Democratic Sen. Sheldon Whitehouse of Rhode Island is furious with the federal government’s management of critical infrastructure cybersecurity and blasted the Biden administration’s touted accomplishments on Tuesday.
At a Senate Judiciary Committee hearing, Mr. Whitehouse said the ransomware attack against Colonial Pipeline in May revealed that the government’s security standards for private companies aren’t tough enough.
“A bunch of people in a basement someplace are able to take down Colonial Pipeline, a significant piece of Colonial infrastructure, with a ransomware attack,” Mr. Whitehouse said. “That’s not a success story, that’s a failure story. That’s [indicating] something is wrong in the way we’re doing business right now.”
He characterized the problem this way: “You can be critical infrastructure in this country, providing essential services to our economy and national security, and not have to meet any real standards.”
Biden administration officials promoted their work against ransomware to the committee, with Deputy Assistant Attorney General Richard Downing citing a list of the administration’s purported accomplishments. His list included the federal government’s work to recover much of the ransom payment made by Colonial Pipeline, a major fuel supplier, to cyberattackers holding the company’s systems hostage in an extortion scheme.
The pipeline company temporarily halted its flow of fuel in May amid the cyber assault that led to shortages and gas lines along the East Coast. The Biden administration portrayed its response in recovering the company’s funds from the criminals as a success story, but Mr. Whitehouse made clear he thought the federal government had failed miserably.
Mr. Whitehouse also said the government has known for years about the threat of ransomware attacks targeting critical infrastructure, and has spent billions of dollars through the Department of Homeland Security to little avail.
While Mr. Whitehouse trained much of his ire on the Department of Homeland Security, he also lamented Congress’ role in failing to set standards for critical infrastructure entities’ cybersecurity. And he blamed “groups like the U.S. Chamber of Commerce” for successfully obstructing previous cybersecurity regulatory efforts by lawmakers.
Christopher Roberti, a senior vice president at the U.S. Chamber of Commerce, challenged Mr. Whitehouse’s criticism in a statement, saying his group worked with the government and business communities on legislation to diminish ransomware’s damage.
“Many sectors are already heavily regulated regarding cybersecurity, including incident reporting, and additional strict government mandates are not the solution,” said Mr. Roberti in a statement. “We will continue to work with willing parties to advance productive ideas to strengthen critical infrastructure without defaulting to counterproductive approaches that don’t keep up with the rapidly evolving threats facing the private sector today.”
Prior to Mr. Whitehouse’s rebuke, Mr. Downing also cited the government’s work to disrupt ransomware gangs in recent months. He said the administration was not “resting on these laurels,” pointing to the Justice Department’s creation of a new ransomware task force.
Administration officials and Democrats in Congress are studying numerous avenues for new regulation in cyberspace, including targeting the cyber insurance industry that has helped to facilitate negotiations between ransomware attackers and their victims.
Ransomware involves cyberattacks holding data and systems hostage until victims pay up. The federal government’s public position is that victims should not pay, and that doing so only encourages more attacks.
Companies, organizations, and other victims often have cyber insurance that helps them overcome the financial pain inflicted by ransomware attackers. According to cybersecurity professionals, the cyber insurance industry has helped direct victims to technologically savvy negotiators that understand how to persuade the attackers to release the data held hostage or lower the cost of doing so.
At the committee meeting, Sen. Dick Durbin, Illinois Democrat, noted that some countries have previously banned kidnap and ransom insurance for non-cyber crimes. He questioned administration officials about whether a similar ban in cyberspace would have value.
Bryan Vorndran, assistant director in the FBI’s cyber division, said various federal government agencies were reviewing the cyber insurance industry, and he encouraged federal lawmakers to do so, too.
“From our perspective, dealing with targeted entities or victims, when we talk with them, the insurance availability is a big piece of their decision calculus about whether they do or don’t pay,” Mr. Vorndran told the committee. “Within the interagency, there’s ongoing conversations about the value, or lack thereof, [in] insurance and I think it’s probably a conversation that should be had within this committee as well.”
In recent days, several senators have pushed new proposals aimed at increasing the flow of information between the federal government and the private-sector entities responsible for critical infrastructure.
First, a bipartisan group of 15 senators introduced the “Cyber Incident Notification Act of 2021” last week to force federal agencies, government contractors, and critical infrastructure entities to disclose breaches of their cyber defenses.
A bipartisan group of four senators also announced they were pushing a bill to put the Cybersecurity and Infrastructure Security Agency (CISA) in charge of identifying and responding to threats against industrial control systems. The proposal seeks to make the agency share information about threats with the private sector and to brief lawmakers about the agency’s ability to respond.