[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
A WHOLE-OF-GOVERNMENT APPROACH TO COMBATTING RANSOMWARE: EXAMINING
DHS'S ROLE
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON
INTELLIGENCE AND COUNTERTERRORISM
AND THE
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 17, 2021
__________
Serial No. 117-38
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
47-150 PDF WASHINGTON : 2022
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas           John Katko, New York
James R. Langevin, Rhode Island     Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey    Clay Higgins, Louisiana
J. Luis Correa, California          Michael Guest, Mississippi
Elissa Slotkin, Michigan            Dan Bishop, North Carolina
Emanuel Cleaver, Missouri           Jefferson Van Drew, New Jersey
Al Green, Texas                     Ralph Norman, South Carolina
Yvette D. Clarke, New York          Mariannette Miller-Meeks, Iowa
Eric Swalwell, California           Diana Harshbarger, Tennessee
Dina Titus, Nevada                  Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey   Carlos A. Gimenez, Florida
Kathleen M. Rice, New York          Jake LaTurner, Kansas
Val Butler Demings, Florida         Peter Meijer, Michigan
Nanette Diaz Barragan, California   Kat Cammack, Florida
Josh Gottheimer, New Jersey         August Pfluger, Texas
Elaine G. Luria, Virginia           Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
------
SUBCOMMITTEE ON INTELLIGENCE AND COUNTERTERRORISM
Elissa Slotkin, Michigan, Chairwoman
Sheila Jackson Lee, Texas                      August Pfluger, Texas, Ranking Member
James R. Langevin, Rhode Island                Michael Guest, Mississippi
Eric Swalwell, California                      Jefferson Van Drew, New Jersey
Josh Gottheimer, New Jersey                    Jake LaTurner, Kansas
Tom Malinowski, New Jersey                     Peter Meijer, Michigan
Bennie G. Thompson, Mississippi (ex officio)   John Katko, New York (ex officio)
Brittany Carr, Subcommittee Staff Director
Adrienne Spero, Minority Subcommittee Staff Director
Joy Zieh, Subcommittee Clerk
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas                      Andrew R. Garbarino, New York, Ranking Member
James R. Langevin, Rhode Island                Ralph Norman, South Carolina
Elissa Slotkin, Michigan                       Diana Harshbarger, Tennessee
Kathleen M. Rice, New York                     Andrew Clyde, Georgia
Ritchie Torres, New York                       Jake LaTurner, Kansas
Bennie G. Thompson, Mississippi (ex officio)   John Katko, New York (ex officio)
Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Mariah Harding, Subcommittee Clerk
C O N T E N T S
----------
Statements
The Honorable Elissa Slotkin, a Representative in Congress From
the State of Michigan, and Chairwoman, Subcommittee on
Intelligence and Counterterrorism:
Oral Statement
Prepared Statement
The Honorable August Pfluger, a Representative in Congress From
the State of Texas, and Ranking Member, Subcommittee on
Intelligence and Counterterrorism:
Oral Statement
Prepared Statement
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Chairwoman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Oral Statement
Prepared Statement
Witnesses
Mr. Robert Silvers, Under Secretary, Office of Strategy, Policy,
and Plans, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
Mr. Brandon Wales, Executive Director, Cybersecurity and
Infrastructure Security Agency, U.S. Department of Homeland
Security:
Oral Statement
Joint Prepared Statement
Mr. Jeremy Sheridan, Assistant Director of Investigations, U.S.
Secret Service, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
For the Record
The Honorable Ritchie Torres, a Representative in Congress From
the State of New York:
Security Scorecard--Using Machine Learning to Assess Ransomware
Risk
A WHOLE-OF-GOVERNMENT APPROACH TO COMBATTING RANSOMWARE: EXAMINING
DHS'S ROLE
----------
Wednesday, November 17, 2021
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence and Counterterrorism, and the
Subcommittee on Cybersecurity, Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittees met, pursuant to notice, at 10 a.m., at
310 Cannon House Office Building, Hon. Elissa Slotkin
[Chairwoman of the Subcommittee on Intelligence and
Counterterrorism] presiding.
Present from the Subcommittee on Intelligence and
Counterterrorism: Representatives Slotkin, Jackson Lee,
Langevin, Torres, Malinowski, Pfluger, Guest, Van Drew,
LaTurner, and Meijer.
Present from the Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation: Representatives
Clarke, Slotkin, Jackson Lee, Langevin, Torres, Garbarino, and
LaTurner.
Also present: Representatives Thompson, and Katko.
Chairwoman Slotkin. Good morning, everyone. The
Subcommittee on Counterterrorism and on Cybersecurity,
Infrastructure, Protection, and Innovation will be in order.
Subcommittees are meeting today on ``A Whole-of-Government
Approach to Combatting Ransomware: Examining DHS's Role.''
Without objection, the Chair is authorized to declare the
subcommittees in recess at any point. This morning, I would
like to thank our witnesses from the Department of Homeland
Security for joining us today to discuss DHS's role in our
efforts to combat ransomware. I also want to recognize
Chairwoman Clarke, Ranking Members Pfluger and Garbarino, as
well as Chairman Thompson and Ranking Member Katko, who I
believe are on or coming on.
In the spirit of getting to the meat of the conversation, I
am going to encourage my fellow Members of Congress to shorten
their opening statements so that we can get right to it. I
appreciate your flexibility for our witnesses on knowing that
we have many, many hearings going on right now. Many folks
including Chairwoman Clarke in and out of an important mark-up.
So, we appreciate your understanding.
I will just say that I think ransomware is one of those
rare National security issues where you can have high-level
policy debate in Washington that directly connects to the
tangible impacts on people's lives back home in places like
Michigan and in Texas. We know that ransomware attacks have
exploded in the United States and during a year-and-a-half
where we have been more dependent than ever on digital
technology, it has really hit home for certainly most of the
citizens that I represent.
These attacks are overwhelmingly carried out by foreign
groups. So, that means our constituents are victims of foreign
attack. Ordinarily, it would not be average Americans who are,
you know, receiving a foreign attack. It would be soldiers and
tanks and planes who signed up to be on the front lines, not
the average citizen. Colonial Pipeline and JBS Foods were
certainly attacks that hit home very deeply. I would just note
that our schools, our K through 12 schools, are the places
where I have been hearing constant concern from our
superintendents because they have been particularly hard-hit. I
think we have 43 school districts in Michigan that have been
hit by ransomware attacks. Obviously, deeply disruptive on top
of a very disruptive year.
We know that Michigan State University, I represent, our
universities have been paying ransoms to get back the data of
the personal information affecting over 9,000 students. So, it
is not going away anytime soon. We know that it is extremely
profitable and we know that Secretary Mayorkas and Director
Wray and countless others have made this a National security
priority.
I think what is important to us and important to expose for
the American people is what are we doing about it? Please help
our citizens understand and help the committee understand what
DHS is doing to fight back with our citizens on the front
lines. I am pleased that we are strengthening what we are doing
against ransomware. I am glad that it is bipartisan. That is an
extremely important thing. We know that DHS is a key Federal
player in this whole conversation, particularly given your
specific role of engaging with State and locals down in our
States.
People want to know where they go when they call 9-1-1,
when they have got a ransomware attack. It is happening in
their school. It is happening in their business. It is
happening to their local government. Who do they call and how
do they take care of it?
[The statement of Chairwoman Slotkin follows:]
Statement of Chairwoman Elissa Slotkin
November 17, 2021
The threat of ransomware attacks is one of those rare National
security issues where the high-level policy debate here in DC very
directly connects to the tangible impact it's having on families back
home in our districts, every day. Ransomware attacks against the United
States have exploded in number and cost over the last few years,
especially during the COVID-19 pandemic.
During a year when we've been more reliant on digital technology
than ever, ransomware has disrupted half the fuel supply for the East
Coast, and the world's largest meat processor--in addition to countless
attacks on our hospitals, schools, police departments, and businesses.
These attacks are overwhelmingly carried out by foreign groups, but
their victims are our constituents. Ordinary Americans, not soldiers in
tanks and planes, are on the front lines of this threat.
After the attacks on the Colonial Pipeline and JBS Foods, I'd find
myself in rural communities in my district, talking about agriculture
or education--and everyone from farmers to school superintendents would
come up and ask me about what we were doing to protect them from this
onslaught of attacks.
We're seeing the impact of ransomware all over Michigan. During the
peak of the pandemic last fall, a Nation-wide attack affected hospitals
in St. Johns and Auburn Hills. And our schools have been hit
particularly hard. Our State's leading insurer of K-12 schools told me
that they've worked with 43 Michigan school districts that have been
hit by ransomware attacks, just since the start of 2019, and paid out
millions of dollars in claims.
Earlier this month, K-12 superintendents from across Michigan told
me that the ransomware risks they face have become so severe that,
according to insurers, their schools may be uninsurable by the end of
this school year. These attacks can be incredibly disruptive for
schools: Last summer, a ransomware attack on a single department at
Michigan State University, which I represent, cost the university over
a million dollars to recover from. The attack knocked labs and networks
off-line for months and caused the loss of over a year's worth of
research data--forcing some researchers to start over from scratch. And
when MSU refused to pay a $6 million ransom, the attackers leaked
personal information affecting over 9,000 students.
I know all my colleagues on this committee have heard similar
stories from their communities.
The ransomware threat isn't going away anytime soon. Over the last
5 years, we've seen the illicit infrastructure that enables ransomware
attacks metastasize, and evolve into a new business model--``ransomware
as a service.'' Under this new model, which enabled the attack on
Michigan State University, criminals no longer need the technical
skills to build ransomware themselves--they just agree to pay the
ransomware developer a licensing fee, or a cut of the ransom.
As a result, ransomware has become an incredibly profitable
business for international cyber criminals: Between 2017 and 2020, we
saw ransom payments increase from around $37 million annually, to over
$406 million per year. Taxpayers and business owners, including the
Michiganders I represent, end up paying those bills. As Secretary
Mayorkas, Director Wray, and countless others have made clear,
ransomware is a direct threat to our National security.
I was pleased to see the President lay down a marker with Vladimir
Putin, in June: That we hold Russia responsible for stopping ransomware
attacks coming out of its territory--regardless of who's conducting
them--against the 16 U.S. critical infrastructure sectors. I'm also
pleased that the Federal Government is taking aggressive steps to
combat these attacks and bring cyber criminals to justice. The
administration has required stronger cybersecurity across Federal
agencies and vendors; given ransomware investigations similar priority
to terrorism investigations; and engaged more than 30 countries to
combat international cyber crime. And earlier this year, President
Biden appointed the first National cyber director, to quarterback the
Federal response.
These efforts to go after attackers are starting to pay off: Just
last week, the Department of Justice announced the indictment and
arrest of a Ukrainian national charged with deploying ransomware to
attack U.S. businesses and Government entities--as well as the recovery
of over $6 million worth of ransom money. I'm also pleased that taking
on the ransomware threat and strengthening our cybersecurity is still a
largely bipartisan cause. On Monday, I was proud to join President
Biden as he signed the bipartisan infrastructure bill into law--
including a billion dollars in cybersecurity preparedness grants for
State, local, Tribal, and territorial governments.
I want to recognize my committee partner, Chairwoman Clarke, for
leading that provision--and I thank her for working with me to include
language that will help innovative local cybersecurity partnerships,
like the ones we have in Michigan, benefit from this transformative
investment. For its part, the Department of Homeland Security has been
a key player in Federal cybersecurity efforts and is at the center of
the country's counter-ransomware efforts. We are fortunate to have
witnesses before us today who can speak to DHS's contribution to this
whole-of-Government fight against ransomware.
I'm particularly interested in hearing about how the threat
landscape has evolved--as well as how DHS is using its technical
expertise, law enforcement and intelligence capabilities, and its
industry and international partnerships, to take on this threat. I also
look forward to discussing how DHS can help ensure that our local
communities can access the resources they need, as quickly and easily
as possible.
This year has made clear that cybersecurity isn't just a tech
issue--it's at the heart of protecting our daily lives. I look forward
to today's discussion on how DHS is leading that effort.
Chairwoman Slotkin. With that, I will recognize my partner
on the Intelligence and Counterterrorism Subcommittee, the
gentleman from Texas, Representative Pfluger, please, for an
opening statement.
Mr. Pfluger. Thank you, Chairwoman Slotkin and Chairwoman
Clarke, and also my Ranking Member colleague Garbarino for
holding this subcommittee hearing today, which I agree with
everything that was said that this is such an important time in
this country to identify the issues, to come up with solutions,
and to move forward. I would like to thank our witnesses for
joining us today as well. This impacts every place in America,
including my constituents who have recently been victims of
these types of attacks. The United States right now, I think,
faces an overwhelming threat from cyber crime, especially
ransomware. The attacks we have witnessed over the past year on
the country's critical infrastructure put the livelihood,
privacy, and our way of life, the way of life of everyday
Americans at risk.
The criminals behind these attacks are emboldened not only
by the large sums that they command for the ransoms, but also
the relative anonymity that they are able to maintain. Groups
like Hafnium, Nobelium, REvil. Those groups launched their
attacks from safe havens in Russia and China. They operate
because of the blind eye and even encouragement that these
countries offer.
I was glad to see the Department of Justice's recent
indictment of two foreign nationals charged with deploying
REvil ransomware to attack businesses and Government entities
in the United States. I look forward to hearing about the role
that DHS played in that investigation as well. Arrests like
these should serve as a warning to every cyber criminal that
the United States will bring them to justice no matter where
they are located.
I, like my colleagues on this committee, am keenly
interested in the preventative measures that American private
and public sectors should be taking to mitigate these nefarious
efforts of cyber criminals. From local school systems to
pipelines that supply vital energy to our country. Across the
country, these criminals have highlighted that everyone using
modern technology is at risk. We must all take measures to
safeguard ourselves and our businesses. However, when these
measures fail, it is up to members of our law enforcement and
our legal communities to pursue and prosecute those
responsible.
When a cyber attack occurs, every minute counts. Time is of
the essence and criminal investigators, network security
experts, must work hand-in-glove to understand the technologies
these criminals are using as well as the specific
vulnerabilities they are exploiting. As demonstrated by the
panel before us, DHS has several components dedicated to
combatting cyber crime. I am looking forward to hearing about
the many ways that these components and offices work within the
Department, as well as with other agencies to combat this
threat.
DHS is doing an incredible job and I commend them for their
continued efforts. However, cyber criminals continue growing
and evolving and we must do the same to fully protect our own
cyber networks. It is important for us to understand how law
enforcement entities within DHS and across the spectrum of the
Federal Government are working cohesively and how that
cooperative relationship works with the private entities and
how they cultivate these relationships to continue to ensure
that America's privacy is prioritized. This is a new frontier
in law enforcement, but I am inspired by the work that is
already being done.
I am also looking forward to hearing what our witnesses
forecast as the future threat. We all understand that at
present, the eminent actor is Russia, with China also playing a
role. Within the Intel and Counterterrorism Subcommittee, it is
important that we anticipate the upcoming risk. The only way
that we can properly equip ourselves with protection and
mitigation is to understand the threat that is coming. To do
that, we need to know what the cyber landscape will look like
now, but also in 3 months, 6 months, and years from now.
Madam Chair, thank you again for holding this hearing. I am
sincerely looking forward to hearing what the witnesses have to
say and the direction that we need to go and what role we can
play in Congress to support your efforts and to keep America
more secure. With that, I yield back.
[The statement of Ranking Member Pfluger follows:]
Statement of Ranking Member August Pfluger
Thank you, Madams Chairwoman Slotkin and Chairwoman Clarke, for
holding this important joint subcommittee hearing today, and thank you
to our witnesses for joining us to discuss an issue that impacts my
constituents as well as those in every other Congressional district.
The United States faces an overwhelming threat from cyber crime,
especially ransomware. The attacks we have witnessed over the past year
on the country's critical infrastructure put the livelihood, privacy,
and way of life of everyday Americans at risk.
The criminals behind these attacks are emboldened not only by the
large sums they command for their ransoms, but also by the relative
anonymity they are able to maintain. Groups like Hafnium, Nobelium, and
REvil launch their attacks from safe havens in Russia and China. They
operate because of the blind eye and even encouragement these countries
offer. I was glad to see the Department of Justice's recent indictment
of two foreign nationals charged with deploying REvil ransomware to
attack businesses and Government entities in the United States and I
look forward to hearing about the role that DHS played in that
investigation. Arrests like these should serve as a warning to every
cyber criminal that the United States will bring them to justice no
matter where they are located.
I, like my colleagues on this committee, am keenly interested in
the preventative measures the American private and public sectors
should be taking to mitigate the nefarious efforts of cyber criminals.
From local school systems to pipelines supplying vital energy resources
across the country, these criminals have highlighted that everyone
using modern technology is at risk and we all must take measures to
safeguard ourselves. However, when these measures fail, it is up to
members of our law enforcement and legal communities to pursue and
prosecute those responsible.
When a cyber attack occurs, every minute counts. Criminal
investigators and network security experts must work hand-in-glove to
understand the technologies these criminals are using, as well as the
specific vulnerabilities they are exploiting.
As demonstrated by the panel before us, DHS has several components
dedicated to combatting cyber crime. I am looking forward to hearing
about the many ways that these components and offices work within the
department, as well as with other agencies, to combat this threat. DHS
is doing an incredible job and I commend them for their continued
efforts. However, cyber criminals continue growing and evolving, and we
must do the same to fully protect our cyber networks. It is important
for us to understand how law enforcement entities within DHS and across
the Federal Government are working cohesively, how the cooperative
relationship between the Government and private entities is being
cultivated, and how Americans' privacy is prioritized. This is a new
frontier in law enforcement, but I am inspired by the work that is
already being done.
I am also looking forward to hearing what our witnesses forecast as
the future threat. We all understand that at present the imminent actor
is Russia, with China also playing a role. Within the Intel and
Counterterrorism subcommittee it is important that we also anticipate
the upcoming risk. The only way we can be properly equipped with
protection and mitigation measures is if we understand the threat
coming. To do that we need to know what the cyber landscape will look
like in 3 months, 9 months, and even years from now.
Madam Chairwoman, thank you again for holding this hearing. I am
sincerely looking forward to hearing the witnesses' testimonies today,
discussing what we are doing and what can be done better, and ensuring
that we have an effective, whole-of-Government plan in place to combat
the threat of ransomware.
Chairwoman Slotkin. Thank you, Mr. Pfluger. The Chair now
recognizes the Chairwoman of the Cybersecurity, Infrastructure
Protection, and Innovation Subcommittee, the gentlewoman from
New York, Ms. Clarke, for an opening statement.
Chairwoman Clarke. Good morning, everyone. I want to thank
Chairwoman Slotkin, Ranking Members Pfluger and Garbarino for
collaborating on this important timely hearing. I would like to
thank the panel of witnesses for joining us today. Earlier this
year, as Chair of our first hearing of this Congress on the
ransomware epidemic because I recognize what a serious
challenge it poses to our National security. At that hearing,
we heard from members of the Ransomware Task Force, the
president of the National Association of State Chief
Information Officers, and former CISA Director Chris Krebs
about what actions the Federal Government must take to address
this cybersecurity crisis.
Just 2 days later, Colonial Pipeline reported it was
shutting down 500--excuse me--5,500 miles of pipeline as a
precaution after being hit by a ransomware attack. Reports
about ransomware attacks had been simmering for years, but they
reached a boiling point overnight as gas shortages--excuse me.
Madam Chair, I got a little--I am having a little technical
difficulties here.
Chairwoman Slotkin. No problem. Madam Chair, we can hear
you, but would you like us to circle back with you?
Chairwoman Clarke. That would work a bit better.
Chairwoman Slotkin. Of course.
Chairwoman Clarke. I am sorry about that happening.
Chairwoman Slotkin. Of course, no problem. No problem.
Welcome to the modern era here. The Chair now recognizes the
Ranking Member on the CIPI subcommittee, Mr. Garbarino, for an
opening statement.
Mr. Garbarino. Thank you, Chairwoman Slotkin and Chairwoman
Clarke for holding this important hearing, and my good friend
and colleague from Texas Mr. Pfluger. I appreciate the
witnesses being here today to discuss the administration's
holistic efforts to combat ransomware. Over the past several
years, ransomware attacks have increased at an alarming rate.
This year alone, we have witnessed the impact of
devastating attacks on Colonial Pipeline, JBS Meats, and yet
another school district on Long Island where I am from. Earlier
this year, both the Bay Shore and Lindenhurst School Districts
in my district were hit by cyber attacks. It was recently
reported that Manhasset School District on Long Island also
experienced an attack in September. If the past year has taught
us nothing else, it is that no entity is too small or too big
to experience a ransomware attack. We all must stay vigilant to
protect ourselves and our country.
This summer, I was pleased to host a ransomware roundtable
in my district with local schools, hospitals, small businesses,
and government. CISA's Region 2 team explained how CISA can
help mitigate these attacks. CISA's regional teams are the
agency's secret weapon to fight this. CISA has the tools and
capability necessary to bolster any entity's cyber defenses
free of charge.
I am committed to continuing to work with the entities in
New York's 2d District and across the country to improve their
cybersecurity posture in the wake of increasing threats. We
must ensure DHS, particularly CISA, has the resources and
capabilities to help entities to do just that.
It is also vital that the Secret Service has the
authorities and resources to investigate ransomware attacks and
illicit financing operations. The Secret Service's National
Computer Forensics Institute provides cyber crime investigative
training to State and local law enforcement, prosecutors, and
judges. I look forward to hearing from the Secret Service how
we can continue to leverage this critical training to bolster
our defenses at the State and local level.
Ransomware attacks have devastating real-world consequences
for Americans. Every minute that a hospital goes down is a
minute of missed critical care. This life-threatening risk
poses similar concerns for almost every industry. We need to
double down in ensuring State and local entities and small
businesses--we need to double down in ensuring that State and
local entities and small businesses adopt basic cybersecurity
best practices to mitigate cyber risks. These practices can
include two-factor authentication, strong passwords, retaining
backups, developing a response plan, and updating software.
I am a proud original cosponsor of the Chairwoman's State
and Local Cybersecurity Improvement Act, which would establish
a grant program for State and local entities to improve their
cyber posture. While we know resources for our State and local
governments are necessary to reduce the threat of cyber
attacks, we must ensure these funds are spent responsibly and
have a meaningful impact on risk reduction. CISA plays a vital
role here. This important bill is a tremendous step forward in
our fight, but we can't stop there. We must adopt an all-of-
the-above approach to dealing with this challenge. There is no
single silver bullet.
I look forward to hearing from our witnesses today about
the innovative solutions Congress could consider as we work to
degrade and ultimately eliminate the viability of ransomware.
Last, I want to thank Brandon Wales for his leadership as
acting director of CISA for nearly 8 extremely turbulent
months. Mr. Wales, your work at the helm of this agency was a
tremendous benefit to our Nation. Thank you. Thank you again to
both Chairs for bringing this important issue to hearing today.
[The statement of Ranking Member Garbarino follows:]
Statement of Ranking Member Andrew Garbarino
Thank you, Chairwoman Clarke, and Chairwoman Slotkin for holding
this important hearing today. I appreciate our witnesses being here to
discuss the Department of Homeland Security's holistic effort to combat
ransomware. Over the past several years ransomware attacks have
increased at an alarming rate. This year alone we have witnessed the
impact of a devastating ransomware attack on Colonial Pipeline, which
led to gas shortages on the East Coast, attacks on JBS Meats, and
software firm Kaseya. Imagine a similar attack on a major U.S. port,
airline, or shipping company as the holidays approach.
If the past year has taught us nothing else, it's that no one is
too small, no one is too big, we all must play a part in protecting
ourselves from these attacks. Earlier this year both the Bay Shore and
Lindenhurst school districts on Long Island were hit with cyber
attacks. In August, I was pleased to host a roundtable discussion in my
district with local businesses, government, and CISA's Region 2 team.
CISA's regional teams are the agency's secret weapon in this fight. At
my roundtable the local cybersecurity advisor and regional director
explained the tools and capabilities CISA can provide to entities to
bolster their capabilities, free of charge. Ranking Member Katko and I
have been strongly advocating that fellow Members conduct similar
roundtables and get the word out about these essential resources.
I am determined to work with hospitals, schools, and small
businesses in New York's 2d district and across the country to improve
their cybersecurity posture in the wake of increasing threats.
We must ensure the Department of Homeland Security, particularly
CISA, has the resources and capabilities to detect, prevent, and
mitigate ransomware attacks. It's also vital that the Secret Service
has the capabilities to investigate ransomware attacks, as well as the
illicit financing operations behind them. Secret Service also runs the
National Computer Forensics Institute--NCFI. Located in Hoover, Alabama,
the NCFI provides training to State, local law enforcement,
prosecutors, and judges with cyber crime investigative methods, and
tools to take the fight to the criminals. The cybersecurity
subcommittee has a long track record of supporting the NCFI, including
leading the authorization in 2017. I look forward to continuing to work
with my colleagues on this moving forward.
We also must think of new innovative ways to interrupt cyber
criminals' ability to see this as a financially viable way of doing
business.
It should come as a surprise to no one in this hearing that these
ransomware attacks have devastating real-world consequences for
Americans. Every minute that a hospital goes down is a minute of missed
critical care. The same goes for almost every industry.
We must work to put a stop to this.
We need to double down on ensuring State and local entities and
small businesses are prepared and adopt basic cybersecurity best
practices to mitigate cyber risks. These practices can include two-
factor authentication, strong passwords, retaining back-ups, developing
a response plan, and updating software.
I am a proud original cosponsor of the Chairwoman's State and Local
Cybersecurity Improvement Act. While we all can agree more resources
for our State and local governments are necessary, we also must ensure
these funds are spent responsibly and have a meaningful impact on risk
reduction. CISA plays a vital role here. This important bill is a
tremendous step forward in our fight, but we can't stop there. I am
pleased that this was included in the recently-passed bipartisan
infrastructure bill.
We must adopt an ``all of the above'' approach to dealing with this
scourge. There is no single silver bullet.
I look forward to hearing from our witnesses today about the
innovative solutions Congress should consider as we work to degrade,
and ultimately eliminate the viability of ransomware. Thank you, Madam
Chair, for bringing this important issue before us today.
Chairwoman Slotkin. Thanks. I believe we all second that.
Madam Chairwoman, are we ready to go? Can I yield back to you?
Chairwoman Clarke. We are ready to go.
Chairwoman Slotkin. OK.
Chairwoman Clarke. We are ready to go, Madam Chair. As I
was stating, I held our first hearing of this Congress on
the ransomware epidemic because I recognize what a serious
challenge it poses to our National security. At that hearing,
we heard from members of the Ransomware Task Force, the
president of the National Association of State Chief
Information Officers, and former CISA Director Chris Krebs
about what actions the Federal Government must take to address
this cybersecurity crisis.
Just 2 days later, Colonial Pipeline reported it was
shutting down 5,500 miles of pipeline as a precaution after
being hit by a ransomware attack. Reports about ransomware
attacks had been simmering for years but they reached a boiling
point overnight as gas shortages occurred across much of the
east coast. As spring wore on, we learned about ransomware
attacks against JBS Foods, Kaseya, Brenntag, and others.
Fortunately, President Biden has made combatting ransomware
a top priority since taking office. At DHS, Secretary Mayorkas
announced that ransomware would be the first of the
Department's 60-day cybersecurity sprints. CISA has continued
to lead the way in raising awareness about how to protect
against ransomware, including by supporting stopransomware.gov
[https://www.cisa.gov/stopransomware], a website with resources
for businesses and individuals with steps they can take to
reduce their risk. But these actions are not limited to DHS.
President Biden has committed to a whole-of-Government approach
that includes the Departments of State, Commerce, Justice, and
Treasury and the intelligence community. The issue of
ransomware has been a topic at high-level international
meetings both with our allies and with our adversaries,
including Russia.
I look forward to hearing from our witnesses today about
how DHS is leveraging the authorities and capabilities of its
components to contribute to the administration's broader
ransomware efforts. I am also pleased that Congress is stepping
up to provide the authorities and resources necessary to combat
ransomware. In particular, the Infrastructure Investment and
Jobs Act signed into law by President Biden on Monday, includes
my legislation, the State and Local Cybersecurity Improvement
Act, providing $1 billion in cybersecurity preparedness grants
to State, local, Tribal, and territorial governments.
Additionally, the package includes $100 million for a new
Cybersecurity Response and Recovery Fund that will complement
cybersecurity preparedness grants by providing State and local
government victims with alternatives to making ransom payments.
Together these new resources will help make ransomware a
higher-cost and lower-reward endeavor.
While I wish we had taken steps to enhance State and local
cybersecurity earlier, I am glad that with the support of
President Biden and the Senate, this year we have finally
stepped up as a partner with all levels of government to secure
our critical public networks. Furthermore, after many years of
debate in Congress, I am confident that we will finally enact
mandatory cyber incident reporting legislation as part of the
National Defense Authorization Act.
As I work with my colleagues on both sides of the aisle on
this committee and in the Senate to finalize an agreement, I am
eager to hear our witnesses' perspectives on how greater
information on cyber incidents and ransom payments would
strengthen the administration's counter ransomware efforts. It
is my hope that greater information sharing in support of the
administration's whole-of-Government approach to combatting
ransomware will help improve our viability--excuse me--
visibility into the ransomware epidemic and enhance our ability
to respond appropriately.
Again, I thank our witnesses for being here today. I thank
my colleagues for convening this very important hearing. I look
forward to your testimony here today. With that, Madam Chair, I
yield back.
[The statement of Chairwoman Clarke follows:]
Statement of Chairwoman Yvette D. Clarke
Good morning. I want to thank Chairwoman Slotkin and Ranking
Members Pfluger and Garbarino for collaborating on this important and
timely hearing. And I thank the panel of witnesses for joining us
today.
Earlier this year, as Chair of the Cybersecurity, Infrastructure
Protection, and Innovation Subcommittee, I held our first hearing of
this Congress on the ransomware epidemic because I recognize what a
serious challenge it poses to our National security.
At that hearing, we heard from members of the Ransomware Task
Force, the president of the National Association of State Chief
Information Officers, and former CISA Director Chris Krebs about what
actions the Federal Government must take to address this cybersecurity
crisis.
Just 2 days later, Colonial Pipeline reported it was shutting down
5,500 miles of pipeline as a precaution after being hit by a ransomware
attack.
Reports about ransomware attacks had been simmering for years, but
they reached a boiling point overnight as gas shortages occurred across
much of the East Coast.
As spring wore on, we learned about ransomware attacks against JBS
Foods, Kaseya, Brenntag, and others.
Fortunately, President Biden has made combatting ransomware a top
priority since taking office.
At DHS, Secretary Mayorkas announced that ransomware would be the
first of the Department's 60-day cybersecurity sprints.
And CISA has continued to lead the way in raising awareness about
how to protect against ransomware, including by supporting
StopRansomware.gov, a website with resources for businesses and
individuals with steps they can take to reduce their risk.
But, these actions are not limited to DHS. President Biden has
committed to a whole-of-Government approach that includes the
Departments of State, Commerce, Justice, and Treasury and the
intelligence community, and the issue of ransomware has been a topic at
high-level international meetings both with our allies and with our
adversaries, including Russia.
I look forward to hearing from our witnesses today about how DHS is
leveraging the authorities and capabilities of its components to
contribute to the administration's broader ransomware efforts.
I am also pleased that Congress is stepping up to provide the
authorities and resources necessary to combat ransomware.
In particular, the Infrastructure Investment and Jobs Act signed
into law by President Biden on Monday includes my legislation, the
State and Local Cybersecurity Improvement Act, providing $1 billion in
cybersecurity preparedness grants to State, local, Tribal, and
territorial governments.
Additionally, the package includes $100 million for a new
Cybersecurity Response and Recovery Fund that will complement
cybersecurity preparedness grants by providing State and local
government victims with alternatives to making ransom payments.
Together, these new resources will help make ransomware a higher-
cost and lower-reward endeavor.
While I wish we had taken steps to enhance State and local
cybersecurity earlier, I am glad that with the support of President
Biden and the Senate this year, we have finally stepped up as a partner
with all levels of government to secure our critical public networks.
Furthermore, after many years of debate in Congress, I am confident
that we will finally enact mandatory cyber incident reporting
legislation as part of the National Defense Authorization Act.
As I work with my colleagues on both sides of the aisle on this
committee and in the Senate to finalize an agreement, I am eager to
hear our witnesses' perspective on how greater information on cyber
incidents and ransom payments would strengthen the administration's
counter-ransomware efforts.
It is my hope that greater information sharing in support of the
administration's whole-of-Government approach to combatting ransomware
will help improve our visibility into the ransomware epidemic and
enhance our ability to respond appropriately.
Again, I thank the witnesses for being here today and look forward
to their testimony.
I yield back.
Chairwoman Slotkin. Thank you, Chairwoman. The Chair now
recognizes the Chairman of the full committee, the gentleman
from Mississippi, Mr. Thompson, for an opening statement.
Chairman Thompson. Thank you very much, Chairwoman Slotkin
and Chairwoman Clarke for convening this hearing and for your
leadership on this important issue.
We are here today to discuss the Department of Homeland
Security's work as part of the Biden administration's whole-of-
Government approach to countering ransomware. I am particularly
pleased that President Biden is harnessing capabilities across
the Federal Government to prevent, respond, mitigate, and
recover from ransomware attacks.
Clearly, DHS is the agency that has the capabilities and I
believe they are uniquely positioned to help address the
threats posed by ransomware as well as future attacks. I am
pleased that you are holding this hearing today and I look
forward to testimony from the witnesses between CISA, U.S.
Secret Service, and other DHS partners to protect our
communities and critical infrastructure from ransomware attack.
I yield back.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
November 17, 2021
We are here today to discuss the Department of Homeland Security's
work as part of the Biden administration's whole-of-Government approach
to countering ransomware. Under President Trump, cybersecurity was not
prioritized. Under President Trump, the position of cybersecurity
coordinator was eliminated from the National Security Council even as
we saw ransomware emerge as a homeland security threat to our Nation's
critical infrastructure.
Like with so many other National challenges, we lost ground during
the Trump administration with respect to preventing ransomware and our
schools, cities, pipeline, water and others in critical infrastructures
are paying the price. This year has already seen crippling and costly
ransomware attacks that have disrupted Federal, State, and local
government, our infrastructure, and more. Across the country, we have
seen hospitals struggle to carry out their life-saving work when their
systems were compromised. Many of the worst attacks originate from
Russian soil, and cyber criminals often operate with tacit knowledge,
and even approval, from Russian security services.
To his credit, President Biden is taking this threat seriously and
has repeatedly and directly called on Vladimir Putin to act with
respect to Russian hackers involved in ransomware attacks on U.S.
interests. In October, he convened a 2-day White House counter-
ransomware summit with 30 countries to put further pressure on
President Putin and announced that we ``look to the Russian government
to address ransomware criminal activity coming from actors within
Russia.'' I am particularly pleased that President Biden is harnessing
capabilities across the Federal Government to prevent, respond,
mitigate, and recover from ransomware attacks.
From what I know of the Department of Homeland Security and its
capabilities, I believe that DHS is uniquely positioned to help address
the threat posed by ransomware, prevent future attacks, and track down
the criminals engaged in ransomware attacks. I am pleased that
Chairwoman Slotkin and Chairwoman Clarke are leading on this critical
issue by holding today's hearing and I look forward to the testimony
from the witnesses and hearing more about collaboration between CISA,
the U.S. Secret Service, and other DHS partners to protect our
communities and critical infrastructure from ransomware attacks.
Chairwoman Slotkin. Thank you, Mr. Chairman. Members are
also reminded that the subcommittee will operate according to
the guidelines laid out by the Chairman and Ranking Member of
the full committee in their February 3 colloquy regarding
remote procedures. I now welcome our panel of witnesses. We got
there, guys. We got there.
Our first witness is Mr. Robert Silvers, the Under
Secretary for Strategy, Policy, and Plans at the U.S.
Department of Homeland Security. Mr. Silvers leads policy and
implementation plans across all of DHS's missions. He
previously served as DHS's assistant secretary for cyber policy
and is the Department's deputy chief of staff.
Our second witness is Mr. Brandon Wales, the executive
director of the Cybersecurity and Infrastructure Security
Agency. Mr. Wales is CISA's senior career executive and has
served in the Department of Homeland Security for over 15
years, including as was mentioned by Mr. Garbarino, the acting
CISA director, for many, many months. Thank you for that
service and DHS chief of staff.
Finally, we have Mr. Jeremy Sheridan, the assistant
director of the Office of Investigations at the U.S. Secret
Service. Mr. Sheridan has served in numerous supervisory
assignments in the field, at headquarters, and in protective
divisions including as the deputy assistant director of the
Office of Training, deputy assistant director of the Office of
Investigations, and assistant director of the Office of
Intergovernmental and Legislative Affairs.
Without objection, the witnesses' full statements will be
included for the record. I now ask each witness to summarize
his remarks for 5 minutes, beginning with Under Secretary
Silvers.
STATEMENT OF ROBERT SILVERS, UNDER SECRETARY, OFFICE OF
STRATEGY, POLICY, AND PLANS, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. Silvers. Thank you, Chairwoman Slotkin, Chairwoman
Clarke, Ranking Member Garbarino, Ranking Member Pfluger, of
course, Chairman Thompson, as well, as well as the other
distinguished Members. Thank you for inviting me here to
testify today about ransomware. Today, I will explain the all-
hands approach that this administration is taking to combat
ransomware and to protect the American people.
Ransomware attackers require victims to pay to regain
access to critical data, to restore operations, and to prevent
disclosure of sensitive information. The downstream effects can
have National-level implications as we saw when this country's
gasoline supply was interrupted by the attack on Colonial
Pipeline. But ransomware also hits directly into communities.
It victimizes schools, hospitals, local government agencies,
and small- and medium-size businesses. I agree with your
comments, Chairwoman Slotkin, this is an issue that impacts
ordinary Americans.
As the under secretary, I am responsible for developing our
Department's approach to preventing and mitigating ransomware
and to disrupting its perpetrators. I do this together with my
colleagues from the Cybersecurity and Infrastructure Security
Agency and from the U.S. Secret Service, who I am pleased to be
joined by today. I also do this together with other Federal
agency partners and with the private sector. DHS is
spearheading much of the administration's effort to counter
ransomware. First, we are building resilience across our
critical infrastructure and private-sector businesses. We are
laser-focused on helping organizations to harden their
defenses. We are sharing ransomware threat information and
network defense best practices.
In March, Secretary Mayorkas ordered a 60-day cyber sprint
on ransomware so that we could bolster the support that we can
offer to our stakeholders. We have launched stopransomware.gov,
a one-stop shop to access Federal guidance on ransomware
protection, detection, and response. Second, we and our
partners across the administration are being aggressive in
disrupting ransomware actors. We are taking the fight to them.
We are seizing their cryptocurrency, indicting them,
sanctioning them, sanctioning the financial platforms that they
use, and taking other steps to disrupt the infrastructure that
they use to commit their crimes.
The Department of the Treasury working with other agencies
has levied its first-ever sanctions against virtual currency
exchanges that are complicit in facilitating ransomware
payments. These designations restrict the ability of ransomware
actors to launder and move ransomware proceeds. The Department
of Treasury has also sanctioned individuals associated with
REvil, the ransomware syndicate behind the attack on JBS Foods
and the IT services firm Kaseya. The Department of Justice has
seized millions of dollars in cryptocurrency from the threat
actors behind prominent attacks on Colonial Pipeline and
Kaseya, amongst others. The Secret Service investigates
ransomware attacks and interdicts ransomware payments as part
of its work on the National Cyber Investigative Joint Task
Force where it leads the Criminal Mission Center.
As our third line of effort, we are engaging with
international partners to counter ransomware. In October, the
White House hosted a counter-ransomware summit with over 30
countries. With our partners, we reinforce responsible norms of
cyber activity. We call out and confront those countries that
undermine them. We share information to protect our critical
infrastructure through CISA's CERT-to-CERT relationships around
the world. We collaborate on investigating and arresting cyber
criminals wherever they operate. All of these efforts achieve
results.
The battle against ransomware is on-going and we are
approaching it with resolve. We are taking an all-of-the-above
approach as you said, Chairman Garbarino. Building up defenses
at home, linking arms with our partner countries, and finding
and rooting out the perpetrators, their infrastructure, their
money.
I thank the subcommittees for holding a hearing on this
topic today and I look forward to your questions.
[The joint prepared statement of Mr. Silvers, Mr. Wales,
and Mr. Sheridan follows:]
Joint Prepared Statement of Robert Silvers, Brandon Wales, and Jeremy
Sheridan
November 17, 2021
Chairwoman Clarke, Chairwoman Slotkin, Ranking Member Garbarino,
Ranking Member Pfluger, and distinguished Members of the Subcommittees
on Cybersecurity, Infrastructure Protection, & Innovation and on
Intelligence and Counterterrorism, thank you for inviting us to testify
regarding the continued threat of ransomware and the constant risks it
poses to the American people. Our testimony today highlights the
Department of Homeland Security's (DHS) efforts to counter these risks.
These efforts are made in coordination with the administration's
counter-ransomware initiatives, and our partners in Federal, State,
local, Tribal, and territorial governments, the private sector, and
internationally.
Our joint testimony today reinforces that we cannot approach the
problem of ransomware by looking at only one aspect of the threat. We
must tackle ransomware through a comprehensive strategy that includes
close partnerships with the private sector and integrates the
collective efforts to:
    disrupt cyber criminals;
    build resilience of entities and individuals;
    improve oversight of and, where appropriate, enforcement
      against virtual currency exchanges and on-line dark
      marketplaces that enable the ransomware threat;
    apply diplomatic pressure on countries that harbor
      ransomware perpetrators; and
    forge coalitions of like-minded countries to collectively
      counter the threat.
All of these efforts involve international cooperation to eliminate
the safe havens and opportunities for ransomware actors. Please allow
us to discuss some of the efforts under way at DHS, across the U.S.
Government, and with our domestic and foreign partners to combat
ransomware.
The Administration's Approach to Ransomware
Ransomware is a financially-motivated crime. Ransomware attackers
extort vulnerable organizations and individuals. They obligate their
victims to pay ransoms using virtual currencies in order to regain
access to critical data, restore IT functions, and prevent the stolen
data from being disclosed. But the cost to society is more than the
ransom. We have seen too frequently the operational disruptions and
downstream National impacts that can result from ransomware. We have
seen hospitals, municipal governments, schools, police departments, and
other essential businesses and organizations taken off-line. Earlier
this year we experienced a disruption to our gasoline supply resulting
from a ransomware attack against Colonial Pipeline. And we saw certain
food prices rise following an attack on a major meat processor, JBS. We
recognize the stakes and are all-in to address this scourge.
The administration is spearheading a whole-of-Government counter-
ransomware initiative that is working with partner nations to disrupt
and deter ransomware actors while simultaneously promoting resilience
and cybersecurity across our critical infrastructure and private
businesses. Through this initiative, we are targeting criminal actors
for apprehension and prosecution. We are targeting and dismantling the
infrastructure used to conduct these attacks.
We are targeting the illicit financial gains these actors seek, as
well as the unlawful financial networks used to move, launder, and
conceal illicit profits. We are increasing resilience in our critical
infrastructure, and the private and public sectors in general, through
cyber education and awareness and sharing information on tactics used
by our adversaries. One example of these efforts is the U.S. Treasury
Department's recent announcement of sanctions on the Russia-based SUEX
cryptocurrency exchange for facilitating transactions involving illicit
proceeds from at least eight ransomware variants. This was the first
time such actions were taken against a cryptocurrency exchange. We will
continue to do more to effectively disrupt this threat.
The Department of Homeland Security's Sprint to Combat Ransomware
We are here today to talk about the significant efforts DHS is
making to support the administration's counter-ransomware initiative.
In February 2021, Secretary Mayorkas issued a call for action to tackle
ransomware more effectively. In March, DHS launched a 60-day sprint to
combat ransomware.\1\ This was the first of 6 cyber-focused sprints and
was intended to elevate existing efforts and remove roadblocks
hampering progress. Through the Secretary's leadership and leveraging
the unique capabilities of DHS components, we took action to increase
resilience, and disrupt criminal use and development of ransomware.
---------------------------------------------------------------------------
\1\ See Secretary Mayorkas Outlines His Vision for Cybersecurity
Resilience (March 31, 2021), available at
https://www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-cybersecurity-resilience.
---------------------------------------------------------------------------
During this sprint, Secretary Mayorkas and Attorney General Garland
participated in the annual Five Country Ministerial, which issued a
``Ministerial Statement Regarding the Threat of Ransomware.''\2\ Many
components within DHS played an active role. The U.S. Secret Service
held a virtual cyber incident response simulation with State and local
governments focused on ransomware, and the Cybersecurity and
Infrastructure Security Agency (CISA), in partnership with the U.S.
Treasury Department, engaged with the cyber insurance industry on
ransomware. The U.S. Coast Guard held exercises to synchronize Coast
Guard and State incident response, and numerous U.S. Immigration and
Customs Enforcement (ICE) symposia, panels, and discussions were held
on cyber crime and ransomware.
---------------------------------------------------------------------------
\2\ See Five Country Ministerial Communique (April 9, 2021),
available at
https://www.homeaffairs.gov.au/news-media/archive/article?itemId=596.
---------------------------------------------------------------------------
As a natural progression of the sprint, in July DHS led, along with
colleagues across the U.S. Government, the launch of
``StopRansomware.gov,''\3\ our official central website for resources
from across the Federal Government community to tackle ransomware more
effectively. The purpose of this website is to help public and private
organizations defend against the rise in ransomware attacks by
providing guidance on protection, detection, and response all on a
single website.
---------------------------------------------------------------------------
\3\ See New StopRansomware.gov Website--The U.S. Government's
One-Stop Location to Stop Ransomware (July 15, 2021), available at
https://us-cert.cisa.gov/ncas/current-activity/2021/07/15/new-stopransomwaregov-website-us-governments-one-stop-location.
---------------------------------------------------------------------------
The Department's sprint efforts are on-going. Through multiple DHS
agencies, we continue to work with our State, local, Tribal, and
territorial partners to build awareness, promote preparedness, and
improve resilience. We continue to work with these same partners to
build investigative capability through programs like the National
Computer Forensic Institute (NCFI). We continue to promote preparedness
and resilience across critical infrastructure and across the private
sector.
The Cybersecurity and Infrastructure Security Agency Efforts on
Ransomware
One of CISA's core functions is to foster such resilience. It
played a leading role for DHS in launching ``StopRansomware.gov.'' In
January 2021, CISA launched a ``Reduce the Risk of Ransomware''
awareness campaign.\4\ This campaign promoted resources and best
practices to mitigate the risk of ransomware and focused on supporting
COVID-19 response organizations and K-12 institutions. Further, CISA
expanded its publicly available information to include a ransomware
guide, fact sheets, tool kits, on-line training resources, and
educational webinars.
---------------------------------------------------------------------------
\4\ See CISA Launches Campaign to Reduce the Risk of Ransomware
(Feb. 16, 2021), available at
https://www.cisa.gov/news/2021/01/21/cisa-launches-campaign-reduce-risk-ransomware.
---------------------------------------------------------------------------
CISA has also taken many proactive steps to prevent the ransomware
threat. These efforts include hundreds of engagements focused on
cybersecurity and combatting ransomware. CISA routinely engages with
State, local, Tribal, and territorial partners, including events
specifically for Governors and county leaders; and for the private
sector. In addition, CISA continues to release cyber alerts containing
technical details and mitigation measures. These alerts, often issued
jointly with interagency partners, provide timely information about
current security issues, vulnerabilities, and exploits. Several recent
examples include information on BlackMatter ransomware, Conti
ransomware, and on-going cyber threats to water and wastewater systems.
Effective confrontation of the ransomware threat relies on visibility
and awareness, and CISA provides that through email and other
subscription services.
Visibility and awareness also require information sharing and
collaboration. CISA launched the Joint Cyber Defense Collaborative
(JCDC) to lead the development of the Nation's cyber defense plans,
which outline activities to reduce the prevalence and the impact of
cyber intrusions such as ransomware. JCDC promotes National resilience
by coordinating actions to identify, protect against, detect, and
respond to the malicious cyber activity targeting U.S. critical
infrastructure or national interests. Building on the authorities
included in the Fiscal Year 2021 National Defense Authorization Act,
the JCDC includes the joint cyber planning office, but recognizes
that there is a full suite of capabilities necessary to truly make a
difference for our Nation's cybersecurity posture. The JCDC will bring
together leading technology, communications, and incident response
companies, as well as all relevant Federal agencies, to unify and
integrate prevention and response planning. The JCDC is uniquely the
only Federal cyber entity that proactively provides visibility into the
common operating picture of the threat environment through partnership
with the private sector and the Federal cyber ecosystem.
The U.S. Secret Service Efforts on Ransomware
For more than 150 years, the U.S. Secret Service has investigated
financial crimes. Following the proceeds from ransomware attacks is no
different. With the support of its partners, the Secret Service has
shut down a number of illicit cryptocurrency exchangers that
facilitated the laundering of criminal proceeds, including proceeds
from ransomware. The Secret Service's successes include working with
partners to shut down Western Express in 2013 and BTC-e in 2017,\5\
both of which served as key laundering platforms for cyber criminals.
---------------------------------------------------------------------------
\5\ See Russian National And Bitcoin Exchange Charged In 21-Count
Indictment For Operating Alleged International Money Laundering Scheme
And Allegedly Laundering Funds From Hack Of Mt. Gox (July 26, 2017),
available at
www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged.
---------------------------------------------------------------------------
Secret Service Cyber Fraud Task Forces (CFTFs), located
domestically and internationally, are at the forefront of investigating
cyber-enabled financial crimes. CFTFs partner with State, local,
Tribal, and territorial (SLTT) law enforcement, private and public
sectors, to include financial institutions, and academia. An additional
significant effort is made through the NCFI. This Federally-funded
facility provides training courses to SLTT law enforcement,
prosecutors, and judges at no cost to the attendees or their agencies.
Attendees, who receive training on cyber response and investigation, to
include ransomware, act as force multipliers for Secret Service CFTFs.
Operation Zydeco in 2019 \6\ is one such example, where SLTT members of
the Secret Service Louisiana CFTF trained by NCFI responded to a
ransomware attack targeting a sheriff's office. In October 2021, NCFI
hosted a virtual cyber incident response competition to test the
technical skills of SLTT law enforcement as a Federal/State group
responding to a ransomware incident.
---------------------------------------------------------------------------
\6\ See Louisiana Sheriff's Office Targeted in Cyberattack Attempt
(Dec. 16, 2019), available at https://apnews.com/article/
c2c78e08b8e82791ada335ce9f8dbf5f.
---------------------------------------------------------------------------
Today, the U.S. Secret Service coordinates, integrates, and shares
information on its ransomware cases through the National Cyber
Investigative Joint Task Force (NCIJTF), where a Secret Service agent
leads the Criminal Mission Center. Through the NCIJTF, the Secret
Service works hand-in-hand with partners from the Departments of
Justice, State, the Treasury, and other domestic and foreign partners.
This collaborative approach to investigating cyber crime is essential
in pooling Government resources and skill sets to best combat
ransomware actors and their networks. The Secret Service also continues
to reinforce its international partnerships.
Ransomware actors are geographically dispersed; disrupting them
requires the cooperation of international law enforcement agencies to
locate, arrest, and hold these actors accountable for criminal
activity. The Secret Service fosters collaboration, developed and built
upon years of cooperation, through direct partnership with foreign law
enforcement agencies and international law enforcement organizations
like INTERPOL and Europol. An example of this was the February
agreement of a Canadian-American citizen, Ghaleb Alaumary, to plead
guilty to two counts of conspiracy to commit money laundering,
including laundering funds from a 2019 North Korean-perpetrated cyber-
heist of a Maltese bank.\7\ In September, Alaumary was sentenced to
more than 11 years in Federal prison and was required to pay more than
$30 million in restitution to victims.\8\ This case highlights the
transnational nature of criminal organizations engaged in these sorts
of crimes.
---------------------------------------------------------------------------
\7\ See Three North Korean Military Hackers Indicted in Wide-
Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the
Globe (Feb. 17, 2021), available at https://www.justice.gov/opa/pr/
three-north-korean-military-hackers-indicted-wide-ranging-scheme-
commit-cyberattacks-and.
\8\ See International Money Launderer Sentenced to More Than 11
Years in Prison for Laundering Millions of Dollars in Cyber Crime
Schemes (Sept. 8, 2021), available at https://www.justice.gov/opa/pr/
international-money-launderer-sentenced-more-11-years-prison-
laundering-millions-dollars.
---------------------------------------------------------------------------
Efforts by the Secret Service, ICE, and other law enforcement
partners to hold criminal actors responsible are on-going, as well as
efforts to strengthen law enforcement capabilities to counter the
threat of ransomware.
international efforts
The United States cannot combat this threat alone. We must continue
to work alongside our international partners, strengthening existing
relationships, and forging new ones. Together we must stand united to
support the adoption of, and adhere to, international cyber norms and
condemn countries who violate these norms or harbor cyber criminals, or
support their criminal activities.
In late October, the United States hosted a Counter-Ransomware
Initiative meeting with like-minded international partners from more
than 30 countries. Delegates had an open discussion on common
challenges, approaches, and opportunities to advance international
cooperation to achieve shared goals. DHS, together with the Departments
of Justice, State, and the Treasury, also recently participated in the
initial meeting of the U.S.-E.U. Ransomware Working Group. This effort
is the result of an agreement between the Secretary of Homeland
Security and Commissioner Johansson of the European Commission to
explore joint solutions to this global problem. The Department also
participates in a ransomware working group with the Republic of Korea
and through the Five Country Ministerial. These meetings and the scope
of participation confirm ransomware is not just an issue for the United
States.
The Department continues to work together with like-minded
international partners to target, identify, and prosecute cyber
criminals, disrupt their IT infrastructures, and shut down financial
networks used to launder illicit proceeds. We collaborate and share
active threat intelligence and cybersecurity best practices to
reinforce international societal norms for responsible behavior in
cyber space and call out countries who choose not to follow these norms
and instead harbor criminal cyber actors or facilitate criminal
behavior.
legislative initiatives to assist on ransomware
We commend Congress for passing the Infrastructure Investment and
Jobs Act, which includes funding to increase cyber resilience for
critical infrastructure that will help prevent ransomware attacks. We
also acknowledge and applaud some of the on-going efforts in Congress
that would significantly help in the fight against ransomware.
Cyber Incident Reporting Legislation.--Our ability as a Department
to bolster resilience and investigate criminal actors depends on us
learning about ransomware attacks and other malicious cyber activity.
As such, we support legislation requiring the reporting of cyber
incidents. This information is critical for understanding National risk
and taking actions to disrupt and deter additional malicious activity.
We cannot accurately address a problem if we do not understand its
scale and scope. Cyber incidents are underreported. Additional
legislative steps and new authorities are necessary to understanding
the full scope of the ransomware problem.
Support for the Training of State, Local, Tribal and Territorial
Law Enforcement.--We appreciate Congress' continued support for the
cyber training of SLTT law enforcement. Centers such as the NCFI
provide critical cyber investigation skills to our partners who are
often the first responders to ransomware attacks and act as force
multipliers.
Law Enforcement Capabilities to Counter Cyber Crime.--The U.S.
Secret Service and ICE's Homeland Security Investigations have robust
capabilities to investigate criminal cyber activity, including
ransomware attacks. Expanding these capabilities to include
investigating money laundering associated with digital assets would
give the Department an additional tool to prevent cyber criminals from
profiting from their illicit gains.
These legislative actions would increase our ability to address the
threat posed by ransomware.
conclusion
DHS is committed to countering the threat of ransomware facing our
country, our citizens, and our allies around the globe. We are grateful
for the continued support of Congress and to our fellow departments and
agencies for their support in this effort. Together we can increase
cyber resilience and disrupt and hold accountable those who perpetrate
these acts. Thank you again for the opportunity to testify today and we
look forward to your questions.
Chairwoman Slotkin. Thank you for your testimony. I now
recognize the Executive Director Wales to summarize his
statement for 5 minutes.
STATEMENT OF BRANDON WALES, EXECUTIVE DIRECTOR, CYBERSECURITY
AND INFRASTRUCTURE SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND
SECURITY
Mr. Wales. Thank you. Thank you, Chairwomen Slotkin and
Clarke, Ranking Members Pfluger and Garbarino, and Chairman
Thompson for the opportunity to testify today on behalf of the
Cybersecurity and Infrastructure Security Agency. I look
forward to discussing CISA's efforts to elevate the Nation's
security and resilience against ransomware attacks.
As you know, CISA is the National coordinator for critical
infrastructure security and resilience, responsible for
reducing risks to digital and physical infrastructure that the
American people rely on every hour of every day. Within the
overall administration's approach to countering ransomware, we
are focused on bolstering resilience. But unfortunately,
strengthening resilience to withstand ransomware attacks is
arguably the most difficult element of our collective efforts
as it ultimately relies on changing human behavior. While
certain steps such as spotting phishing attempts and
implementing multi-factor authentication or patching
vulnerabilities are easily implemented at the individual level,
they are much more difficult to implement in community,
business, or organization-wide. Building resilience requires a
long-term investment in people, processes, and technology.
Every organization that wants to avoid being a victim of
ransomware must invest in the practices that will keep their
customers, their systems, and their data protected.
The question that we need to be asking ourselves is what we
can do to have an impact now? I point to three things. First,
we must give people the tools and guidance that they need to
increase their resilience and security. That is why CISA is
working to raise awareness and promote basic cyber hygiene
across tens of thousands of businesses and Government agencies
throughout the country. But CISA cannot raise our collective
baseline of awareness and resilience alone. Which is why CISA
partners daily with other agencies, such as the FBI and the
Secret Service, to evaluate threats and vulnerabilities,
develop guidance, conduct outreach, and respond to incidents.
For example, earlier this year, CISA and the Secret Service
conducted a Cyber Incident Response Simulation Workshop with
State and local governments focused on ransomware. As an
example of a city taking full advantage of what DHS, CISA, and
the Secret Service have to offer to manage ransomware risk, we
have provided a sustained partnership in cybersecurity support
to the city of Los Angeles and its 44 departments serving over
4 million residents in the form of cyber information sharing,
threat training, assessments, and network defense services. The
Los Angeles partnership is an example of what we can replicate
across the Nation.
Additionally, earlier this summer, we led the interagency
development and launch of stopransomware.gov, the U.S.
Government's official repository for resources from across the
interagency to help public and private organizations tackle
ransomware more effectively. To date, stopransomware.gov has
had more than 455,000 page views and our ransomware readiness
assessment tool has been downloaded nearly 15,000 times.
Second, because vulnerabilities are wide-spread across
technology environments, it is increasingly challenging for
organizations to prioritize which vulnerabilities to fix first.
Last week, we released the binding operational directive, which
established a dynamic CISA-managed catalog of more than 300
known exploited vulnerabilities and requires Federal agencies
to remediate such vulnerabilities within specific time frames.
While aimed at the Federal Government, we strongly encourage
every organization to adopt this directive and prioritize
mitigation of vulnerabilities listed in CISA's public catalog
as we continually identify newly-exploited vulnerabilities.
Third, we must drive impact at scale if we hope to achieve
the resilience we seek. Critical to that effort will be our
partnerships with key players who can help us achieve broad-
based effects. We recently launched the Joint Cyber Defense
Collaborative, or JCDC, a partnership between key Federal
agencies and private-sector companies to see across networks
and industries to help us identify emerging threats, provide
actionable information, and take action at scale to reduce the
risk of compromises of all types.
Finally, and perhaps most importantly, using our role to
leverage expansive information-sharing authorities to ensure
early warning of threats and attacks. For example, just this
morning CISA, the FBI, the Australian Cybersecurity Center, and
the U.K.'s National Cybersecurity Center released a joint
cybersecurity advisory highlighting on-going malicious activity
associated with the government of Iran. We have observed that
these actors exploit Fortinet and Microsoft Exchange ProxyShell
vulnerabilities to gain initial access to systems to
advance follow-on operations, which include the deployment of
ransomware. We urge critical infrastructure organizations to
apply the recommendations listed in the advisory to mitigate
those vulnerabilities.
While this advisory is based on an analysis of multiple
incidents that CISA and the FBI supported, unfortunately today,
we receive information on only a fraction of incidents. This
hampers our ability to conduct critical analysis, spot
adversary campaigns, release mitigation guidance, and provide
timely response, leaving critical infrastructure vulnerable.
That is unacceptable. Providing incident information to CISA
and our Federal partners quickly allows us to enrich it and get
it out broadly, protecting future victims and raising the
baseline of our Nation's cybersecurity. I urge Congress to move
quickly on the urgent priority of adopting incident
notification legislation.
In closing, our Nation is facing unprecedented risk from
cyber attacks undertaken by nation-states and criminals. In
response and with your partnership and support, CISA will
continue to lead our National call to action. Thank you for the
opportunity to appear today and I look forward to your
questions.
Chairwoman Slotkin. Thank you for your testimony. I now
recognize Assistant Director Sheridan to summarize his
statement for 5 minutes.
STATEMENT OF JEREMY SHERIDAN, ASSISTANT DIRECTOR OF
INVESTIGATIONS, U.S. SECRET SERVICE, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Sheridan. Good morning, Chairman Thompson, Chairwoman
Clarke, Chairwoman Slotkin, Ranking Member Garbarino, and
Ranking Member Pfluger, and Members of this committee. Thank
you for inviting me to testify on the role of the Secret
Service, the risk posed by ransomware, and our approach to
countering this threat.
I lead the Secret Service's investigative teams in our 160
global offices, which are combating transnational cyber crimes
like ransomware. In fiscal year 2021, these investigative teams
responded to over 700 network intrusions, prevented over $2
billion in financial losses, and returned over $54 million to
victims through asset forfeitures. These outcomes illustrate
one aspect of the Secret Service's role in managing risk and
preventing crimes like ransomware. Since the agency's founding,
our primary investigative mission is to safeguard the integrity
of U.S. financial systems, while our protective mission
implements measures to prevent harm to the persons, locations,
and events we protect, including harm from cyber threats.
We accomplish our integrated mission by working in close
partnership with all levels of Government and private
organizations to effectively manage risk. For over 30 years,
ransomware has been used to hold computers hostage and extort
their users. Transnational cyber-criminal networks using
ransomware are enriched, emboldened, and expanded. These
criminal networks are a persistent and growing threat, which we can
best counter by driving down the profitability of their
criminal schemes. This requires both improving the security and
resilience of internet users and pursuing those that engage in
or enable cyber crimes.
Achieving this second aspect through criminal law
enforcement is the specialty of the Secret Service. For 40
years, the Secret Service has investigated cyber crimes, long
before they were even called cyber crimes. While technology has
rapidly evolved, our investigative approach has remained
consistent. We follow the money. In doing so, we develop
detailed evidence on transnational cyber crime networks. By
working with our partners around the globe, we use this
evidence to ensure the most significant criminals are
apprehended and face justice. Extraditing cyber criminals to
the United States disrupts, deters, and prevents future
criminal activity. It has also resulted in reforming some
experienced transnational criminals into assets in the fight
against cyber crime.
This is one reason why law enforcement action is an
essential component to our National response to transnational
cyber crime. Law enforcement investigations also provide
additional benefits by developing indicators and warnings that
we share with CISA and other partners to inform their actions.
I see three priorities for law enforcement to aid in countering
ransomware. All three of which would benefit from Congressional
action.
First, reduce the profitability of ransomware campaigns by
improving the ability of law enforcement to detect and
interdict criminal crime proceeds. With the support of
Congress, the Secret Service is making significant investments
in the tools, training, and processes to empower our cyber
fraud task forces to rapidly detect and seize the proceeds of
cyber crime. Enacting the Anti-Money Laundering Act of 2020 was
a critical component in these efforts. But further legislative
action could aid in ensuring we have the authorities and
capabilities to most effectively combat the money laundering
activity that is fueling the growth of transnational cyber
crime.
Second, law enforcement, particularly State and local law
enforcement, act as first responders to ransomware. They are a
part of our local communities and can respond quickest when
called by those affected by ransomware. Since 2008, the Secret
Service has developed the cyber investigative capabilities of
our State and local partners by training and equipping them at
the National Computer Forensics Institute. However, this
critical program requires Congressional reauthorization prior
to September 2022 to ensure that training meets the growing
demand.
Third, we must dramatically intensify international law
enforcement cooperation to investigate, arrest, and prosecute
those engaged in transnational cyber crimes, including
ransomware. The Secret Service is fortunate to have close and
collaborative relationships with numerous law enforcement
agencies around the world from Europol to South Africa to
Australia. These partnerships allow us to pursue transnational
criminals, their associates, and their assets wherever they may
reside or travel to. These partnerships depend on continued
Congressional support for our international operations.
In closing, I want to stress that ransomware is a threat to
every community. It is being used to disrupt schools, city
governments, local police departments, critical infrastructure,
and other essential services both here at home and abroad.
Progress is possible but requires a commitment to prioritize
this issue both domestically and internationally as one of
shared interest. I thank the committee for holding this
important hearing and for your continued support of the U.S.
Secret Service and our partners in countering cyber crime. I
look forward to working closely with you and with other Members
of Congress on our shared priorities and welcome your
questions.
Chairwoman Slotkin. I thank all the witnesses for their
testimony. I will remind the subcommittees that we have 5
minutes to question the panel. I will now recognize myself for
questions.
So, to the panelists, you know, in June, the President laid
down a very clear marker with Vladimir Putin that we will hold
Russia responsible for stopping ransomware attacks coming out
of its territory regardless of who is committing them against
the 16 critical U.S. infrastructure sectors. The President
noted that ``within the next 6 months to a year, we would hope
to see the impact of our engagement with Russia on
cybersecurity.'' Given what we all just said that Americans are
on the front line when it comes to ransomware attacks, can you
tell us, have we seen a change in the ransomware threat coming
out of Russia hitting U.S. critical infrastructure in the past
5 months? Have the attacks gone up, gone down, or stayed the
same? Mr. Silvers.
Mr. Silvers. Thank you, Madam Chairwoman. We have been
clear with Russia that actions will speak louder than words. On
the trends, it is difficult to assess because the vast majority
of ransomware incidents are not reported to the Government. So,
we are laser-focused on getting the data and we are doing that
two ways. One by enhancing our information-sharing programs
with the private sector so we can get more of it. The second is
by working very closely with Congress on the mandatory incident
reporting bill that is being worked as part of the NDAA
process, which would actually be transformative in this respect
in that it would get us the data we need to make these kinds of
assessments that you expect to see in your oversight role.
Chairwoman Slotkin. OK. So, we are going to get the data
and I understand we need to get more data. But based on the
data you have today in your hands, right, understanding it is
imperfect, it is 5 months after a Presidential summit, have you
seen attacks go down, go up, or stay the same?
Mr. Silvers. I can't make a definitive assessment at this
time. As we have discussed in our conversations, Madam
Chairwoman, you are correct that different experts have spoken
in different ways about what they have seen and I think for
that reason, it is important we get to ground on the data.
Chairwoman Slotkin. OK. So, we all work in jobs where we
are evaluated based on our success or failure. What are the
metrics that you can tell the American public and this
committee that you will be using to determine whether attacks
are going up or going down? Whether Russia is taking action or
not. Because it is one thing to say we are going to take action
and to demonstrate strength. It is another thing to actually
have the data to back it up. So, a year from now, if you get
all the things you want, what are the metrics that will help
you evaluate whether things are going up or going down?
Mr. Silvers. Thank you, Madam Chairwoman. I think some of
the metrics include number of ransomware strikes. We are
actively looking at sources to collect that from, including
reporting to the Federal Government, but also working with, for
example, private cybersecurity companies, with insurance
companies who have a role in the ransomware payment ecosystem,
with our monitoring of dark web forums that list ransomware
activity. Through all that, we are pulling together what we
believe are the best available data. The incident reporting
bill will be truly transformative in helping us to do that. But
I think 1 year out, we clearly will be much further along.
Chairwoman Slotkin. OK. Well, I would expect that 1 year
out from that summit, we will be back here having that
conversation with metrics to basically assess what has happened
in the year since. If the United States knew that actors,
criminal actors were emanating from our soil and attacking
another country, we would act. I don't see any evidence that
Russia is actually helping us on this score.
Turning to a different subject. I was shocked last week or
2 weeks ago to have a bunch of superintendents from Michigan, K
through 12 superintendents come into my office. Every single
one of them had been the victim of a ransomware attack. That
means they had children's personal data in their hands, these
attackers, and they had to pay the attackers in order to get
them back, to get the personal data back. Folks like Ken
Gutman, he is a superintendent of Walled Lake Consolidated
Schools in Oakland County, a part of which I represent, 13,000
students and were hit with this ransomware attack last October.
Explain to the American public how their Government helps
them when that superintendent wakes up, his data has been
ransomed, someone's asking for money, who does he call? What
does he do? What is the first move when that superintendent's
been hit?
Mr. Silvers. Thank you, Madam Chairwoman. This is a Main
Street issue. It hits communities and we have to have our
services be accessible to communities so that people who are
not incredibly sophisticated in these issues can be helped by
them. That is why we created a one-stop website,
stopransomware.gov, that State and local school districts,
police departments, hospital systems, can go to. They can find
prevention advice so they can get ahead of it. They can also
find response advice so that if they are hit, they know who to
reach out to and can avail themselves of the services that CISA
provides for response and that, for example, the Secret Service
provides for investigating the crime.
Chairwoman Slotkin. Great. Sure, do you want to add
something very, very briefly because my time has expired.
Mr. Wales. Sure, just very briefly. The most important
thing that I would hope that you can convey within your
districts to your constituents is time to focus on ransomware
is not after you have been hit. Because after you have been
hit, your options are extremely, extremely limited. There is
not a lot that anyone is going to be able to do that is going
to be able to fix underlying problems. Some adversary already
has your data----
Chairwoman Slotkin. Mm-hmm.
Mr. Wales [continuing]. In that environment. That is going
to be an extremely challenging situation for any organization
whether it is a Government, a school district, or a business.
The time to start focusing on ransomware is before. It is right
now today one of the things they can do to make that
eventuality less likely to happen.
Chairwoman Slotkin. OK. Thank you very much. I now
recognize the Ranking Member, Mr. Pfluger, for questions.
Mr. Pfluger. Thank you, Madam Chair. I appreciate the
discussion that we are having here today. I want to open up a
discussion on the time to focus on this issue, the time to
focus on preventing it. I would like to say that I think that
the most important piece of that is deterrence. We have to have
the technical capability, but we also have the political will
to hold those accountable. So, I want to ask each of you just
to respond whether or not when you look at something that
happened in the D.C. Metropolitan Police Department where they
were looking to extort the department, publish sensitive
information about officers, including personal information, is
this an act of terror? These are tactics that are commonly
used. Is this a form of terrorism? Is it a crime? Are we
getting into an act of war? What is you all's--very quickly,
because I want to explore this.
Mr. Silvers. Mr. Chairman, it is most certainly a crime and
a heinous crime and one that is not just an ordinary crime, but
also can raise to the National security level, I believe. That
is why I believe you have seen what is a National security
response. I agree on the importance of deterrence. I want to
make an important point, which is--and it also goes to
Chairwoman Slotkin's question--we have been quite direct with
the Russian Government. But we are not sitting around and
waiting for the Russian Government to act. We have communicated
that if they will not act against those taking this action from
their territory, we will take those actions. We are doing so.
Those have been announced and some have not been announced in
recent months, including cryptocurrency wallet seizures,
indicting people, putting them on the run. The noted
cybersecurity expert, Dmitri Alperovitch, has said that one of
the keys here is making ransomware criminals feel paranoid,
scared, not trusting those around them. That is what we are
doing to disrupt.
Mr. Pfluger. I think to Madam Chair's point, we need to see
the metrics that tell us whether or not it is being taken
seriously and having an effect. Mr. Wales, is this crime? Is it
terror? Is it war? I mean, the Colonial Pipeline, had that been
a kinetic weapon that was used on the Colonial Pipeline and the
effects were the exact same, that would be an act of war in
this country.
Mr. Wales. You know, I think that is a little bit beyond
CISA's purview. But I would certainly say that it is a National
security imperative that we prevent any adversary from
disrupting our critical infrastructure. That is the kind of
work that we are doing every day in partnership with our
colleagues here at the table and elsewhere in Government.
Mr. Pfluger. From CISA's perspective, do you see this as
crime, terror, or otherwise?
Mr. Wales. You know, I think crimes are dictated by statute
and my colleagues in the law enforcement community could
probably tell you better than me what, you know, what is a
crime and what is not. But clearly, these are crimes. Clearly,
they were designed to inflict terror on their victims because
they are trying to extort money out of them. The more that they
could make their victims scared about what they are going to do
with their information or locking up their systems and
jeopardizing their businesses or the organizations they manage,
makes it more likely that a victim will pay.
I think going to your earlier point, as long as ransomware
is a viable tool to raise money, as long as they continue to be
paid, people will continue to flock to this. So, we may take
some off the table, which we have done effectively including in
the last several weeks. New people will get into this because
it continues to be a lucrative way of raising money because it
has become a matter of paying--over the last several years,
businesses have paid it as just a cost of doing business. That
has resulted in the epidemic that it is today.
Mr. Pfluger. Mr. Sheridan.
Mr. Wales. As long as it is----
Mr. Pfluger. I am sorry to interrupt.
Mr. Wales [continuing]. That kind of thing where we are
going----
Mr. Pfluger. We are limited on time. Mr. Sheridan, your
thoughts?
Mr. Sheridan. Yes, I would just expand on what my
colleagues have said. Sir, we are deterring criminal actors
through prosecution, judicial action, and asset seizure,
demonstrating that no one is beyond the reach of law. Metrics
have been brought up multiple times. It is recognized we need
better measurement for net assessment results. But we use some
quantifiable metrics in the Secret Service. We have conducted
over 937 arrests for cyber fraud activities. We prevented more
than $2 billion in fraud loss. We have seized more than 3.5
million of financial accounts that have been used for illicit
activities. Seized $129 million. Returned more than $55 million
to victims. We do have quantifiable metrics in this space. They
aren't universally applied across all law enforcement entities.
But we are making impact and I think those numbers demonstrate
that in partnership with CISA, the FBI, and other law
enforcement members.
Mr. Pfluger. Well, this is a--there is time--the time is
now for a bold moment. I think DHS needs to take the lead on
this. We need to have a discussion about what this is and how
we deter. I am very concerned about whether or not we are
actually able to hold people accountable inside Russia. We want
to see and hear and understand the specifics of those instances
and how that effect is actually being--is making headway to
prevent our businesses. I don't think it is limited to 16
categories. I think that any business, any industry, any person
that is terrorized by these tactics and held hostage and then
forced to make a payment to the benefit of a criminal
organization, terrorist organization, or State actor, is wrong.
So, we are looking for DHS to make a bold statement to make
recommendations to the President and to then have that
deterrent as rhetoric backed up with the technical capability
to prevent this. Thank you, Madam Chair.
Chairwoman Slotkin. The Chair now recognizes Chairwoman
Clarke for 5 minutes of questioning.
Chairwoman Clarke. Thank you, Madam Chair. The State and
Local Cybersecurity Improvement Act, which provides $1 billion
in grants to State, local, Tribal, and territorial governments
to enhance their cyber defenses was included recently in the
recently enacted bipartisan infrastructure package. I
introduced this legislation to give State and local governments
the ability to defend themselves against cyber criminals who
have been relentlessly attacking them.
But funding alone is not enough. CISA must assist State and
local governments in using this new funding most
effectively and efficiently. Mr. Wales, can you share with us
about what CISA will be doing to ensure that funding is spent
in ways that effectively address States' cyber risks and that
we have a coordinated approach to enhancing State and local
cybersecurity Nationally?
Mr. Wales. Thank you, Chairwoman Clarke. I want to really
thank you for your leadership on this. We believe that the
cybersecurity grants for State and local communities is really
going to be a game-changer in dramatically enhancing the
security of our communities throughout the country. Even before
the bill was signed by the President, we had been working with
FEMA to begin to map out what the plan is to roll these grants
out over the next year.
We, within CISA, are working to better identify what are
the priorities that we want States and locals to focus on? What
does the planning architecture need to look like for States as
they develop their State's cybersecurity plan? What are the
priorities as that money flows down into local communities?
Making sure that we are thinking through how do we get our,
CISA's, field-based personnel ready to support State and locals
as they begin to think about, plan, and implement the funding
that will come along with these grants. You know, I think up
front----
Chairwoman Clarke. So, Mr. Wales,----
Mr. Wales [continuing]. There is a lot of unevenness----
Chairwoman Clarke [continuing]. Have you----
Mr. Wales [continuing]. So, it is a matter of getting
everyone to a common baseline.
Chairwoman Clarke. So, Mr. Wales, have you considered
already cybersecurity improvements that you will encourage
grantees to prioritize? Related to that, what to collaborations
with the private sector are there any recent success stories
that you can share?
Mr. Wales. Sure. So, on the first question related to the
early priorities, and I think a lot of those we hit on often,
which is how do you get to a baseline level of cybersecurity?
So, how does a State put in place and a community put in place
the right level of multi-factor authentication? How does it
shrink the number of privileged accounts? How does it put in
place a process to close vulnerabilities as soon as they are
identified? Those type of cyber essentials will be kind-of
among the first priorities that we want States to invest in and
making sure that they have a work force that is capable of
supporting and sustaining that effort.
When it comes to our relationship with the private sector,
I would say that everyday outputs that are coming from CISA are
the result of our close partnership with the private sector.
Even the recent cybersecurity advisories that we have released
related to ransomware variants like DarkSide, and BlackMatter,
and Conti ransomware, those benefit from information that we
share with the private sector. Those key companies that have
broad insight into the cybersecurity ecosystem who can provide
us enrichment and we can get that out to the entire country.
You know, in addition, I think if you look at recent
announcement from Palo Alto about the identification of
critical infrastructure entities that were compromised because
of vulnerabilities in ZOHO ManageEngine, that was a result of
information sharing from work that was done between the Coast
Guard, the FBI, and CISA, with our joint cyber defense
collaborative partners. They then took that information, went
and looked in their own system in Palo Alto, one of our
plank-holder members of the JCDC went and identified additional
critical infrastructure victims and is able to remediate, now
able to respond or remediate those vulnerabilities. We think
that this partnership both within the Government and with the
private sector is beginning to pay really tremendous dividends.
It is not just partnership. This is this true operational
collaboration.
Chairwoman Clarke. Wonderful. As part of the broader cyber
incident reporting legislation being considered in this year's
NDAA, Congress is considering a requirement that entities
report ransom payments to CISA. With an estimated 70 to 75
percent of the ransomware attacks currently unreported, this
mandate would ensure the Federal Government has the information
necessary to investigate ransomware cases and would allow for a
better understanding of the scope and patterns of ransomware
attacks across the country. Mr. Wales, how would CISA share the
information gained through this mandatory reporting to enhance
its own counter-ransomware efforts?
Mr. Wales. Sure. So, I think that when I think about what
is in the legislation, there are two pieces of it. There is the
actual cyber incident information that is going to be most
useful for CISA. We will then take that information working
with our Federal partners and with our critical infrastructure
community to get that information out in an anonymized way to
be able to spot broader campaigns and to protect future
victims. The actual ransom payment information will be
essential to our law enforcement community, the Secret Service,
the FBI, and others who can actually take that information,
investigate the criminal aspects of it, and potentially seize
funds, trace the money, go after the perpetrators. Jeremy, I
don't know if you have got additional points?
Mr. Torres. The Congresswoman's time has expired.
Congressmember Garbarino.
Chairwoman Clarke. I thank you, Mr. Chairman, and I yield
back.
Mr. Garbarino. Thank you very much, Mr. Chairman. Mr.
Wales, at the House Oversight Hearing yesterday you
participated in, there was a significant amount of discussion
regarding the mandatory cyber incident reporting bill in the
NDAA. During the hearing, Mr. Vorndran from the FBI said it was
essential for FBI to receive full and immediate access to the
cyber incidents. We understand that the FBI plays an important
role in investigating cyber crime and coordinating with CISA.
However, as you know, Congress established CISA as the lead
Federal civilian cybersecurity agency with the authority to
coordinate with the private sector. The incident reporting
legislation seeks to build on CISA's role. I am eager to hear
your thoughts, CISA's thoughts, on giving the FBI or Department
of Justice a more central role in the incident reporting
legislation being debated in Congress right now. The importance
of CISA's retaining its role as the lead Federal civilian cyber
agency.
Mr. Wales. I don't see, you know, any of the changes that
are being discussed changing CISA's fundamental role as the
lead for civilian cyber defense when it comes to responding to
incidents and supporting our critical infrastructure community.
We have a tremendously close relationship with the FBI and the
Department of Justice. Under any variation of this legislation
regardless of what is passed by Congress, we will work to
ensure that FBI and our other law enforcement partners and our
other Federal agencies that need to have this information
whether it is Treasury or Department of Energy, they will get
it as soon as possible. We will work to ensure that on our end,
as soon as the information comes in, it will get to the people
who need the information.
In many respects, that is enshrining what we do today. CISA
has not done on-site engagement with any victim that has not
been fully coordinated with the FBI ahead of time. In almost
all cases, that work is being done jointly today. So, we would
really see this in the future as strengthening that
partnership. We will have more information for both CISA, the
FBI, the Secret Service, and others when we engage with our
critical infrastructure community.
Mr. Garbarino. Mr. Silvers, do you have anything to add to
that, or?
Mr. Silvers. I agree with Executive Director Wales.
Mr. Garbarino. I appreciate that. Mr. Silvers, on Monday
the DHS finally launched the Cybersecurity Talent Management
System after it was authorized by Congress 7 years ago. While I
appreciate this new system has significant potential to bring
in the mission-critical security experts that the Department
needs, it is not a silver bullet to solving the work force
challenges at DHS and CISA. I remain concerned that despite
this innovative tool, the Department and CISA still have
onerous and duplicative vetting, elongated hiring time lines,
and a lack of robust human resources organizations. Are you
confident of the roll-out of the Cybersecurity Talent
Management System will make a difference? When do you expect to
see tangible results?
Mr. Silvers. Thank you very much, Mr. Ranking Member. I am
confident that the CTMS, as we are calling it, will achieve
tangible results. I view the hiring challenges and the
shortfall of cyber talent as a National security issue. I think
the CTMS is a critical component. I am glad we rolled it out
just a few days ago. It is not a silver bullet. We do need to
streamline other human resources processes, security clearance
processes and otherwise throughout the Department. Secretary
Mayorkas has been clear on that and is pursuing that as well.
But I do believe that the CTMS will start to show tangible
results over a period of months.
Mr. Garbarino. Great, and I have spoken to the director
recently about this and she is also very concerned. She has
some ideas of where things can move along quicker and she was
excited about CTMS coming out as well. Mr. Wales, would you
agree? Can you weigh in? You feel confident that, you know, and
I have spoken to--I was speaking to an organization of CISOs
yesterday. You know, we discussed this and the pipeline, the
employee pipeline for CISA and not having the proper people
there right now. Can you weigh in on how CISA is going to work
with CTMS?
Mr. Wales. Sure. So, you know, I think CTMS is going to be
a real and powerful tool. Already, the stats I looked at this
morning, we had over 650 applicants across all grades and all
specializations. CTMS have already put in applications into the
new CTMS system. So, we are now working to identify which of
those candidates actually passed through the assessments and
which ones can match up against job vacancies we have in the
organization. So, it really could be an extremely powerful tool
that as Under Secretary Silvers says over the next few months
we can start to see tangible results from it.
That being said, you know, we are not relying only on CTMS.
We have been on full court press on hiring for the past year.
Just in fiscal year 2021, we brought on more net gains in
fiscal year 2021 than in the previous 2 years combined times 2.
So, really aggressive in kind-of filling our billets. At the
same time, going to your point, and I mentioned this yesterday,
we are looking at the kind-of the full process to bring people
on-board and seeing what we can do internally to streamline it
and where we may need additional help from Congress. But right
now, we don't think that is the case, but if and when that
changes, we are happy to talk to you.
Mr. Torres. The gentleman's----
Mr. Garbarino. I appreciate that. I want to thank you both
for being here. Mr. Sheridan, I am just going to say your team
in New York has been phenomenal with constituent cases. So,
keep up the good work. Thank you.
Mr. Sheridan. Thank you, sir.
Mr. Torres. The gentleman's time has expired. The gentleman
from Rhode Island has 5 minutes.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank our
witnesses for your testimony today for the job you are doing
protecting the country. If I could start with Secretary
Silvers. Secretary, I think part of our strategy for defending
the country against ransomware needs to be focused on improving
the security of the devices and technologies that we use. I see
an opportunity for Government-funded R&D in the space through
critical technology security centers. A recommendation of the
Cyberspace Solarium Commission, which I served also as a
commissioner. Congressman Gallagher and I actually adopted this
idea into an amendment in this year's National Defense
Authorization Act to create 4 such centers to evaluate and test
the security of devices and technologies underpinning National
critical functions.
So, Secretary Silvers, I would be curious your thoughts on
the merits of Government-funded R&D to improve the security
ecosystem and whether you agree with the need for initiatives
like critical technology security centers.
Mr. Silvers. Thank you very much, Representative Langevin.
Thank you for your leadership in the field of cybersecurity. I
strongly agree in the importance of Government-funded research
and development in the field of cybersecurity, in particular,
cybersecurity for critical technologies, National critical
functions, and other areas where you can have National-level
impact from security vulnerability. I am aware of the Solarium
Commission's support for that kind of funding and I support
that kind of funding as well. I know you are sponsoring
legislation toward that end and I would look forward to working
with you on that legislation so that we can have the kind of
robust research and development funding we need, which is done
in part at the Department's Science and Technology Directorate,
which does an amazing job in this field.
Mr. Langevin. Very good, thank you for that. Continuing
with you, if I could, Secretary, you spoke in your testimony
about the Joint Cyber Defense Collaborative, JCDC. Which I
think is a hugely important initiative at the Department of
Homeland Security. In particular, I commend Director Easterly
for her vision in wanting to create this along with the rest of
the team, yourself included. One of the key elements that I
think should be housed within the larger JCDC superstructure is
the Joint Collaborative Environment, which I worked to include
in the version of the National Defense Authorization Act that
has passed the House already.
The JCE would improve analysis of cyber threat indicators
among public and private-sector stakeholders, and in fact
having public stakeholders and private-sector entities,
especially in the areas of the most critical infrastructure
working side-by-side seeing common threat information and such.
So, can you discuss the value of the Joint Collaborative
Environment within the Joint Cyber Defense Collaborative's
broader mission and the importance of ensuring participation
from all relevant Government stakeholders including the
intelligence community?
Mr. Silvers. Thank you, Congressman. I do believe that if
Congress mandates the creation of a Joint Collaborative
Environment, that should be rolled up within the structure of
the JCDC. We should be unifying efforts wherever possible. I
also agree strongly that all elements of Government that have a
role to play should be included within those structures so that
we are not siloing our activity but instead doing all the
activity in a coordinated way.
Mr. Langevin. So, including the intelligence community,
obviously, is part of that.
Mr. Silvers. That is correct, including the intelligence
community.
Mr. Langevin. Thank you. The last question I could of you,
Secretary Silvers, is, you know, in thinking about how to
defend the Nation from ransomware, we really can't only be
thinking only about the Colonial Pipelines of the world. Small
businesses, local governments, and other community institutions
also face serious threats from cyber criminals. How has DHS
been approaching the problem of safeguarding these institutions
against ransomware? Obviously, we have seen everything from
police departments and hospitals and municipalities being
affected, but if you could just take that question.
Mr. Silvers. Thank you, Congressman. You are correct.
Ransomware reaches right into our communities including
organizations that may not have a lot of cybersecurity
resources or expertise. It is incumbent on us to make our
expertise and resources accessible to those kinds of
organizations like schools and hospitals and police
departments. That is why we set up a one-stop ransomware
website that those kinds of organizations can visit to get full
spectrum support from the prevention side, which is critical,
because you prevent it from ever happening if you can engage
the right kinds of best practices, all the way through to
response and the support we can provide through law enforcement
and through CISA in the event they are targeted.
Mr. Langevin. Very good, thank you. I know my time has
expired. I appreciate the work that you and the team at DHS are
doing to get CISA. Sorry, I didn't get to the other witnesses'
also valuable testimony you provided. Thank you, Mr. Chairman.
I yield back.
Mr. Torres. The gentleman's time has expired. The gentleman
from Kansas is recognized for 5 minutes.
Mr. LaTurner. Thank you, Mr. Chairman. Good morning. Thank
you for being here. Mr. Sheridan, I would like to start with
you. Our law enforcement performs an essential role in
bolstering American cybersecurity by investigating a wide range
of cyber crimes and apprehending and prosecuting those
responsible. When it comes to fighting cyber crime, can you
define the different roles between the Secret Service, the FBI,
and HSI? How do you all work together collectively and define
the different roles for me.
Mr. Sheridan. Certainly. The Secret Service focus by
statute is to protect the Nation's financial infrastructure and
financial payment systems. In our position, we utilize those
statutes to, through our cyber fraud task forces located
throughout the globe in order to focus primarily on payment
systems, what affects the American public and the financial
industry. For HSI, the focus is more on intellectual property,
ecommerce, and counterfeit goods. The FBI has a broader
spectrum in terms of statutory authority that touches elements
across the law enforcement community.
I do think it is important that there is that overlap
because cyber criminals do not specialize in one type of
criminal activity that assigns itself to one statute in a very
clear way. There must be overlap because ancillary crimes
associated with cyber crimes that are used to facilitate the
precipitating crimes, such as money laundering, human
trafficking, and a full spectrum of other crimes, are required
to employ other law enforcement entities in order to partner in
that overall investigation.
Mr. LaTurner. I understand the different roles, but what I
am driving at here and this issue we see it come up time and
time and time again, are having clear defined roles for all the
entities that deal with this issue and, obviously, it is a
complicated problem. We have to have different entities address
it. But how those entities work together collectively and how
the process is streamlined because for us, I talked about this
a couple weeks ago. I have a business in my district that was
held for ransom, had their data held with a ransomware attack
for $900,000. They called their insurers and their lawyers and
the technical experts and they tell them to pay. They get it
down to $600,000. They said I think we can get it down further.
He said, for heavens' sakes, we are losing a lot of money every
day, a much bigger number than $600,000. So, they pay it. I
said, at any point did they ask you to reach out to anyone at
the Federal level? They said, no. I think that is a big
problem. So, I am going to continue to talk about this because
they said no because they didn't think that the Federal
Government could help them in any way. They didn't think it was
worth their time. So, how can those different roles as defined
as they are, how can you work together better?
Mr. Sheridan. I agree with you that it is a big problem,
sir. I will answer that question in a couple different ways.
First and foremost, we have formalized structures in place for
information sharing through our cyber fraud task forces,
through our role and presence in the National Cyber
Investigative Joint Task Force, through our role in the Joint
Cyber Collaborative with CISA. Those are specifically designed
to share information related to on-going investigations.
Second, in regards to the assessment that law enforcement
can't help or the Federal Government can't help, I would
challenge that conclusion. For us, investigation is prevention.
By being brought in early in the investigative process as was
referenced earlier, there is an ability for us to identify the
vulnerabilities that caused the intrusion or the unauthorized
access. There is the ability to identify whether the adversary
is still present in the network. Our role is to assist the
organization to become whole again to resume business
operations. Of course, to be able to enact justice against
those perpetrating the crime.
Not only that, but we have mechanisms in place through
financial institutions and partnerships in order to obtain
illicit funds that are in transit or going to criminal
accounts, criminal wallets, criminal----
Mr. LaTurner. I want to get to one more question for the
others. I would disagree with it too. But I think you would
agree with the point that we have a lot of work to do.
Mr. Sheridan. Yes, sir.
Mr. LaTurner. To be better and to change the perception.
Mr. Silvers and Mr. Wales, if you would quickly comment. This
committee has been very focused on the various roles and
responsibilities in the Federal Government cyber mission,
particularly among the roles of the DHS Secretary, director of
CISA, and the National cyber director. From your perspective,
and DHS policy, what additional work needs to be done to ensure
we have clear lines of roles and responsibilities that we can
avoid missteps like we saw in the Federal Government's response
to the attacks on Colonial Pipeline? You will have to be really
quick.
Mr. Silvers. Thank you very much, Congressman. I think
actually we are working quite well together, especially since
the creation, the recent creation of the National Cyber
Director Office. I think what it is about is teamwork. We bring
different authorities to bear, but it is about being on the
same page working together and with arms linked. I think we are
doing that.
Mr. LaTurner. Thank you. Thank you, Mr. Chairman. I yield
back.
Mr. Torres. The gentleman's time has expired. The gentleman
from New Jersey is recognized for 5 minutes.
Mr. Malinowski. Thank you, Mr. Chairman. I assume you mean
this gentleman from New Jersey.
Mr. Torres. Exactly right, Congress Member Malinowski.
Mr. Malinowski. Thank you. Well, thanks to the witnesses. I
know we are talking about defense of the homeland here, but I
do want to turn our attention to the obvious fact that the
ransomware gangs that have been wreaking this havoc are not
based in Chicago or LA or New York or in England or in France.
They are based in safe havens in countries where governments
are either unable or, I think more likely, unwilling to
confront them. I wanted to ask our witnesses a couple of
questions about that.
First of all, of course, we know that a number of these
operators have been working out of Russia and countries that
are under the influence of the Russian government and I wanted
to ask any of the witnesses whether you have seen any changes
in the operations of these groups or the efforts of governments
in Russia and in that neighborhood to crack down on them since
President Biden issued some fairly direct warnings to President
Putin at their summit in the early summer?
Mr. Silvers. Thank you, Congressman Malinowski, for the
question. We have been clear with Russia that actions are going
to speak louder than words. With respect to your question about
the trends, it is quite difficult to assess after a period of
just a few months because the vast majority of ransomware
incidents are not reported to the Federal Government. So, our
focus is on accelerating our ability to collect and get at that
kind of data so we can deliver those kinds of assessments to
you. We are doing that two ways. One, through enhanced
information-sharing programs with the private sector. We are
doing that with private cybersecurity companies, the insurance
industry, and others that have a role in the ransomware
ecosystem. We are also doing that by working with Congress on
the mandatory incident reporting legislation that is currently
being part of the NDAA process. Which would candidly be
transformative and ground-breaking in terms of our ability to
get that kind of data as to incidents, as to ransomware
payments that are made, so that we can provide better clarity
on the trendlines.
Mr. Malinowski. That makes sense and I strongly support
that provision. But just to be clear, are you saying that
absent mandatory reporting, we really have no way of knowing
whether the warnings that we have issued, the efforts, public
and private that have been made to persuade those governments
to crack down are working? I mean, surely, we must have some
visibility into that.
Mr. Silvers. It is incomplete, but we do have some data and
it is more anecdotal. We work with what we have. I want to be
clear, Representative Malinowski, that we are not sitting and
waiting for Russia to act. We have communicated that we expect
them to act. But if they will not, we will take action against
those perpetrating ransomware from their territory. I think
that is exactly what we have seen in recent months as we have
announced as an administration recent ground-breaking and
innovative enforcement actions to seize cryptocurrency
proceeds, seize cryptocurrency wallets, sanction cryptocurrency
exchanges used by ransomware actors for the first time, and
indict, as such, individuals.
Mr. Malinowski. No, and I applaud that and it is fantastic
work you are doing. But, obviously, you know, Putin could shut
these operations down in a day if he wanted to. So, this is why
I focus on that. Frankly, although we don't talk about this as
much publicly, I do believe that there is an offensive, not
just defensive, capability that we need to be employing here.
Then, finally, you know, I have asked these questions about
Russia and the former Soviet countries, but isn't it also the
case that we are seeing an emergence of ransomware groups in
other parts of the world like Southeast Asia, Sub-Saharan
Africa, for example? If so, what are we doing working with
allies in those regions to share best practices and strengthen
enforcement?
Mr. Silvers. That is very much correct, Congressman. We do
see ransomware emanating from a variety of different countries.
That is why one of the most important pillars of this
administration's ransomware strategy has been a diplomatic
effort to link arms. Recently, the White House convened over 30
participating like-minded countries to rally support for the
battle against ransomware. That includes law enforcement
investigation cooperation. It means reaching the arm of the law
to those places. Building capacity for countries that might not
have the capacity or the awareness so that we can bring more of
these people to justice. That is exactly what we are doing with
the Secret Service and other partners.
Mr. Torres. The gentleman's time has expired. The gentleman
from----
Mr. Malinowski. Thank you.
Mr. Torres. The gentleman from Mississippi is recognized
for 5 minutes.
Mr. Guest. Thank you, Mr. Chairman. Gentlemen, in your
joint written testimony on page 1, you list out various
organizations that have been impacted by ransomware. The list
contains hospitals, municipal governments, schools, police
departments, other essential businesses. Then you go further
and you talk about some of the impacts that we have seen just
within the last year of ransomware. You talk about Colonial
Pipeline and the impact that it had on gas supplies and,
therefore, gas prices. We talk about JBS and the impact that
that had on food prices. We know that ransomware attacks and
cyber attacks in general are becoming more wide-spread, more
prevalent in today's society. Then today, we are talking about
a whole-of-Government approach. What we can do all levels of
government, State, local, Federal, working together.
In my home State of Mississippi, we established a cyber
working group. Within that cyber working group, you have not
only State, Federal, and local law enforcement. It encompasses
the private sector. It includes our academic universities.
Also, includes the Department of Defense and our Mississippi
National Guard. So, my question to any of you or to the panel
as a whole, is can you talk a little bit and speak of the
importance of these types of partnerships that we are seeking
to put together in States across the union and the impact that
they will have on combatting cyber threats?
Mr. Wales. I think that those kind of working groups are
essential and actually they are going to be a key part of the
implementation of the cybersecurity grant program that was
recently approved as part of the infrastructure bill. Each
State is going to have to create or take an existing working
group like Mississippi may already have used the one they have
already created, make sure that there is adequate
representation of the right organizations, of the right people
at both the State and the local level that are going to help
shape the implementation of those grants and help to focus
where those go. They are going to approve the plans that are
required for each State that need to be developed before the
grants will be allocated.
So, and we are actively involved in a number of those cyber
working groups across this country using the field-based CISA
personnel, the cybersecurity advisors, and the State
cybersecurity coordinators that we have out there that are
designed to be that linkage between the State and local
community and the broader CISA services that we offer from
headquarters.
Mr. Guest. So, let me touch on something that you brought
up just a minute ago in one of your answers to Representative
Malinowski's question. You talked about it and it is also
contained in the written testimony about the Department of
Treasury's recent announcement of sanctions on a Russian-based
cryptocurrency exchange that was involved in transactions
involving illegal proceeds from various ransomware attacks. I
actually pulled the press release that the Treasury Department
issued and it said that this particular exchange that the
transactions showed that up to 40 percent of the known
transactions were associated with illicit actors. Can you speak
a little bit about those sanctions that were imposed and the
role that not just this particular currency exchange, but some
other currency exchanges are playing and what we are seeing as
the ransomware attacks that are happening across the country?
Mr. Silvers. Thank you, Congressman. It is a really
important question. There is just no question that the rise of
ransomware has been fueled by the availability of
cryptocurrencies that allow for anonymized payments. That
presents enormous challenges for law enforcement, for example.
But what we have determined is that there are certain exchanges
that are really being used by these threat actors because they
are not governed and they don't have the kinds of financial
regulatory controls that we expect to see in our financial
system. So, we have not hesitated as an administration to take
action against those kinds of exchanges. In fact, Treasury has
sanctioned two cryptocurrency platforms in recent months. That
is the first time that cryptocurrency exchanges have been
subject to sanctions. I expect to see a lot more activity. A
lot more aggressive disruptive action. For example, we have
recently as an administration, also seized cryptocurrency
wallets. Actually, seized the bitcoin or other digital tokens
that are used as ransomware proceeds. So, we are taking the
fight and going after these people's money.
Mr. Guest. Just one last follow-up. My time is almost up. I
know that the first cryptocurrency exchange that was sanctioned
was in Russia. Where was the second one located, if you know?
Mr. Wales. It was also Russia.
Mr. Silvers. Both Russia.
Mr. Guest. Thank you. Thank you, Mr. Chairman. I yield
back.
Mr. Torres. The gentleman's time has expired. I will
recognize myself for 5 minutes.
Mr. Silvers, I want to follow up on the questions that were
asked regarding Russia from Congress Member Slotkin and
Malinowski. The United States has said that it will no longer
tolerate Russia's safe harbor for ransomware attacks on the 16
areas of critical infrastructure. Is that correct? Yes or no?
Mr. Silvers. Yes, sir.
Mr. Torres. The implication is that we will tolerate
Russia's safe harbor for ransomware attacks on individuals and
institutions that fall outside the 16 areas of critical
infrastructure. You know, we would never make that distinction
in the physical realm, why should we make that distinction in
the digital realm? Like is that the policy of the United
States?
Mr. Silvers. Thank you very much, Mr. Chairman. I think the
policy of the United States is that any act of ransomware is a
crime and will be investigated and prosecuted. The direct----
Mr. Torres. I am referring to Russia, not to the particular
criminal actors. Are there consequences to Russia for a Russian
safe harbor for ransomware attacks on non-critical
infrastructure? Yes or no?
Mr. Silvers. Mr. Chairman, the direct discussions and there
have been some very direct discussions, are being led by the
National Security Council directly with the Russians. I would
defer to them on the content of those discussions.
Mr. Torres. I want to go back to I understand that there is
a lack of data, but there has been a lack of reporting for
years. But we have enough knowledge to know that ransomware has
been growing exponentially over the course of several years.
Have you seen among reported incidents have you seen an
increase in activity?
Mr. Silvers. At this point, I can't give a confident
assessment in the short period of time since then.
Mr. Torres. Even among the incidents that have been
reported to you?
Mr. Silvers. So, Congressman Torres, we have seen experts
who have spoken about it both ways.
Mr. Torres. I am referring to you. You have received
reports about ransomware. Have you seen an increase or a
decrease? It is a straightforward question.
Mr. Silvers. I would defer to colleagues from CISA and the
Secret Service as to the types of reports they have gotten and
whether there is a trend in the data that they can see.
Mr. Wales. What I would say is, and the assistant director
for the FBI made this clear yesterday, based upon the reporting
that is made to the Federal Government, at this time we have
not seen a change in the amount of ransomware being targeted
against----
Mr. Torres. So, it remains the same.
Mr. Wales. Yes.
Mr. Torres. So, there is no evidence that Russia is keeping
its promise.
Mr. Wales. That is a broad answer in terms of all
ransomware.
Mr. Torres. OK. Well, if nothing has changed, I would treat
it--I would ask this, do cyber-criminal organizations continue
to operate disproportionately in Russia based on the
intelligence that you have? Are those organizations--do those
organizations continue to be active?
Mr. Sheridan. Congressman, we have a list of countries that
have a more tolerant or offer safe harbor and in some cases
offer outright support to cybercriminals. Russia is one of
those countries. So, if your question is does Russia tolerate
this? As a general answer, the answer is yes.
Mr. Torres. Those organizations, to your knowledge, remain
active.
Mr. Sheridan. Yes, sir.
Mr. Torres. We have seen no, based on reported incidents,
we have seen no decrease. It seems to me that Russia has broken
its promise to the United States. But I am going to move on.
You know, we have known for a long time that cyber
criminals can exploit the anonymous or pseudonymous nature of
crypto for ransom payments, but we know from the experience of
Colonial Pipeline that law enforcement, particularly the FBI,
can exploit the transparency of blockchain for ransom recovery.
The FBI, it has been reported, recovered most of the $4.4
million ransom that Colonial Pipeline paid. Does the Secret
Service and HSI, does the Secret Service have the same
technical capacity to exploit the transparency of blockchain
for ransom recovery?
Mr. Sheridan. Yes, sir. I would say that blockchain by its
very nature is transparent. The reason--I can't comment on the
actual investigative techniques used for that seizure, but that
reason for that seizure was not solely technical in nature.
There was intelligence components involved.
Mr. Torres. Do you think with enough technical expertise
and enough public investment we could make ransom recovery the
rule rather than the exception? Or is it prohibitively
intensive and expensive?
Mr. Sheridan. That is a great question. I think we could
certainly be more proficient in it. The Secret Service is, you
know, employs a host of computer scientists, blockchain
analysts, crypto tracers who are very adept at that exact
activity. But we need to get better. We need to expand our
staffing. We need to increase our foreign presence. We need to
have greater technical capability in this arena. We can
certainly seize more of it. If it becomes the rule, that is
really hard to assess, sir.
Mr. Torres. I will ask one question. You know, ransomware,
the rise of ransomware has multiple causes. There is ransomware
as a service. Russia and Eastern Europe as a safe harbor. The
anonymous and pseudonymous nature of crypto. The lack of cyber
hygiene. Suppose each of you had a magic wand, which of these
causes would you make disappear in order to dramatically reduce
ransomware in the United States? I will start with Mr. Silvers,
and that will be my final question.
Mr. Silvers. That is a great question, Congressman. I think
the rise of affiliate networks, the ransomware as a service
where unrelated hackers can come together with a ransomware
developer to execute a strike has really sharply escalated the
volume that is hitting at us. So, I think disrupting that
network it would be critical and maybe I would choose that one.
I think that is what we are doing as an administration by
making ransomware actors feel like they cannot trust their
partners would be the test.
Mr. Torres. I just want a quick--Mr. Wales and Mr.
Sheridan, quickly, and then I have to move on to the next
questioner.
Mr. Wales. Well, I will stay on-brand for CISA. You know,
if we--everyone adopted basic cyber hygiene, implement the
multi-factor authentication, you would dramatically shrink the
universe of----
Mr. Torres. So, ransomware service, cyber hygiene, what
is--what is the cause you would make magically disappear?
Mr. Sheridan. Partnerships with law enforcement. We need
better information, better intelligence, and better
communication in order to respond to these incidents.
Mr. Torres. I appreciate the answers. My time has expired.
The gentleman from Michigan is recognized for 5 minutes.
Mr. Meijer. Thank you, Mr. Chairman, and to our
distinguished witnesses for your testimony and answering our
questions here today. Obviously, this is a critical subject
that we have prior hearings on and I think I had the
opportunity, Mr. Sheridan, to speak last time on the very same
subject that Mr. Torres was asking about the ransomware
utilization of cryptocurrency and in specific, my continuing
concern around the use of altcoins as a way pumping and dumping
to transfer revenue.
But I wanted to ask a bit more specifically--and I believe
we may have another Member not on mute. Just, if that Member
could mute. But, you know, we have seen foreign adversaries and
bad actors exploiting U.S.-based platforms in order to conduct
these cyber attacks to circumvent U.S. intelligence community
restrictions, you know, individual components that may have
restrictions based on domestic-based platforms relative to
international that U.S. persons carve out. What more can the
Federal Government do to prevent foreign entities, you know,
whether it is a state actor or a non-state actor, from doing an
end-run around some of these protections that we have so that
our intelligence community is not domestic-focused? What can we
do to make sure that that is not being exploited for the
purposes of cyber crime and specifically, ransomware?
Mr. Wales. I will start and there may be additional answers
here. I think the U.S. Government is coming at this primarily
from two angles. One is there was an Executive Order signed by
President Trump in the waning days of the administration that
was focused on improving the work with there was
infrastructure, those service providers, those virtual private
networks, and other cloud providers requiring them to do more
kind-of let's just shorthand it with kind-of know your
customer. So, improved due diligence when they are leasing
their infrastructure to particularly foreign accounts. Having
more due diligence on that. There was some work with the
Federal Government there.
Then, second, the work that we are doing with the Joint
Cyber Defense Collaborative bringing together those companies
that operate this kind of global cloud infrastructure and who
have broad visibility, making sure that we have got a good
partnership between the Federal Government and what we know
from the intelligence community, what we know from law
enforcement, what we know from our network defense work. What
they can see inside of their networks. The more that we can arm
them the more work that they can do inside of their networks to
protect their customers or their--or prevent their network from
being used to being weaponized against other potential victims.
So, that is part of the answer. Obviously, there is no perfect
solution. This is going to require more thought and more
engagement.
Mr. Sheridan. I would say from a law enforcement
perspective increasing staffing and infrastructure in foreign
locations. Also, compelling foreign exchangers and service
providers to respond and provide information when we have
evidence of crimes being committed. Increase accountability for
ISPs hosting malicious infrastructure or other elements of
criminal activity. Allowing legal process for suspects
identified in non-extraditable or non-friendly countries that
are willing to cooperate with U.S. law enforcement. There are
still obstacles for us to do so.
Mr. Meijer. Thank you, Mr. Sheridan. That actually feeds
very well into my next question, which was to Mr. Silvers. You
know, can you speak a little bit more how DHS may be utilizing
deterrence on the ransomware side. Obviously, on CISA there is
a strong emphasis on building up resilience on some of that
basic cyber hygiene on tracking the flows afterwards in
conjunction with the FBI or Secret Service. But can you speak
to what initiatives or efforts DHS is trying to engage on the
deterrence side to try to prevent particularly non-state actors
as well from engaging in ransomware?
Mr. Silvers. Thank you very much, Congressman Meijer.
Absolutely a critical component of this is defense. But also
going on offense and really disrupting and candidly scaring the
ransomware actors who are doing this so that they take their
business elsewhere. I think a key component of that is law
enforcement investigation, of course. We, as an administration,
are also pursuing some very novel actions in terms of
cryptocurrency seizures, sanctioning of cryptocurrency
exchanges that are being used by these actors. As well as other
activities that we wouldn't discuss in an open session like
this. So, we agree and we are being aggressive.
Mr. Meijer. I appreciate that. Thank you for that, Mr.
Silvers. I think you will find full support on having a panoply
of options here from the offensive to the defensive to the
preventative. With that, Mr. Chairman, my time has expired and
I yield back.
Mr. Torres. The gentleman's time has expired. The
gentlewoman from Texas is recognized for 5 minutes.
Ms. Jackson Lee. Thank you so very much, Mr. Chairman.
Thank you for holding this hearing. I believe I am almost in a
ransomware experience now in the House of Representatives in
the Rayburn Building. Forgive me for the coloration of where I
am. I am almost in complete darkness, which makes this meeting
and hearing more potent than I might have imagined. Let me pose
a question that I hope that the Members will delve into
extensively. I will say that I am an author of the original
zero-day legislation that has been modified to our current set
of circumstances. But I do believe that this hearing speaks to
that potential of dealing with the whole-of-Government approach
combatting ransomware. In the United Kingdom, there is a report
that 60 percent of organizations have been hit by ransomware-
as-a-service attacks in the past 18 months. Ransomware-as-a-
service attacks are where one group builds a malicious code and
sells it to another group to use in the virtual breaking and
entering of vulnerable enterprise organization. Just a regular
successful business. This may be an attempt for groups to
create more activity to make it more difficult to find the more
malicious and dangerous ransomware attackers.
Gentlemen, if you would answer, is the United States doing
enough to collaborate with other governments to track and
disrupt this sort of increasing business source of ransomware
attack tools out on the marketplace? Are we seeing attacks of
this nature in the United States? Is this something that is
attractive and that can become very alarming? If each of you
would answer starting with Mr. Silvers and then Mr. Wales and
Mr. Sheridan. Thank you all very much for giving me the
opportunity in the midst of darkness to ask these questions.
Thank you.
Mr. Silvers. Well, thank you, Congresswoman. I appreciate
the question and to your point about the importance of
international collaboration in combatting ransomware, we could
not agree more strongly. That is why we have really formed a
coalition of the willing of like-minded countries. We assembled
over 30 of them at the White House very recently on a joint
global initiative of responsible countries to combat this. That
is going to take the form of joint cyber crime investigations.
Sharing of cyber threat intelligence across borders. Joint
actions to disrupt these criminals wherever they may operate.
We couldn't agree more on the importance of the diplomatic
component of this and we are on it.
Ms. Jackson Lee. Thank you. Mr. Wales, you want to speak to
the idea of ransom as we go tighten our efforts? Thank you.
Mr. Wales. No, and I think your point is right. The rise of
ransomware as a service is one of the--and this goes to
Congressman Torres' point earlier--it is one of the factors
that has driven the acceleration of ransomware attacks because
it has lowered the barrier to entry. I do not need to be as
sophisticated a cyber actor if I can just rent someone else's
service and use that to launch attacks. I don't need to have
the depth of technical knowledge and expertise in order to
utilize ransomware-as-a-service platforms.
So, it has featured prominently in a number of the more
significant attacks on the homeland that we have seen over the
past year are driven by these what are called affiliates that
utilize ransomware-as-a-service variants. I think it is because
of that it had helped to sharpen the strategy we have to really
go after from a law enforcement perspective working with our
international partners the central hub, so the people who
actually are ones who are designing the ransomware-as-a-service
platforms because disrupting them could have a more pervasive
effect on the ransomware ecosystem.
Ms. Jackson Lee. Thank you. Next witness, please.
Mr. Sheridan. Yes, ma'am. Just to conclude. You know, we
have 19 foreign offices located around the globe. We partner
with Interpol, Europol, European Cybercrime Center, and other
international law enforcement partners to combat this threat.
As stated by my colleagues, this is a transnational organized
problem that is being committed by really a small cadre who are
operating, organizing, and supporting the most significant
cases that we are seeing.
The ransomware actors that are the affiliates that Mr.
Wales referenced are really the street-level thugs, to use an
interpersonal crime metaphor. What we are trying to target are
the Steve Jobs or the Bill Gates of these organizations. Our
biggest challenges are the organized networks that have
extensive leadership, levels of trust, and very complicated
organizational structures. We target, investigate, extradite,
and prosecute the top-tier criminals in those organizations. We
target the networks, not just the individuals or the variants
that allow financially-motivated cyber criminals to operate
with impunity.
Ms. Jackson Lee. Thank you very much. Thank you, Mr.
Chairman, and I look forward to a legislative response to some
of the concerns that have been raised by my question and some
of the answers that have been given. Thank you so very much. I
yield back.
Mr. Torres. The gentlewoman's time has expired. I want to
enter into the record testimony from SecurityScorecard,
entitled, ``Using Machine Learning to Assess Ransomware Risk.''
[The information follows:]
SecurityScorecard--Using Machine Learning to Assess Ransomware Risk
November 2021
Tishun Peng, PhD, Senior Data Scientist; Idin Karuei, PhD, Senior Staff
Data Scientist; Bob Sohval, PhD, VP Data Science; Department of
Data Science, SecurityScorecard
Ransomware is a rapidly growing global cybersecurity threat, with
more than 4,000 ransomware attacks daily according to the FBI. Average
ransomware payments increased by 82 percent, reaching a record high of
$570,000 in the first half of 2021 compared to 2020. Additional costs
associated with business interruption and recovery can more than double
the total cost incurred by the targeted business.
In a previous study, SecurityScorecard identified several
cybersecurity issue types that are statistically more prevalent among
ransomware victims compared to other organizations. Subsequently, we
developed a sophisticated machine learning model that estimates the
relative likelihood of a company falling victim to ransomware attack,
based on non-intrusive observations of its cybersecurity posture. The
predicted likelihood could be used to warn at-risk organizations and to
assist insurance carriers offering cyber-insurance policies.
Data and Features
Building a machine learning model to classify at-risk organizations
requires labeled training data with known status (i.e. ransomware
victim or non-victim).
SecurityScorecard's Threat Intelligence team continuously collects
ransomware victim data by crawling the dark web, where ransomware
perpetrators publish the names of victimized organizations that did not
pay the ransom. The ransomware data used to train the model consisted
of 963 non-paying ransomware victims covering a time period from
September 2018 to August 2021. Non-victim training data were randomly
selected from the more than 10,000,000 organizations monitored on the
SecurityScorecard platform and matched over the same time period.
SecurityScorecard continuously collects the findings for 76 active
issue types to evaluate an organization's overall cybersecurity
hygiene. For each issue type, we extracted 8 informative features,
including mean/max findings, mean/max findings normalized by digital
footprint size, mean/max issue prevalence among comparable
organizations, and the occurrences of non-zero finding and prevalence
over a 3-month period leading up to the individual ransomware events.
Additionally, digital footprint and employee count are also included as
organization-level features.
When developing a machine learning classifier to distinguish
between two classes (ransomware victim and non-victim), it is important
to include features which have different distributions for the two
classes. The greater the difference between the two distributions for a
given feature, the more it will contribute to the final model's ability
to correctly distinguish between the two classes.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The comparative distributions for two sample features are shown in
the plots above. While there is overlap between the distributions for
the ransomware and non-ransomware cohorts in both cases, TLS weak
cipher (use of a weak cryptographic cipher) exhibits better separation
than Exposed RDP Service (remote desktop protocol service exposed to
the internet), which is regarded as one of the exposed services that
ransomware attackers often exploit.
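The comparison of per-feature distributions described above can be made concrete with a two-sample Kolmogorov-Smirnov statistic. The following is an added example, not part of SecurityScorecard's submitted statement and not its method: the KS statistic is one common separation measure chosen here for illustration, the key exposed_rdp_service is a hypothetical name for the Exposed RDP Service issue type, and all sample values are constructed.

```python
from bisect import bisect_right
from math import sqrt

# Constructed per-organization finding counts (not real data).
# "exposed_rdp_service" is a hypothetical key; "tls_weak_cipher" appears in the statement.
VICTIMS = {
    "tls_weak_cipher": [3, 5, 8, 4, 6, 7, 2, 9, 5, 6],
    "exposed_rdp_service": [0, 0, 1, 0, 2, 0, 1, 0, 0, 1],
}
NON_VICTIMS = {
    "tls_weak_cipher": [0, 1, 0, 2, 3, 1, 0, 4, 1, 2],
    "exposed_rdp_service": [0, 0, 0, 0, 1, 0, 0, 1, 0, 0],
}


def ks_statistic(a, b):
    """Largest gap between the empirical CDFs of two cohorts (0 = identical, 1 = disjoint)."""
    if not a or not b:
        raise ValueError("both cohorts need at least one observation")
    sa, sb = sorted(a), sorted(b)
    gap = 0.0
    # The empirical CDFs only change at observed values, so checking those is sufficient.
    for x in set(sa) | set(sb):
        cdf_a = bisect_right(sa, x) / len(sa)
        cdf_b = bisect_right(sb, x) / len(sb)
        gap = max(gap, abs(cdf_a - cdf_b))
    return gap


def ks_critical(n, m, c_alpha=1.358):
    """Large-sample rejection threshold; c_alpha = 1.358 corresponds to alpha = 0.05."""
    return c_alpha * sqrt((n + m) / (n * m))


def rank_features(victims, non_victims):
    """Return (feature, ks, significant) tuples, best cohort separation first."""
    rows = []
    # Only features observed in both cohorts can be compared.
    for name in victims.keys() & non_victims.keys():
        a, b = victims[name], non_victims[name]
        ks = ks_statistic(a, b)
        rows.append((name, ks, ks > ks_critical(len(a), len(b))))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, ks, significant in rank_features(VICTIMS, NON_VICTIMS):
        print(f"{name:22s} KS={ks:.2f} significant_at_5pct={significant}")
```

On these constructed cohorts a feature can overlap heavily between victims and non-victims and still rank, but with only ten organizations per cohort a small gap does not clear the significance threshold.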
Machine learning algorithms find correlations between features and
class labels (i.e. ransomware victim and non-victim), and build an
ensemble of ``weak learners'' into a robust classifier.
This is a statistical process and it should be noted that
``correlation does not imply causation.''
Results and Discussion
Numerous machine learning models were evaluated and the random
forest classification model was selected to build the classifier. The
objective is to correctly identify as many ransomware victims as
possible (true positive rate), while simultaneously correctly
identifying as many non-victims as possible (true negative rate). The
following table shows the final performance achieved and measured using
10-fold cross validation.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The table above illustrates that the classification model correctly
identified 80 percent of ransomware victims while also correctly
identifying 87 percent of the non-victims. The 95 percent confidence
intervals on these values are also presented.
The chart below shows a list of features ranked by their
importance in classifying the ransomware and non-victim cohorts. Among
them, digital footprint, exposed_personal_information, tls_weak_cipher,
csp_no_policy, and unsafe_sri are ranked among the most important features.
It is worth noting that they are also listed as the most prevalent
issues among the ransomware victims according to the blogpost and paper
published by SecurityScorecard.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Conclusion
SecurityScorecard has developed a machine learning model to measure
the susceptibility of an organization to becoming a victim of a
ransomware attack. The model was trained using labeled data harvested
from the dark web and SecurityScorecard's historical cybersecurity
data. The model achieves a True Positive Rate of 80 percent and a True
Negative Rate of 87 percent. This performance can assist organizations
in managing the risk of ransomware attack and also help insurance
carriers monitor cyber-insurance portfolio risk.
Mr. Torres. With that, I thank the witnesses for their
valuable testimony and the Members for their questions. The
Members of the subcommittees may have additional questions for
the witnesses and we ask that you respond expeditiously in
writing to those questions.
The Chair reminds Members that the subcommittees' record
will remain open for 10 business days. Without objection, the
subcommittees stand adjourned.
[Whereupon, at 11:38 p.m., the subcommittees were
adjourned.]