Congress should not attempt to address the threat of ransomware by making ransom payments to cybercriminals illegal, a top FBI official told US lawmakers Tuesday.
Banning ransom payments could inadvertently create opportunities for further extortion by ransomware gangs, said Bryan Vorndran, assistant director of the FBI’s cyber division.
“If we ban ransom payments now, you’re putting US companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” Vorndran said at a Senate Judiciary Committee hearing on ransomware.
The debate over outlawing ransomware payments illustrates the broader challenge facing policymakers as they seek to clamp down on a crime that takes advantage of a victim’s financial incentives: It can often be more tempting to pay in hopes of resolving the problem quickly, cybersecurity experts say, compared to refusing to negotiate, having to restore data from backups and risking the release of sensitive information online.
While US officials have sought to discourage ransomware victims from paying, they have struggled to find effective ways to deter that behavior. The Treasury Department has made it a potential sanctions violation to send a ransomware payment to an entity under US sanction, but that restriction does not apply to non-sanctioned recipients.
The gasoline distributor Colonial Pipeline has said it researched intensively whether its $4.4 million payment to the criminal group DarkSide would run afoul of the Treasury warning — illustrating that companies motivated to pay will find a way to do so.
“It’s a really complicated conversation, but it’s our position that banning ransom payments is not the road to go down,” Vorndran added.
In April, the Institute for Security and Technology released a report by the Ransomware Task Force — which is composed of government officials, cybersecurity experts and businesses — that did not make a specific recommendation on whether to ban ransomware payments. It was the only issue not to receive a recommendation in the report.
“If we were to prohibit payments now, the ecosystem is simply not ready,” said Philip Reiner, CEO of the Institute for Security and Technology, at a House Energy and Commerce subcommittee hearing on ransomware last week.
In an interview with CNN on Tuesday, Transportation Security Administration Administrator David Pekoske said paying ransom should be a “business decision and a security decision with guidance from the government.”
TSA has unique authority over the surface transportation industry, which includes gas and hazardous liquid pipelines. In the wake of the cyber-attack on Colonial Pipeline, the agency issued two security directives forcing owners and operators of the most critical US pipelines to adhere to cybersecurity mitigation measures, but those directives did not include a ban on paying ransom, he said.
Pekoske urged companies to invest in cybersecurity upfront, rather than paying a ransom demand and “not getting anything in return.”
The Justice Department hopes Congress will step in by injecting some transparency into ransom trends. Businesses should have to disclose attacks to the US government that involve ransomware, critical infrastructure or “other high-impact breaches,” said Richard Downing, deputy assistant attorney general for DOJ’s criminal division.
“We think reports should be prompt and should include details of any ransom demand or payment,” Downing continued. And victims should be given legal protections for sharing the attack information with the government, he said.
DOJ’s call for mandatory reporting requirements mirrors legislation recently introduced by Sens. Mark Warner, Marco Rubio and Susan Collins that would impose a 24-hour cyber-reporting requirement on federal agencies, contractors and critical infrastructure operators.
Sen. Sheldon Whitehouse faulted industry lobbyists for helping to create the current ransomware crisis, citing the largely voluntary and self-regulatory approach surrounding cybersecurity that he said led to Colonial Pipeline’s compromise.
“Over and over again, groups like the US Chamber of Commerce have come in and said, ‘Don’t regulate us, we’re against all this cyber regulation. We don’t want any of this, make it all go away. We’re against this bill, we’re against that bill. We’re going to tell the [Senate Majority] Leader to block this legislation if it tries to go forward,’” said Whitehouse. “And so we now have a situation in which you have critical infrastructure companies fail at meeting basic standards of cyber hygiene and we’re okay with that, as a legal matter … We don’t have to regulate everybody in the world, but if you’re critical infrastructure, we should no longer tolerate this voluntary regime with big companies who know that their infrastructure is critical and who fail.”