabilities. Any country that can do something to us, we could probably do something tenfold worse to them. And by the way, we have friends. That’s one thing that Russia doesn’t have. We can act in concert with our partners and allies, and our response can be much more powerful.
Q. What’s your forecast? Is this going to get worse or will we get a handle on it?
A. It very well could get worse. And that’s what I am concerned about. That’s why I think it was so important that President Biden met with President Putin and really laid down the law. We don’t want to see this escalate so that a most sensitive area of critical infrastructure is hit at a more sensitive time — say, a natural gas pipeline in the dead of winter that could cause great damage to our economy and loss of life.