[Senate Hearing 117-829]
[From the U.S. Government Publishing Office]
S. Hrg. 117-829
AMERICA UNDER CYBER SIEGE: PREVENTING
AND RESPONDING TO RANSOMWARE ATTACKS
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
JULY 27, 2021
__________
Serial No. J-117-30
__________
Printed for the use of the Committee on the Judiciary
www.judiciary.senate.gov
www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
54-737 WASHINGTON : 2026
-----------------------------------------------------------------------------------
COMMITTEE ON THE JUDICIARY
RICHARD J. DURBIN, Illinois, Chair
PATRICK J. LEAHY, Vermont
DIANNE FEINSTEIN, California
SHELDON WHITEHOUSE, Rhode Island
AMY KLOBUCHAR, Minnesota
CHRISTOPHER A. COONS, Delaware
RICHARD BLUMENTHAL, Connecticut
MAZIE K. HIRONO, Hawaii
CORY A. BOOKER, New Jersey
ALEX PADILLA, California
JON OSSOFF, Georgia
CHARLES E. GRASSLEY, Iowa, Ranking Member
LINDSEY O. GRAHAM, South Carolina
JOHN CORNYN, Texas
MICHAEL S. LEE, Utah
TED CRUZ, Texas
BEN SASSE, Nebraska
JOSH HAWLEY, Missouri
TOM COTTON, Arkansas
JOHN KENNEDY, Louisiana
THOM TILLIS, North Carolina
MARSHA BLACKBURN, Tennessee
Joseph Zogby, Chief Counsel and Staff Director
Kolan L. Davis, Republican Chief Counsel and Staff Director
C O N T E N T S
----------
OPENING STATEMENTS
Durbin, Hon. Richard J.
Grassley, Hon. Charles E.
Feinstein, Hon. Dianne
WITNESSES
Downing, Richard W.
    Prepared statement
    Responses to written questions
Goldstein, Eric
    Prepared statement
    Responses to written questions
Sheridan, Jeremy
    Prepared statement
    Responses to written questions
Vorndran, Bryan A.
    Prepared statement
    Questions submitted with no response returned
APPENDIX
Items submitted for the record
AMERICA UNDER CYBER SIEGE: PREVENTING
AND RESPONDING TO RANSOMWARE ATTACKS
----------
TUESDAY, JULY 27, 2021
United States Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., in Room
226, Dirksen Senate Office Building, Hon. Richard J. Durbin,
Chair of the Committee, presiding.
Present: Senators Durbin [presiding], Feinstein,
Whitehouse, Klobuchar, Coons, Blumenthal, Hirono, Booker,
Ossoff, Grassley, Graham, Cornyn, Cruz, Sasse, Hawley, Cotton,
Tillis, and Blackburn.
OPENING STATEMENT OF HON. RICHARD J. DURBIN,
A U.S. SENATOR FROM THE STATE OF ILLINOIS
Chair Durbin. The hearing will come to order. Today, the
Committee will discuss the growing number of ransomware attacks
which are increasingly disrupting our economy and our lives.
Today's hearing is the first ever Full Committee hearing of the
Judiciary Committee on ransomware. It marks the first
congressional testimony this year by the Justice Department and
FBI on this threat.
Majority Leader Schumer asked the Senate Committees to
review how the agencies under their jurisdiction are responding
to the ransomware threat. Ranking Member Grassley also
requested today's hearing, and we consulted with his staff on
choosing the witness panel. We'll hear from a panel of experts
from the Department of Justice, the FBI, Cybersecurity and
Infrastructure Security Agency, a.k.a. CISA, I believe, and the
Secret Service.
They will discuss the scope of the threat and what the
agencies are doing to prevent it. They'll also provide guidance
on best practices on how businesses and organizations can
protect themselves. Before we get started, I'd like to turn to
a brief video that gives us a sense of the ransomware threat.
[Video is shown.]
Chair Durbin. It's about more than money and inconvenience.
The harm of ransomware can affect real lives. An example: On
October 28th of last year, an oncology nurse named Colleen
Kargil was preparing a patient for a chemotherapy infusion when
she made an unsettling discovery. She couldn't log in to her
computer. Every time she typed in her credentials, the system
would boot her out. She tried logging in from a back-up
computer. That didn't work either. Instead, she was greeted by
a red circle with a diagonal line drawn through it.
At that moment, she realized that her hospital, the largest
medical system in the State of Vermont, had been infiltrated.
The network had been shut down. The hackers behind the attack
were holding the hospital's data hostage, which meant Colleen
and her colleagues couldn't access patient data for their
cancer patients. They had to try to recreate patient
chemotherapy protocols from memory and copies of old faxes. The
hospital's electronic medical system would remain offline for
nearly a month.
Colleen told the New York Times those weeks were the worst
of her life. She's not alone. Colleen and her patients are just
a few of the many Americans who've been victimized by
ransomware attacks.
Nearly every organization and industry is vulnerable.
Hospitals, school districts, local governments, nonprofits,
businesses large and small. Here's how it works: Hackers break
into your computer system, lock up your data, demand a ransom
payment, often through untraceable cryptocurrency, for the
return of the data. Though any person or entity can be targeted
in a ransomware attack, it's been estimated that small
businesses make up over half of the victims.
These attacks can cause permanent damage. Last year, it took
an average of 9 months for a business to fully recover from a
ransomware attack. Even the biggest and most profitable
companies in the world are at risk. Earlier this year, we
remember the cybercrime syndicate knocking out Colonial
Pipeline, the largest pipeline operator in the United States.
That shutdown sparked a nationwide panic that had customers
waiting in line at gas stations for hours. The incident brought
the ransomware attack into plain view.
They're becoming more frequent, more destructive. The tools
needed to commit them are easily accessible. Last year, global
ransom payments reached $350 million. A recent New Yorker piece
talked about the average payment for ransomware; 2018, average
payment, $7,000. 2019, $41,000; 2020, somewhere between $200
and $300,000.
In recent months, barely a day has gone by without news of
a ransomware attack. By one estimate, American businesses,
healthcare facilities and organizations and State and local
governments are projected to endure more than 65,000 ransomware
attacks this year alone.
This is a criminal business model that is spreading. If
someone wants to commit an attack, they can easily purchase or
lease ready-to-use ransomware. According to one expert, it's
quote ``way too easy to get into this. Just hire it out.''
There's been an incredible commoditization of the entire
process. I'm concerned, as well, that ransomware criminals
often operate with impunity in Russia and other nations. Those
nations are unwilling to prosecute or pursue the evildoers.
We need to attack this new reality. We need new protocols
for preventing and responds--responding to ransomware attacks.
The President understands it. His administration is taking a
whole-of-Government approach to prevent, deter, and respond.
They recently launched a cross-Government task force to
coordinate offensive and defensive measures against these
attacks and to help businesses. The administration also
launched stopransomware.gov, a new website that provides one
central location for ransomware resources.
These efforts are welcome because when it comes to
ransomware, it's not just our money that's at stake. It's
sensitive information, a personal sense of security, and,
truthfully, our Nation's security. It's a critical challenge,
and this Committee will do its part to meet it, starting with
today's hearing. I turn to my friend and Ranking Member, Chuck
Grassley.
STATEMENT OF HON. CHARLES E. GRASSLEY,
A U.S. SENATOR FROM THE STATE OF IOWA
Senator Grassley. Thank you, Chairman Durbin, for holding
this hearing. I thank you for agreeing--I'd better turn this
off. I thank you for agreeing to hold this hearing, an
important bipartisan hearing on the problem of ransomware. You
hear about it every day. I've appreciated working with you on
this subject and look forward to continuing to work if we
decide that legislation is necessary.
The threat that we face from ransomware is increasing.
Criminal actors are using techniques like phishing emails to
gain access to the data of businesses, nonprofits, or
governments. The criminal actors then lock the data down and
demand a large ransom, which is usually very difficult to trace
because virtual currency like Bitcoin is used to pay it. Yet
paying the ransom is no
guarantee that the victim will have their data returned, and
that they will not be victimized again and asked to pay yet
another ransom.
Earlier this year, we had FBI Director Chris Wray compare
the challenge of fighting ransomware to those we faced after
9/11. Estimates on the amount of ransom paid in 2020 ran into the
hundreds of millions of dollars. Ransomware has targeted
schools, local governments, and during this pandemic, can you
believe it, even hospitals and healthcare providers.
In May, two massive ransomware attacks hit a critical
supply of gas, the Colonial Pipeline and a major supplier of
meat, the JBS slaughtering operation. These events created very
disturbing questions about the security of our supply of
essential goods like fuels and food.
Since that time, I've received questions from many Iowans
about what we can do as a nation and as individuals to fight
the threat of ransomware. This hearing will help us answer
those questions.
Ransomware does not just affect the deeper pockets of large
companies like Colonial Pipeline and JBS. An estimated three
out of every four victims of ransomware are small businesses.
Small businesses already operate on thin margins, and many have
been pushed to a brink by the pandemic. I'm glad that we'll be
hearing today what Government agencies like Cybersecurity and
Infrastructure Security Agency at the Department of Homeland
Security can do to help small business owners to practice good
cyber protection to avoid ransomware attacks.
We will also be hearing which investigators like FBI and
the Secret Service can do for those who have been victimized.
Ransomware often originates from countries with permissive law
enforcement environments that allow these cybercriminals to
flourish. So-called ransomware as a service is a business
model--can you believe that? Employed by Congress--criminal
networks, such as DarkSide and REvil. DarkSide and REvil are
behind many of the recent acts--recent attacks.
These criminal organizations work like illicit software
providers, creating ransomware and leasing it to other criminal
actors like--known as affiliates for a share of the profits. We
will be hearing from the Department of Justice how these
criminal actors can be targeted and punished.
The situation would be dire enough if ransomware was used
only by sophisticated criminal actors in countries unwilling to
help bring them to justice. However, just last week, the Biden
administration and many countries which are allies of the
United States formally blamed China for a massive hack of
Microsoft Exchange email servers. Hackers operating under the
umbrella of China's own Ministry of State Security appeared to
have used the hack to engage in ransomware schemes for their
own profit. They will have extorted millions in ransom from our
own U.S. victims.
I have spoken many times on the dangers of cyberattacks,
theft of intellectual property, and other aggressive behavior
by China. I fear that ransomware will be a new method used by
the Chinese Communist Party against Americans and I will be
pursuing opportunities to combat that danger. I look forward to
hearing the testimony about what the executive branch agencies
are doing to fight ransomware and what we as a country can do,
and I thank all of our witnesses for attending.
Chair Durbin. Thanks, Senator Grassley. Senator Feinstein
asked to say a few words.
STATEMENT OF HON. DIANNE FEINSTEIN,
A U.S. SENATOR FROM THE STATE OF CALIFORNIA
Senator Feinstein. Yes. Just a brief comment, Mr. Chairman.
I've been on this Committee a long time. It's really not often
that you pick up your binder and something in it immediately
alerts you. Ransomware immediately alerts me to a real problem.
We've had 2,474 complaints related to them presented to the
FBI, and all I wanted to say is that I think we've got to take
this very seriously and pass some legislation to deal with it.
Thank you.
Chair Durbin. Thank you, Senator. I want to thank this
panel of four witnesses. We have extraordinary career Federal
employees who are involved in pursuing this issue.
Richard Downing served since 2015 as the Deputy Assistant
Attorney General for the Criminal Division in the Department of
Justice. He oversees the work of the Criminal Division's
Computer Crime and Intellectual Property Section and its Child
Exploitation and Obscenity Section.
Bryan Vorndran was appointed Assistant Director of the
FBI's Cyber Division in March. He was previously Deputy
Assistant Director of Criminal Investigation and the Assistant
Special Agent in Charge of cyber and counterintelligence
programs in Baltimore.
Eric Goldstein, appointed in February as the Executive
Assistant Director for Cybersecurity at the Cybersecurity and
Infrastructure Security Agency within the Department of
Homeland Security.
Finally, Jeremy Sheridan, appointed in April as the
Assistant Director of the Office of Investigations at the
United States Secret Service.
Each witness will have 5 minutes, and then there will be
follow-up questions asked for 5 minutes by each member of the
panel. We start this off with swearing in the witnesses. I ask
you all to please rise and raise your right hand.
[Witnesses are sworn in.]
Chair Durbin. May the record reflect that the witnesses
agreed in the affirmative. Mr. Downing, you're first up.
STATEMENT OF RICHARD W. DOWNING, DEPUTY
ASSISTANT ATTORNEY GENERAL CRIMINAL DIVISION,
U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Mr. Downing. Good morning, Chairman Durbin, Ranking Member
Grassley, and Members of the Committee. Thank you for the
opportunity to testify about the Department of Justice's
efforts against ransomware.
I'd like to emphasize three themes from my statement for
the record. First, ransomware is a very serious problem, but it
is also a tough problem to solve. Second, the Department has
had some recent successes in addressing that problem, but we
are redoubling our efforts. Third, Congress can help.
The ransomware attacks over the past months have made it
very clear that ransomware is a serious threat to our public
safety and our national and economic security. It has been used
to attack governments, police departments, and even hospitals
during the pandemic. The number of attacks and the size of
demands has skyrocketed in the last year. Some demands now
exceed $50 million. Even worse, many actors now steal
information from victims, like trade secrets or client files,
and release that information on the internet if the ransom is
not paid.
A number of factors make it hard to solve this problem in
the way that we might normally address a crime problem.
Ransomware attacks are often committed by offenders outside our
borders. Investigators often need to make requests for
assistance to foreign law enforcement agencies to gather
evidence in other countries, a process that can be cumbersome
and time-consuming. Countries like Russia have refused to
extradite offenders living within their borders or prosecute
them themselves.
To make matters worse, many of these crimes involve
anonymizing technologies, such as the Tor network and
anonymity-enhanced cryptocurrencies, making it hard to identify
perpetrators.
Finally, investigations are hindered because many victim
companies choose not to report to Federal authorities. I'll
touch on this more in a moment.
Despite these difficulties, we have had some recent
successes, and we're keenly focused on doing more. In May, most
of the ransom paid by the Colonial Pipeline was recovered. In
January, the United States, Canada, and Bulgaria disrupted
NetWalker, a ransomware variant that was used to attack
hospitals during the pandemic. Also in January, the Department
and international partners disrupted Emotet, a botnet that was
used to send ransomware to victim computers.
We are not resting on these laurels. Department leadership
created a ransomware and digital exploitation task force to
focus attention on this problem. This task force will help to
make sure that the Department is doing all it can to arrest
offenders and disrupt their crimes, as well as to assure robust
coordination with partners across the Federal Government and
within the private sector. It is a key part of what must be a
whole-of-Government solution. We are committed to working with
partner agencies across the executive branch to address the
threat.
What can Congress do to help? First and foremost, we face a
gap in reporting from victims. Without prompt reporting,
investigative opportunities are lost. Our ability to assist
other victims facing the same attacks is degraded, and the
Government and Congress does not have a full picture of the
threat facing American companies. Congress should enact
legislation to require victims to report.
We recommend that a reporting requirement include
ransomware attacks, critical infrastructure attacks and other
high impact breaches. We think reports should be prompt and
should include details about any ransom demand or payment.
Legislation should designate a single point where victims can
file reports, with immediate sharing to all Federal--relevant
Federal agencies. Victims should not be worse off for helping
the Government. They should maintain whatever legal privilege
they had on that information prior to sharing the information.
Finally, we would ask Congress to enact legislation that
would help the Department disrupt ransomware and mass hacking.
This legislation would give courts the authority to enjoin
ransomware and botnets affecting 100 or more computers. Our
proposal also contains other helpful amendments that would
enhance our ability to charge offenders and disrupt attacks.
I want to thank the Committee again for providing me the
opportunity to discuss these important issues, and I'm happy to
answer your questions when that time comes. Thank you.
[The prepared statement of Mr. Downing appears as a
submission for the record.]
Chair Durbin. Thanks, Mr. Downing. Mr. Vorndran.
STATEMENT OF BRYAN A. VORNDRAN, ASSISTANT
DIRECTOR, CYBER DIVISION, FEDERAL BUREAU
OF INVESTIGATION, WASHINGTON, DC
Mr. Vorndran. Good morning, Chairman Durbin, Ranking Member
Grassley, and Members of this Committee. Thank you for the
opportunity to be here to represent the FBI in our cyber
program, and to sit with our Federal partners as a unified
front against this growing ransomware threat in the country.
As you know, this hearing comes at an important time. Your
title says it all. As the cyber community learns from past
incidents and works to ensure all the Nation's people,
companies, and levels of government are protected from future
ransomware attacks.
At the FBI, we've been sounding the alarm on ransomware for
some time now. The 5-year cyber strategy Director Wray
announced last year gives us a road map to continue to mitigate
this threat. Using this strategy, our goal is to not only
pursue our own actions, but also work seamlessly with our
domestic and international partners to defend our networks,
attribute malicious activity, sanction bad behavior, and take
the fight to our adversaries overseas. Our success relies on
our ability together to impose risk and consequences on
malicious cyber actors, and to do so through joint operations
sequenced for maximum, durable impact.
We have to target the entire criminal ecosystem, including
malware developers, money launderers, and shady infrastructure
providers, and bring together the insight of Government
partners, cyber security firms, service providers, and victims
in this common fight.
Two successes made possible by our cyber strategy were the
recent Emotet and NetWalker disruptions, as mentioned by Mr.
Downing. In January, in coordination with the Intelligence
Community, an unprecedented number of foreign law enforcement
partners in the private sector, we disrupted Emotet, one of the
longest lasting, costly, and sophisticated cybercrime services.
In the 9 months leading up to the takedown, it's estimated
Emotet caused hundreds of millions of dollars in damage and
infected more than 1.6 million computers. That same month, we
also worked with international partners to disrupt the
NetWalker ransomware variant, which had been responsible for
impacting numerous victim companies, municipalities, and
schools. As part of that operation, we obtained Federal
charges, a subject was arrested, and we seized nearly $27.5
million in cryptocurrency.
Today, you'll hear from four agencies working together on
the front lines of this fight, but ransomware has become so
widespread it can't be solved by Federal action alone. We need
Congress and the public to assist. We need a Federal cyber
incident-reporting standard for breaches that pose significant
risks because inconsistent voluntary reporting is simply not
enough. We need affected entities to report to the Federal
Government as promptly as possible and within a defined
timeframe because we must act swiftly.
We need ransomware reports to include all information about
the ransom demand and any potential ransom payment information
because we can't let cybercriminals extort victims without
repercussions.
This may scare some folks out there. We understand why you
may be hesitant to report an attack and to work with law
enforcement. We do get that. I want you to know we're here to
help you. As the FBI does with all victims we encounter in our
work, we aim to inform, support, and assist ransomware victims
in navigating the aftermath of crime and the criminal justice
process with dignity and resilience.
We want to empower victims of cybercrime because by working
with law enforcement you move us closer to the day when the
people who victimized you can't strike again. When we receive
information from you, we're going to use it to help limit
damage to you and others, to improve our national security, and
to keep others from being victimized. When victims work with
us, everybody wins except the bad guys.
You all have constituents who have been hurt by ransomware,
and I had personal experience with this issue as an FBI Special
Agent in charge. When I was in New Orleans in 2019, the
Louisiana Governor's office declared two separate states of
emergency following a wave of ransomware attacks against school
districts across the State and government agencies. As the
father of school-age children, this hits home.
We're here today to inform you, your constituents, and the
American public about ransomware to make sure everyone knows
this is a whole-of-Government, but perhaps more importantly, a
whole-of-society issue, and to make it clear what people can do
to protect themselves and how to respond if they unfortunately
become a victim. Again, thank you for inviting us to address
this important topic, and I look forward to answering your
questions.
[The prepared statement of Mr. Vorndran appears as a
submission for the record.]
Chair Durbin. Thank you, Mr. Vorndran. Mr. Goldstein.
STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE
ASSISTANT DIRECTOR FOR CYBERSECURITY,
CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY, ARLINGTON, VIRGINIA
Mr. Goldstein. Chairman Durbin, Ranking Member Grassley,
Members of the Committee, thank you for the chance to speak
with you today on behalf of CISA and about this urgent threat.
Thank you, Mr. Chairman, for your opening video, which really
reflects the urgency of this issue, and the fact that
ransomware intrusions can now impact the national critical
functions upon which American families, businesses, and all
levels of government depend.
As the lead agency for civilian cybersecurity, CISA plays a
key role in managing the risk of ransomware. We don't do it
alone. One theme today will be that this is truly a whole-of-
Government and whole-of-Nation effort in which all agencies are
aligned toward a shared outcome, reducing the prevalence and
impact of ransomware intrusions affecting our country.
Many of CISA's efforts to mitigate ransomware are focused
on ensuring that all organizations in this country, big and
small, across sectors, understand three key points. The first
is that ransomware intrusions can affect any organization, from
a small business to a Fortune 100 corporation. The second is
that ransomware intrusions can cause prolonged downtime,
significant financial implications, and potential impacts to
public health and safety. The third is that investing in
cybersecurity best practices has been shown to be demonstrably
effective in reducing the prevalence and impact of these
intrusions.
To this latter point, Chairman, as you mentioned, just last
week, CISA and our partners across the interagency, including
the FBI and the Secret Service, launched stopransomware.gov a
new whole-of-Government website intended to provide
organizations across the country with access to resources to
prevent intrusions, respond to intrusions, and report them when
they occur. This website builds upon our earlier campaigns on
this topic, including our secretary's Ransomware Sprint and our
earlier Reduce the Risk of Ransomware campaign.
We also offer a variety of no-cost voluntary services that
businesses around the country can take advantage of to help
secure their networks and identify risks. In particular, I'll call out
a ransomware readiness assessment, which is a self-assessment
tool that helps organizations identify their preparedness for
responding to and managing a ransomware intrusion.
Going forward, it is very clear that we, as a Government
and as a Nation, need to do more to address ransomware
intrusions and the broader cybersecurity risks we face. The
stakes are simply too high.
First, CISA and our partners across Government must gain
increased visibility into cybersecurity intrusions and threats
affecting our Nation's businesses and State, local, Tribal, and
Territorial entities. Without this visibility, we are unable to
effectively share information, develop timely alerts, help
victims, and understand impacts of these intrusions to the
national critical functions upon which we all depend.
As my colleagues have noted, we look forward to working
with Congress on incident-reporting legislation that will
significantly increase the volume of incidents that are
reported to CISA and our Government partners today to ensure
that we can act with urgency to render assistance and
understand the breadth of these campaigns affecting American
companies.
Second, we must continue to invest in and mature our
voluntary partnerships with the private sector and our State
and local partners across the country. Over the past several
months, the interagency has worked in collaboration with the
private sector to focus on cyber-defense against known
ransomware campaigns, and, going forward, we are shortly
launching our new cyber-defense collaboration effort, as
established by last year's NDAA to formalize and bring together
the private sector and Government in a way that will allow us
to exercise the best of the private sector and Government in
managing these risks.
Last, we must recognize that at least in the near term, we
cannot prevent all intrusions and must drive a focus on
resilience and functional continuity to ensure that intrusions
don't impact the critical functions upon which Americans
depend. To this end, the Cyber Response and Recovery Fund, an
effort recommended by the Cyberspace Solarium Commission, and
recently passed by the Senate, would provide CISA with
additional resources and capacity to respond rapidly to
catastrophic cyber incidents.
Our Nation is facing unprecedented risk from these kinds of
intrusions. CISA and our partners across the agency are deeply
focused on this risk, and we all must continue to redouble this
focus, working with the private sector, with our State, local,
Tribal, and Territorial partners, and with Congress to make
sure that we are minimizing risks to our people, to our
businesses, and to our Government.
Thank you again for the chance to be here, and I very much
look forward to your questions.
[The prepared statement of Mr. Goldstein appears as a
submission for the record.]
Chair Durbin. Thanks, Mr. Goldstein. Mr. Sheridan.
STATEMENT OF JEREMY SHERIDAN, ASSISTANT
DIRECTOR, OFFICE OF INVESTIGATIONS, UNITED
STATES SECRET SERVICE, WASHINGTON, DC
Mr. Sheridan. Good morning, Chairman Durbin, Ranking Member
Grassley, and Members of this Committee. Thank you for inviting
me to testify on the threat of ransomware, the growing risks it
poses to the American people, and the work of the U.S. Secret
Service and our partners to hold criminal actors accountable.
In my role as the Assistant Director of Investigations, I
lead our more than 160 global field offices and direct our
network of cyber fraud task forces. I work to ensure that we
are effectively detecting and arresting those actors engaging
in the criminal violations we are authorized to investigate,
while fully supporting our diverse protective requirements
across the world.
The U.S. Secret Service is a relatively small, specialized
agency within the broader Federal law enforcement community.
Our investigative expertise, capabilities, and statutory
authorities are all focused on our mission to protect America's
financial infrastructure and payment systems from criminal
abuse.
The Secret Service's distinct focus allows us to keep pace
with rapid changes in the financial sector, and with the
criminal schemes seeking to exploit those changes. Indeed, the
Secret Service has been conducting investigations of cybercrime
since well before they were even called cybercrimes.
Our approach has remained consistent over the decades. By
pursuing illicit proceeds, developing detailed evidence on
transnational cybercrime networks, and by working with our
partners around the globe, we have brought to justice some of
the world's most infamous cybercriminals, including many who
were thought to be beyond the reach of law enforcement. In
particular, we have prioritized the investigation of key
enablers of cybercrime, such as illicit digital money
platforms, dark web forums, and other services that enable
transnational cybercriminal activities, like the use of
ransomware.
Our long investigative tradition focused specifically on
financial crimes leads us to view today's ransomware crisis
through a historical lens, one driven by three complex and
interrelated factors.
First, the swelling profitability of these attacks, largely
as the result of the growth of cryptocurrencies as a form of
extortion payment. Second, the inadequate security systems
connected to the internet. Third, perhaps most importantly, the
maturation of a cybercriminal ecosystem that we have not
sufficiently suppressed and is now engaged in increasingly
brazen attacks.
It does us no service to sugarcoat the reality of today's
situation. Cybercriminal networks are emboldening and
expanding. Today, ransomware is menacing our economy and our
Homeland Security. Cybercriminals are making more money and
doing more harm to our society than ever before. They are
creating a highly destabilizing force in international
relations and risking unintended escalation as States look to
consider their response options.
To reiterate what my colleagues here today have all
emphasized, there's no silver bullet for addressing the
ransomware threat or our mounting cybersecurity risks. Federal
law enforcement can act in meaningful ways to improve the
current situation.
First, we must reduce the profitability of ransomware
campaigns by improving our ability to detect and interdict
cybercrime proceeds. This will require a significant investment
in tools, training, and personnel at home, as well as
strengthened partnerships overseas.
Second, we must work with technology companies and internet
users to improve their defenses and resilience against cyber
threats.
Third, we must dramatically intensify our national and
international efforts to investigate, arrest, and prosecute
those engaged in transnational cybercrimes, including
ransomware.
Absent these combined efforts, I anticipate an increase in
both the severity and frequency of highly disruptive ransomware
attacks. Attacks that will make recent incidents seem rather
mild by comparison. This should not be a political or
geopolitical debate. Ransomware is endangering us all.
Criminals are not targeting just big businesses, but schools,
city governments, local police departments, and other services
upon which the American people depend.
Progress is possible. The Secret Service's successful
investigations of the recent ransomware attacks on the
Washington, DC, Metropolitan Police Department and the City of
Atlanta show that we can hold criminals accountable.
Our March, 2020 alert, which notified dozens of U.S.
hospitals and healthcare providers of criminal presence in
their networks, potentially preventing numerous ransomware
attacks shows the ways that proactive information sharing can
tangibly reduce cybersecurity risk. However, going forward,
meaningful gains will require a renewed commitment on the part
of the international community to make it clear that such
destructive criminal activities are acceptable in a civilized
world.
Thank you again for the opportunity to appear before you
today, and for your continued support of the U.S. Secret
Service. I look forward to working closely with this Committee
and with other Members of Congress on our shared priorities and
welcome your questions.
[The prepared statement of Mr. Sheridan appears as a
submission for the record.]
Chair Durbin. Thank you very much, Mr. Sheridan. Mr.
Downing, on June 7th, the Department of Justice announced that
it seized $2.3 million in cryptocurrency paid to the hackers
behind the May ransomware attack on Colonial Pipeline. The
criminal syndicate named DarkSide demanded a ransom in
Bitcoins and Colonial Pipeline paid it. According to DOJ press
release, law enforcement was able to review the Bitcoin public
ledger, track transfers of Bitcoin, and identify $2.3 million
in proceeds from these ransom payments.
It seems, for lack of a better reference, that
cryptocurrency and Bitcoins are the coin of the realm when it
comes to this ransomware. What can we do? What specific laws
should we enact in the United States to be responsive to this
and diminish the role of cryptocurrency?
Mr. Downing. Thank you very much for the question. I agree
completely that the cryptocurrency has, unfortunately, fueled
this rise of crime. It has two key aspects to it. It's often
anonymous and it is nonreversible. That is, once it's passed to
the criminals, it's very difficult to claw it back.
We do not have a current proposal to enhance our authority
to track or to interdict these kinds of things, but it's
something that's very much under consideration. We definitely
see this as an increased problem and look to the laws that we
already have on the books, like the Bank Secrecy Act, to
enforce the rules and regulations that are already applying to
cryptocurrency exchanges and other actors in this space.
Chair Durbin. That's exactly the point. We enacted laws so
that the transfer of certain amounts really required
disclosures to the Government so we could monitor those. It's
not a perfect system by any means. It would seem that the
Bitcoin and cryptocurrency need to be subject to some sort of
review, surveillance, or regulation, as well.
Let me ask you another question and to the panel, and maybe
someone else would like to take it on. There was an article on
June 7th in the New Yorker entitled, ``The Go-Between,'' by
Rachel Monroe. It talked about the similarities between
kidnapping and ransomware, and she wrote that about three-
quarters of Fortune 500 companies eventually invested in kidnap
and ransom insurance. There was some discomfort in the industry
that they were funneling money to the mafia, terrorist groups,
and criminal gangs, but by establishing some sort of a method
to this madness, they were able to recover 97 percent of the
kidnap victims without harm.
Several countries went an extra step. Particularly Italy,
Colombia, and the United Kingdom banned kidnap and ransom
insurance. The argument was made in this article that that
really had a negative impact. Countries that banned kidnap
insurance drove negotiations underground.
We're dealing in a world of cyber-insurance, and those who
are trying to buy some protection through the insurance
mechanism for their vulnerability. Is there any value to
looking at the kidnapping experience in banning that insurance
and deciding whether that has any beneficial aspects to it?
Mr. Vorndran. Sir, I can start the conversation on that
question. When we go back several years, it's at least our
belief and understanding from public records that the insurance
industry really started within cyber so that we could drive
better cyber hygiene. You know, I think the question that we
should all be asking ourselves: Is that what has actually
happened? Has the implementation of cybersecurity insurance
driven better cyber hygiene?
From our perspective with dealing with target entities or
victims, when we talk with them, the insurance availability is
a big piece of their decision calculus about whether they do or
don't pay, and my opinion would be that within the interagency,
there's ongoing conversations about the value or lack thereof of
insurance. I think it's probably a conversation that should be
had within this Committee, as well.
Chair Durbin. It certainly would--is an important one, and
I suppose I can argue both sides. I'm glad to see you're making
a review of it at this point. It seems to me it facilitates the
payment in these circumstances, and it may set up the mechanism
therefore, too, with the kidnap insurance, I don't know. What
is your impression? Are there special negotiators in this
ransomware world that try to diminish the amounts that are
being paid with any effect?
Mr. Vorndran. There are special negotiators in this space
for private sector companies that take on the negotiations with
the cyber-adversaries that are overseas. From our conversations
with people making decisions in companies about whether to pay
or not to pay, we would assure you that the insurance
availability or lack thereof becomes a relevant component of
their decision-making.
Chair Durbin. Thank you. Senator Grassley.
Senator Grassley. Yes. Mr. Goldstein, I'm going to start
with you. I understand that CISA helps businesses large and
small in preventing ransomware attacks. This is partially
through a recently launched one-stop website called
stopransomware.gov. Can you describe the services you offer
directly to small businesses beyond advice on best practices,
and are businesses able to reach out to CISA for help and
support if they have questions?
Mr. Goldstein. Senator, thank you so much for that
question. One of the core elements of CISA's mission is
providing proactive assistance to organizations, particularly
and including small and medium businesses across the country
before an intrusion occurs. Because we know once an intrusion
happens, there's already likely going to be some damage done.
Our goal is to get there and deliver guidance, best practices,
and services before the ransomware intrusion happens.
We offer a variety of services to this end. One option that
we offer is self-assessment tools, via our stopransomware.gov
website, so that an organization that wants to assess their own
cybersecurity can download an easy-to-use tool, walk through a
process, and understand the work that they have to do.
If an organization also wants CISA's technical help, we
offer assistance in identifying cybersecurity vulnerabilities,
conducting technical penetration tests or even red team
assessments of an organization's infrastructure, looking at the
security of design architectures of a given network and on down
the line.
Of course, when an incident does occur, we work closely
with our colleagues in Federal law enforcement to provide
incident response and threat hunting services to determine
where the adversary went, what they did, and get them out.
All of these services can be easily accessed via the
stopransomware.gov portal. They are all, of course, free of
charge, and we encourage any organization in the country,
public or private, to take advantage of our services, many of
which can be delivered through our field personnel assigned
throughout the country.
Senator Grassley. I'm going to go to Mr. Downing. Cyber
threats from China are sadly nothing new. From stealing our
intellectual property to hacking records of Government
employees, the Chinese are clearly comfortable using
cyberattacks. On July 19th, the present administration
announced that Chinese government-affiliated hackers were
responsible for hacking the Microsoft Exchange email server and
launching a number of cyber ransomware attacks against U.S.-
based companies.
Do you--I'm concerned that the Department of Justice's
China Initiative, a successful initiative to focus resources on
combating Chinese espionage from the Trump administration may
not be continued in the Biden administration. Would maintaining
the China Initiative be helpful in combating cyber offensives
from China?
Mr. Downing. Thank you very much for the question, Senator.
I would like to reassure you that, indeed, the Department
continues to be keenly focused on the problem of the theft of
intellectual property by Chinese actors and by the Chinese
government. We have a close partnership between our National
Security Division and the Criminal Division, where I work,
which continues to look at these questions and to aggressively
investigate and prosecute individuals who are responsible for
them, both inside the United States and outside.
We use this--we see this as part of a larger effort that,
of course, the Biden administration is very concerned about
Chinese overreach, and is aggressively looking at these
questions, as well.
Senator Grassley. Also, do you--ransomware--ransomware as a
service is basically a form of high-tech organized crime. It's
a business model where cybercriminals design a product,
ransomware, which can be leased to other criminal actors. Some
ransomware as a service provider even provide tech help like
black market IT solution providers. Do you--are traditional
cyber and organized crime tools available to fight ransomware
as a service, or are new tools needed?
Mr. Downing. Thank you for that question, as well. The--it
is true that many of these cyberorganizations have organized
structures not unlike traditional organized crime. We have
aggressively prosecuted them, as well, using the tools that we
have today.
I don't have a particular proposal that addresses that
point that has been cleared for--by the interagency, but we
would continue to look at that and work with the Committee
absolutely on that question.
Senator Grassley. Does it mean that you have interagency
conversations that you're thinking about something along that
line if it gets clearance?
Mr. Downing. We are always looking at all different kinds
of tools and shortcomings to the extent that they exist in our
authorities. We have put forward a couple of those kinds of
shortcomings for the Committee's consideration as part of my
statement for the record, and we very much look forward to
working with you on that.
Chair Durbin. Thank you, Senator Grassley. Senator
Feinstein.
Senator Feinstein. I'm not a lawyer, but I'm really
perplexed by this because what it says to me is that there is a
criminal organization operating this process, and we can't do
anything about it. If I understand it, in 2020, the FBI
received 2,500 complaints relating to ransomware, with adjusted
losses of over $29.1 million. This figure probably
underestimates the severity of the problem because victims of
these attacks are not record--are not required to report their
data breaches to the FBI.
For example, one private security firm reported last year
there were nearly 2,400 attacks against United States State and
local governments. They're attacking the government, as well.
Healthcare facilities and schools alone, with 1,300 companies
around the world losing intellectual property or sensitive
information to attack.
Why can they just exist, and we can't do anything about it?
What can we do? It seems to me it's a criminal operation.
Mr. Vorndran. Thank you for the question, Senator. You
described the problem correctly, and we would articulate to you
that many of the people who attack U.S.-based equities, whether
that's small government, municipality government, small
businesses, all of your constituents, most of them are
overseas. Some of them are in hard-to-reach countries while
others are not in hard-to-reach countries.
I think from the FBI's perspective, this brings the value
proposition in focus about our international reach. Secret
Service has a similar international reach. Through the
Department of Justice, we have had success in cooperative
third-party countries that aren't Russia, right, in terms of
safe harboring criminals. Those people have been brought to
justice. They may be on criminal charges in a different
country, and they may----
Senator Feinstein. Excuse me. Could you just speak to what
the FBI advises us to do?
Mr. Vorndran. Very simply put, the FBI's advisement is
build a relationship with your field office leader as soon as
possible for cyber incidents. Then, second, if you
unfortunately become a victim, report those incidents to the
FBI or any of our counterparts here, and we will immediately
share with the rest of our counterparts.
The last thing I would offer is that it's very, very important
for each of the companies or municipal governments to have
well-rehearsed incident response plans. That they understand
who to call when they become a victim, they understand the
scope of those incident response plans, and to routinely
exercise those would be some important messages to share with
your constituents.
Senator Feinstein. Thank you.
Chair Durbin. Senator Graham.
Senator Graham. Thank you all. As a matter of fact, I think
one of the proposals you have is taking a couple of bills that
we've introduced, Senator Whitehouse and myself, and we'd like
to work with you on that. The bottom line, from the Secret
Service point of view, if cryptocurrency didn't exist, would it
be harder to do ransomware attacks and get paid for it?
Mr. Sheridan. That's an interesting question, sir. It would
be harder to facilitate the payment of the attacks. The
crypto--excuse me, the ransomware attacks themselves would
still occur, it would just be through a different payment
mechanism.
Senator Graham. If you took cryptocurrency off the table,
how would they get paid?
Mr. Sheridan. They would utilize other payment structures.
Regular fiat currency, the traditional financing of crime that
has occurred for all existence prior to cryptocurrency.
Senator Graham. If they ask for cash, would that be tougher
on them?
Mr. Sheridan. It would be more difficult for them to
facilitate, yes, sir.
Senator Graham. Okay. How many ransomware attacks are there
every year against Russian businesses?
Mr. Sheridan. I don't have that information, sir.
Senator Graham. What about Chinese businesses?
Mr. Sheridan. Similarly, I'd have to research that.
Senator Graham. What about Iran?
Mr. Sheridan. Same answer, sir.
Senator Graham. What about North Korea? Same?
Mr. Sheridan. Yes, sir.
Senator Graham. I bet you not many. The point is that we
have criminal enterprises interconnected to nation-states. Do
you agree with that from a Secret Service point of view?
Mr. Sheridan. Yes, sir, that's accurate.
Senator Graham. If we've compiled a terrorist list of
state-sponsored terrorism, do we have such a list for state
sponsors or safe havens for cyberterrorists?
Mr. Sheridan. We have a list of suspects and identified
individuals that----
Senator Graham. Do you have--do you think it would be
helpful for the United States to create a list of countries
that we believe are aiding and abetting ransomware attacks
throughout the free world?
Mr. Sheridan. From a law enforcement perspective, we focus
more on the individual than the country, sir. I would defer to
a larger geopolitical discussion about that.
Senator Graham. Would it help the FBI?
Mr. Vorndran. Sir, we have a very good handle on what
countries are behaving in what way----
Senator Graham. We have a list of terrorist organizations,
right? Every year, the State Department----
Mr. Vorndran. Correct, sir.
Senator Graham [continuing]. And coordination comes out
with a list of terrorist groups. I think we have a list of
state-sponsored terrorism every year, is that correct?
Mr. Vorndran. Yes, sir.
Senator Graham. Is that right, Mr. Downing?
Mr. Downing. Yes, sir.
Senator Graham. How about let's look at putting a list of
state-sponsored or aiding and abetting countries when it comes
to ransomware and cyberattacks. Does that make sense?
Mr. Downing. Perhaps I could jump in on that one. It's
something that I don't know that I've thoroughly considered, so
I'm not ready to give you a quick answer, but I do think that
finding ways to press the countries that are harboring these
criminals is important.
Senator Graham. Let's make a list of those countries. Who
are they?
Mr. Downing. Certainly, Russia is at the top of the list.
They have been consistently----
Senator Graham. Let's stop right there. Russia is at the
top of list of aiding and abetting ransomware attacks and other
cybercrimes, do you agree with that?
Mr. Downing. Sir, aiding and abetting has a particular
legal definition. I wouldn't say that the government of Russia
is behind these attacks. However, we do believe that they are
not doing what they could be to suppress them within their
borders.
Senator Graham. Why aren't they doing what they could be
doing?
Mr. Downing. There probably are various different reasons
for that that I could speculate on, including that, as you
pointed out, sir----
Senator Graham. Have we had--have we ever seen a connection
between the cybercriminals and Russian intelligence agencies?
Mr. Downing. At times, yes, sir, we have found----
Senator Graham. As a matter of fact, we found more than one
time where the Russian Intelligence Agency Members were
actually involved in cybercrimes, right?
Mr. Downing. That also is true, sir. We----
Senator Graham. I don't know what their moonlighting
policy is, but it seems to me--I don't know what the CIA does
in their off time, but--I think the point we're trying to make
is that deterrence has been lost when it comes to cybercrime,
particularly ransomware. Do you all agree?
Mr. Downing. Sir, I would say we have a significant
deterrence. Could we do more? Yes, we would need to do more.
Senator Graham. Is it working?
Mr. Downing. It is having some effect, but it is not
solving the problem----
Senator Graham. Are the crimes going up or down?
Mr. Downing. Up, sir.
Senator Graham. Dramatically up or slightly up?
Mr. Downing. Certainly, significantly up. Yes, sir.
Senator Graham. Seems to me that deterrence is not working.
From a Secret Service point of view, do you believe the network
of laws we have today create enough deterrence in this space?
Mr. Sheridan. I believe the network of laws does, sir. I
think there needs to be greater enforcement of those laws.
Greater resources----
Senator Graham. It's an enforcement problem, not legal
authority problem?
Mr. Sheridan. From my perspective, sir, it's resourcing and
enforcement of those laws and better equipping those law
enforcement agencies that are tasked with----
Senator Graham. You really don't need much help from us.
Mr. Sheridan. We need significant help, sir, in authorities
and in----
Senator Graham. You just said two different things.
Mr. Sheridan [continuing]. In authorities related to----
Senator Graham. Thank you, thank you.
Chair Durbin. Senator Whitehouse.
Senator Whitehouse. Thank you, Chairman. First, I'm
delighted to be following Senator Graham in the order of
questioning, because we have a bill with Senator Blumenthal and
Senator Tillis. It looks to me a lot like the Appendix A, Mr.
Downing, that you have attached as your proposed legislation.
Has a section two that is essentially the same as our section
four and has a section three that is essentially the same as
our section six. I'm wondering if you might sit down with us
and come the rest of the way. We're glad you've made these two
steps, we'd like to understand why you didn't recommend the
entire bill. If there are technical changes that you think we
should make, then we're eager to work that out. We think that
this is a bill that has bipartisan support that could
potentially move by unanimous consent, and we'd like to get
this straightened out.
Again, our appreciation for copying our two sections. Let's
try to get together on all of them if we can. Can you do that?
Mr. Downing. Thank you, Senator. We really appreciate your
and Senator Graham's leadership on this. We----
Senator Whitehouse. Senator Blumenthal and Tillis.
Mr. Downing. And Tillis.
Senator Whitehouse. We have Tillis right here.
Mr. Downing. Sir. Of course, we would be more than happy to
work with your staff on these questions. Absolutely, sir.
Senator Whitehouse. Great. This is kind of a moment of
frustration for me, as well, because we have known about
critical infrastructure as a prime target since I wrote the
original Intelligence Committee cyber report probably a decade
ago.
We've known for years and years and years and years that
ransomware was a method for attacking. We have spent billions
of dollars, particularly at Homeland Security on trying to
solve the problem of protecting critical infrastructure, and
boom, what happens? A bunch of people in a basement someplace
are able to take down Colonial Pipeline, a significant piece of
Colonial infrastructure, with a ransomware attack.
That's not a success story. That's a failure story. That's
something is wrong in the way we're doing business right now.
It strikes me that the thing that is wrong in the way we're
doing business right now is that you can be critical
infrastructure in this country, providing essential services to
our economy and to our national security, and not have to meet
any real standards.
I think we've shown in the defense industrial base that,
with the right kind of pressures, companies can step up and do
a better than average job. I think we've shown in the financial
sector that, with regulators looking over the shoulders of the
big banks, they have stepped up and done a better job than
average. Here we sit with Colonial Pipeline, with your
voluntary, Mr. Goldstein, your voluntary standards. The NIST
Framework and the C3 and your offers. It obviously failed. I
mean a total face-plant failure.
What I would like to ask is that you and Homeland Security
provide to this Committee a summary of what Colonial Pipeline
accepted by way of all those voluntary offers that you talked
about. How vigorous were they about participating in your
voluntary programs? How was the response? I think if there is
ever a moment where we have a case study of a failure of
critical infrastructure from cyberattack, this is it.
I think we're entitled to a bit of a test case here on this
voluntary method that we followed and how it's working. Because
it sure didn't work for Colonial Pipeline, and I'd like to know
what they did and did not take up of your series of offers. Can
you get that information to us?
Mr. Goldstein. Thank you, sir. We'd be glad to provide you
with that, and I will note we fully agree that the environment
for critical infrastructure that's essential in national
critical functions is able to operate insecurely with no
insecurity weaknesses, as we know is often the case throughout
this country, is untenable. We as a nation need to act.
I will note that if you wait----
Senator Whitehouse. I'm angry right now, you know, at you
because of this situation. I actually understand that it's not
your fault. The fault is here in Congress, where over and over
again, groups like the U.S. Chamber of Commerce have come in
and said, ``Don't regulate us. We're against all this cyber
regulation. We don't want any of this. Make it all go away.
We're against this bill. We're against that bill. We're going
to tell the leader to, you know, block this legislation if it
tries to go forward.''
We now have a situation in which you can have critical
infrastructure companies fail at meeting basic standards of
cyber hygiene, and we're okay with that. As a legal matter,
we're okay with that. We shouldn't be okay with that. We don't
have to regulate everybody in the world, but if you're critical
infrastructure, we should no longer tolerate this voluntary
regime with big companies who know that their infrastructure is
critical, and who fail.
Mr. Goldstein. Yes, sir. Could I ask the Chairman for a
response?
Chair Durbin. Sure.
Mr. Goldstein. Thank you, sir. Senator, as you are aware,
in the wake of the Colonial Pipeline intrusion, CISA worked
closely with our colleagues at TSA and the security regulator
for the pipeline sector to push out two security directives,
the first of which required reporting of security incidents to
CISA, the second of which required entities covered by the
directive to undertake mandatory security controls.
We view this as a good model to drive the right level of
security investment among the most critical entities in this
country. We look forward to working with Congress and our
partners across the interagency to ensure that we are rapidly
raising the bar for cybersecurity across entities that provide
national critical functions, wherever they may be.
Senator Whitehouse. I thank you for that answer, and I
would focus particularly on the words, ``in the wake of.''
Chair Durbin. Thank you, Senator Whitehouse. Senator Sasse.
Senator Sasse. Thank you, Chairman. Thank you all for being
here. How large is the universe of known ransomware gangs?
Mr. Vorndran. Senator, thank you for the question. The FBI
is tracking more than 100 different variants. When I say
variants, that would be a brand name, such as Sodinokibi, which
also is known as REvil. That would be one. Please understand
that there are similar actors that cross-cut multiple different
variants. But to answer your question, there's more than 100
different variants is how many we track.
Senator Sasse. Can you--thank you for that. Can you size
them a little bit for us, and I understand that some of them
are duplicate brands, but kind of issue spot how big the
biggest are, how big are the mediums, what's the barrier to
entry below which people are not likely able to have competent
technologists to be able to execute an attack?
Chair Durbin. Senator, before he responds, would each of
the witnesses pull the microphone a little closer?
Mr. Vorndran. Senator, the answer to your question is we
have an entire interagency algorithm that essentially
prioritizes from one to 101 the level of impact that each
variant has had on the United States, its economy, and its
other various equities. The largest one that we know of--we
would estimate that their revenue from attacks exceeds $200
million, to give you some type of scope on the value
proposition.
Your last question about barriers to entry is a little bit
of a difficult one to answer. What I would say is that we see
affiliates using the ransomware variants that are going to be
most effective at compromising potentially vulnerable
infrastructure--information technology infrastructure.
Certainly happy to follow up on the barriers to entry
conversation, but that would be the best answer I can give you
today.
Senator Sasse. Who owns that data set? I see Senator Cornyn
has just arrived. He and I are both active on this issue from
the Intel Committee side, as well. If we wanted a briefing, who
is the one person in the U.S. Government who is responsible for
owning that data?
Mr. Vorndran. The roll-up of the data is owned by the FBI
through the interagency, but the model was built by the
interagency, and every interagency component has input into the
model to finalize the prioritization of it.
Senator Sasse. Returning to Senator Graham's line of
questioning, how many of those 100 are Russian-allied?
Mr. Vorndran. I don't know that answer. Certainly can
respond at a later time with a more precise answer, but what I
can say is that while the developers may be Russia-based, the
affiliates that deploy the ransomware may or may not be Russia-
based. It's a little bit of a complicated question, but if it's
okay with you, sir, we can--we can get back to you with the
precise number to answer your question properly.
Senator Sasse. We'd love it, and in addition to whatever
print response you want to give us, I think there are a few of
us that overlap between this Committee and CISE, who would love
to have an actual briefing on it.
Senator Graham has left, but I'd like to pursue the
question he asked you about deterrents, because the actual rate
of growth is about 300 percent annually right now. Why do we
think any of our deterrents is working? It's not a hostile
question at any of you personally, but you all swung this as if
there is some success here. It's pretty hard to see that from
where we sit.
Mr. Vorndran. I can lead the conversation that--my answer
from the FBI's perspective would be that we are doing as much
as we can with what we have to deter. I can appreciate why from
your perspective, Senator, that it's not having as significant
an impact as you would want, but there are dedicated men and
women in the FBI, all the partnerships here, that are devoting
hundreds of hours a week to this problem set and helping.
If the question is are we having a large enough impact? I
understand that question. Please understand, the answer to our
question about why we're having an impact is because we have
great men and women who are doing this work every day, doing
prosecutions, infrastructure disruptions, you know,
cryptocurrency seizures, and not just within the FBI, but
certainly in the agencies that sit here today and the
international community--international community and the
Intelligence Community, as well, sir.
Senator Sasse. So--go ahead.
Mr. Downing. If I may. Just to add to that, I think
focusing on law enforcement deterrents is an important piece of
this puzzle, and I agree with you that, though, it alone is not
going to be enough. That's why I think we all need to focus on
a whole-of-Government response. That is, that we have our
colleagues in the Treasury Department looking at how to enhance
our position on the cryptocurrency front. We have our friends
in CISA building cyber hygiene to slow down the threat. We have
our friends in the State Department who are building
international consensus against it and putting pressure on
Russia.
Yes, investigation and prosecution is an important piece of
this, but it cannot be the only piece, I think, if we are going
to succeed against this threat.
Senator Sasse. Strongly agree that Putin's cronies who
moonlight outside not just the official intel services, but
across the oligarchs like little rent an intel service on the
side, clearly, they don't fear us, and that deterrent problem
is well above your pay grade. Nobody's faulting you here for
that. Sir, I recognize you're obviously right that there are a
lot of hardworking patriots inside the organization, but that's
a different question than whether or not we have the right
national strategy. Thank you.
Chair Durbin. Thank you, Senator Sasse. Senator Klobuchar.
Senator Klobuchar. Thank you very much, Mister Chair. Thank
you all for the work you're doing. When I think back to my
early confrontations with this issue as a prosecutor, I always
remember a case we had. It was a child porn case, but it
involved computers, and it was a little suburb. The police went
to the scene, and they had not been trained. They pushed some
buttons on the computer, and all our evidence disappeared.
Now, let me bring this to our current situation that we're
in. It is so much worse and so much bigger. It is workforce as
well as all these other challenges that my colleagues have laid
out. Maybe the numbers I have: An estimated 3.5 million
cybersecurity jobs will be available but unfilled by--in 2021.
Approximately one in three cybersecurity jobs in the Federal
level going unfilled. Talk to me about how we're going to get
people from the private sector, perhaps--Senator Thune and I
had a bill on this--to come here so we are as sophisticated as
the bad guys trying to ransom and do all kinds of bad stuff to
disrupt our critical infrastructure. How are we going to get the
people in and what should we do to help?
Mr. Sheridan. Senator, thank you for that question. I'll
turn it over to Mr. Goldstein to partner on this answer. I do
want to address your opening statement, though, related to
State and local capabilities. As has been stated multiple
times, this is whole-of-Government approach. The Secret Service
has the National Computer Forensics Institute that has trained
and equipped more than 16,000 State, local, Territorial, Tribal
officers as well as judges and prosecutors. We train more than
3,000 a year and these really are the first line of defense. I
think this goes to Senator Feinstein's questions about what
people can do to be more resilient.
My colleague, Mr. Vorndran has mentioned relationships.
This is where the relationship forms with those that you know
in your community, your constituents, to have that level of
trust, that level of communication, to be the first responder
in these types of incidents.
That institution, as you may be aware, is due to sunset in
2022. We'd greatly appreciate Congress' support for allowing us
to train as many as we have, but we need to seek
reauthorization as well as growth, not only domestically, but
internationally for that facility to, as you said, make sure
we're better prepared on the State and local level.
Senator Klobuchar. Okay. Then if we could get the question
of the unfilled jobs and how we're going to get people into
this area. Young people and the like with a call to service, I
hope. Mr. Goldstein.
Mr. Goldstein. Absolutely. Senator, thank you for calling
out this critical question. There is no bigger challenge facing
the future of our Nation's cybersecurity than building a deep
and diverse workforce to meet the threats we are facing now and
facing tomorrow.
At CISA, we're looking at this as really having three
components. The first is how do we build cybersecurity and STEM
education into our K12 students today? At CISA, we have a grant
program where we provide cybersecurity curriculum and training
to K12 teachers across the country. Obviously, that is a large
population. We need to scale and do more. The first question is
how do we ensure that across elementary, middle, and high
schools across this country our students are learning first and
foremost the importance of cybersecurity, and then the basic
skills to pursue this as an avocation from a very young age.
That will require some very fundamental changes in how we think
about educating our children in this country.
The second is how do we resource those leaving secondary
education going to 2-year institutions, HBCUs, trade schools,
all the way to 4-year universities, ensuring that those
universities have the programs where they're turning out
graduates that are able to take jobs at the leading
cybersecurity entities in our country, whether Secret Service,
CISA, or the FBI, or the private sector. Because, frankly, we
are all in the same fight here. Here, CISA again provides
curriculum and training to a select group of entities, largely
serving underserved communities. We need to do more there.
The third piece is how do we make it easier to enter public
service as a cybersecurity practitioner. The cybersecurity
market today is extraordinarily competitive, and we need an
urgent call to action to make sure that the best and brightest
are joining our agencies to help defend our country against
these threats.
Senator Klobuchar. Got it. I think some of our model is
people stay forever in the Government, and we may have a
situation where we have a call to action to come to our
Government for a while. Maybe they go somewhere else after
that, but we're just going to fall behind if we can't get
people to do it. Did you want to add anything, Mr. Vorndran?
Mr. Vorndran. Senator, very briefly, just rough numbers. A
computer scientist graduating college with a 4-year bachelor's
degree can earn about $100,000. The entry position, certainly
within the Department of Justice, is about $63,000. We can't
incentivize that year over year right now, so just to highlight
the focus of your concern and the recruiting retention problem.
It is a significant barrier.
Senator Klobuchar. Senator Thune and I had a bill a few
years ago that would allow people to go into certain areas. You
have all kinds of issues, especially with the FBI with then
classified, private sector people coming in. I think we should
revisit that for certain positions, it is--but we've got to
figure this out, so we get the people.
I have some other questions--I'm out of time--about small
businesses with the 51 percent not being able to have any
resources to cybersecurity themselves, and how we're going to
build that up. I can ask that on the record, or maybe my
colleagues will. Thank you.
Chair Durbin. Thanks, Senator Klobuchar. Senator Tillis.
Senator Tillis. Thank you, Mr. Chairman. Gentlemen, thank
you for being here. Mr. Sheridan, wanted to give you an
opportunity to respond to Senator Graham's question. You were
talking about authorities and other resources that you need,
so, if you would hit that quickly.
Mr. Sheridan. Thank you very much, Senator. Regards to
authorities, as I mentioned, our National Computer Forensics
Institute reauthorization is extremely important, not just for
us, but for the whole-of-Government approach. As well, our
authorities within the Secret Service related to
investigations, specifically for statutory authority on money
laundering, structured payments, and unlicensed money
transmitters would be very beneficial for us to strengthen our
investigative mission. Thank you, sir.
Senator Tillis. Thank you. Mr. Goldstein, in my office, I
was a part of a practice that did ethical hack testing at
Pricewaterhouse back in the late 1990's and early 2000's and
followed this pretty closely. In my office, I have a Hacking
for Dummies, which is a great book, and every business should
read it and understand how vulnerable they are. I believe that
businesses--a part of what we're doing here is to provide you
all with better tools to seek out bad actors and hold them
accountable, but businesses have benefited mightily from the
internet and electronic systems. They need to harden their
systems the way that they harden their physical presences, with
alarm systems, burglar bars, whatever it takes to secure a
physical premise.
I think one thing we have to do is make it very clear to
business that we alone, the Federal Government, or the whole-
of-Government, are not responsible for securing their business
enterprise. We're there when somebody breaks in to bring them
to justice.
Is it still the case that the vast majority of these hacks
are attributed to human error? That there's a click on a link?
Is that still the case in your research that we've got to
better educate people, that they're the weak link in most of
these successful hack events?
Mr. Goldstein. Thank you, Senator, for that question. It is
certainly still the case that particularly with ransomware
intrusions, most of the events that we are seeing are
attributable to known security weaknesses. It might be the case
that an employee clicks on a phishing link. It might also be
the case, as has been reported publicly with Colonial Pipeline,
that the adversary exploited a legacy remote access device that
was using a known password. Certainly, this is why we are so
focused on driving adoption of these basic practices because we
know that these can demonstrably reduce the likelihood that a
business will be exploited by a ransomware intruder.
Senator Tillis. Why shouldn't we--I fall short of mandating
what the private sector does and to provide them best
practices, but why shouldn't we as a matter of Federal policy
require everyone who does business with the Federal Government
to adopt and implement these practices as a price of admission
for doing business with the Federal Government?
Mr. Goldstein. That's a great question, sir. President
Biden's cybersecurity executive order, issued earlier this
year, required CISA to work with our partners in Government to
do exactly that, to prescribe new contract clauses that will be
adopted into Federal acquisition law and will provide a floor
for the kinds of security controls that we expect to see from
Federal vendors.
Senator Tillis. The administration already has that
authority? Congress doesn't need to do anything more to push
the point?
Mr. Goldstein. My understanding, sir, is that today we can
do what we need to do in that space. That's correct.
Senator Tillis. Mr. Vorndran, what about the concept of--I
think maybe Senator Whitehouse and Daines have introduced the
concept of a hackback to basically allow private sector to go
after those who are holding them or requesting ransom. What's
the--what's the Department's opinion about really encouraging
businesses to go back after these people? Hackback.
Mr. Vorndran. You want me to? Senator, do you mind if I
defer that question to Department?
Senator Tillis. Yes.
Mr. Vorndran. Thank you.
Mr. Downing. Sir, on the Hackback question, the Department
has long held the position that it is ill-advised to encourage
or permit private sector people to hackback. Couple of reasons:
First, there's a real risk to innocent users. Very often, the
infrastructure that's involved is not the offenders that
they're going after, but instead innocent third parties.
Second, there is a real problem with the interference with
ongoing criminal or intelligence investigations when you have
private sector people monkeying around in these groups and
these organizations. Third, very often at the early stages of
an investigation, we don't know who's behind it, and so, if you
happen to be hacking back from, let's say, a film company that
is invaded, and it turns out later that it's North Korea, as
has happened, that's a particularly sensitive situation where
you want to make sure that the government actors are the ones
in charge of how we are going to take those steps and not have
it be done by private sector people who are not in a position
to understand the full picture or the geopolitical situation.
Our long-standing position has been that that is not a
helpful road to go down. Instead, report to us, report to the
FBI. We can take steps. We have authorities to have an effect
and an impact, and that's the better approach.
Senator Tillis. Thank you all. Thank you, Mister----
Chair Durbin. Thank you, Senator Tillis. Senator Hirono.
Senator Hirono. Thank you, Mister Chairman. I think the
panel of all--you all agreed that there is a causal
relationship between the growth in cryptocurrencies helping to
drive the increase in ransomware attacks. I think that you
generally agreed yes. We're not quite sure what to do about it,
but aside from things like considering the U.S. banning
cryptocurrencies, what about should we make ransomware payments
illegal? Anybody want to answer that?
Mr. Vorndran. Senator, thank you for the question. It's our
opinion that banning ransomware payments is not the road to go
down, and there's really a prime reason for that. Right now,
what was shared in the opening remarks is that ransomware has a
single extortion model. Essentially, we would hold your data
ransom until you pay for that data. In the very recent past,
actors have moved to a double extortion model. First, they
exfil data and threaten to leak it on a Tor site for sensitive
information. The second prong of the extortion is the ransom
for the encrypted data.
It would be our opinion that if we ban ransom payments, now
you're putting U.S. companies in a position to face yet another
extortion, which is being blackmailed for paying the ransom and
not sharing that with authorities. It's a really complicated
conversation, but it's our position that banning ransom
payments is not the road to go down.
Mr. Sheridan. If I could add, ma'am, as well----
Senator Hirono. Yes.
Mr. Sheridan. Reporting is one of our biggest challenges
related to this.
Senator Hirono. I'm sorry, what is?
Mr. Sheridan. Reporting.
Senator Hirono. Yes.
Mr. Sheridan. As was stated by several of my colleagues.
Banning the payments would further push any reporting to law
enforcement into obscurity and make it virtually impossible for
us to have that relationship.
Senator Hirono. This is quite the conundrum for all of us,
and I note that we're going to need a workforce that is very
attuned to the need for--to have an understanding of
cybersecurity issues and STEM backgrounds. You noted, I think
it's Mr. Downing, that we need a whole-of-Government response.
That means that we should be across departments. Does that
include the Department of Education? Because I note that Mr.
Goldstein said that we need to really have curriculum in our
elementary schools that focuses on STEM and that provides an
understanding of cybersecurity. Is the Department of Education
involved in this whole-of-Government approach that you all
talked about?
Mr. Goldstein. Thank you, ma'am, yes, absolutely. CISA
works very closely with our colleagues at Education, as well as
at the National Science Foundation and other agencies to make
sure that all partners in Government with a role in promoting a
curriculum that meets the challenges of today and tomorrow are
onboard. This is really a whole-of-Government effort. Our goal
is to make sure that those individuals in school today are
prepared to take on the jobs that we'll need them to face
this challenge going forward.
Senator Hirono. Is this kind of curriculum already in our
elementary public schools?
Mr. Goldstein. That's correct in some cases. Certainly, it
is not ubiquitous across the country yet, but this is part of,
of course, a broad focus on STEM education. Part of ensuring
that--that children in school in this country are focusing on
STEM education is the cybersecurity aspect of that challenge.
Making sure that we are encouraging both STEM as a basic focus
and then cybersecurity as an aspect thereof will be critical
going forward.
Senator Hirono. I actually would like to see an actual
curriculum in our elementary schools that focuses on STEM. What
about engaging with our allies because it's not just the U.S.
Government, whole-of-Government, but we really need to engage
with our allies in how to prevent these kinds of crimes from
occurring, so how are we doing on that score?
Mr. Goldstein. Sure. I'll offer a first thought and then
I'll hand off to my colleagues. From our perspective at CISA,
we work very closely with international computer emergency
response teams, or CERTs, who are the network defenders
globally to protect their countries' private and public
networks, and we share information with them continuously on
new ransomware threats that we can then share to help protect
businesses and government networks in our country.
Senator Hirono. Is the----
Mr. Downing. If the----
Senator Hirono. Go ahead.
Mr. Downing. If I may, there are a number--you're exactly
right that international collaboration is critical to what we
do, and there are a number of factors that are in play here. We
strongly support, for example, the Convention on Cybercrime, to
encourage appropriate laws around the world, and that's been
building over the years.
Partnerships with foreign law enforcement agencies are
critical. The Secret Service and the FBI have personnel
stationed in foreign countries, and we work extremely well with
international agencies like Europol, with some very effective
results.
Third, for the Department of Justice, we have a program
called the ICHIPs, the International Computer Hacking and
Intellectual Property coordinators stationed in various
countries. We find that having prosecutors in foreign countries
also helps to build those relationships which have proven to be
so effective when we've done takedowns like the NetWalker and
Emotet ones that I mentioned earlier.
It's that international collaboration that is key to many
of the successes that we've had.
Senator Hirono. Thank you. Thank you, Mr. Chairman.
Chair Durbin. Senator Cornyn.
Senator Cornyn. Thank you, Mr. Chairman for holding this
very important hearing. I think we're suffering from many of
the same silos we--we identified on 9/11. We find that there's
a number of different parts of the Federal Government that are
dealing with the same problem in different ways, and we're
depending on the executive branch depending on--from
administration to administration to come up with a coherent
strategy which uses the all of government approach that Mr.
Downing and others have advocated.
Let me start with a basic--very basic question. When
somebody gets hacked, should they be required to notify the
Federal Government? Mr. Goldstein, perhaps CISA? Or the FBI?
Mr. Goldstein. Certainly. Our view is that any efforts to
increase the volume of incident reporting to CISA and, to be
sure, with our partners in Federal law enforcement, is
absolutely essential. Absent this reporting, we are unable to
offer assistance, we are unable to address many of the
questions that you and your colleagues have raised today to
understand the breadth and scope of the problem, and we're
unable to develop information that we can share effectively to
prevent other intrusions. Certainly, steps taken to increase
reporting across the country will be highly beneficial. We look
forward to working with Congress toward that important goal.
Senator Cornyn. Mr. Vorndran.
Mr. Vorndran. Senator, thank you for the question. If I can
just amplify Mr. Goldstein's remarks. As is memorialized in Mr.
Downing's statement for the record and my statement for the
record, we are very significant advocates for mandatory breach
reporting. There's really three reasons for that.
Right. We need sufficient information about tactical
information, ransom requested, where to pay the ransom, how to
contact the actors. The information must be shared promptly so
that we can respond accordingly, and then there needs to be a
requirement to immediately share across the interagency.
Admittedly, sir, that already happens today, but anything we
can collectively do to increase reporting is going to be very
helpful in this problem area.
Our estimates are that between 25 and 30 percent of
incidents get reported to Federal law enforcement at this time.
Senator Cornyn. I know there are at least two bills that
are currently out there. One from the Homeland Security and
Governmental Affairs Committee, a bipartisan bill. Senator
Portman, Senator Peters. Then there's also an Intel Committee
bill that Senator Warner and a number of us are working on to
require that because it seems like in the past we've relied on
the business community, for example, to make a report and
perhaps they feel like because reputational considerations or
some others, they may just want to not report it, and because
once it gets into the public domain, then maybe people don't
feel comfortable doing business with them. Or maybe they go to
a competitor or the like.
It strikes me as absolutely critical, and I'm glad to hear
your answer that we get the universe--universal picture, and
then to give you and other authorities the opportunity to deal
with it.
There ought to be some sort of confidential means to do
that, and one that perhaps provides some liability protection,
much as we've done in the past with some of the programs
through the National Security Agency when it comes to
collecting information from phone companies and the like.
How big a problem is attribution? Mr. Vorndran.
Mr. Vorndran. Senator, that's an excellent question. The
response to your question is that it's very challenging,
especially in the criminal cyber element, moved away sometimes
from the nation-state cyber element. In the criminal cyber
element, it is extremely challenging to gain attribution down
to a keyboard or an actor behind a keyboard. I would estimate
that about half of our cases don't have accurate attribution
because of the complexity involved.
Senator Cornyn. That's part of the tradecraft of the cyber
offender, correct? Hiding their identity?
Mr. Vorndran. Yes, sir. I mean, it's very easy to
masquerade as a Mandarin keyboard in Brazil that would
potentially probe a network. The person behind that keyboard is
probably not in Brazil, and they may or may not speak Mandarin.
Senator Cornyn. I agree with you and Mr. Downing that the
law enforcement--law enforcement model is an important
component, but only a component of what our response should be.
Indeed, after the 2016 Russian interference and cyberattacks on
the DNC server and leaking that, General Nakasone and the folks
out at Cyber Command and NSA undertook a way to try to protect
our voting systems in 2018, and we had remarkably improved
protection of our voting systems.
We know that we have the capability to do it, we just need
to figure out how to come up with a strategy. Perhaps something
like we did when Congress passed 5G and beyond, which basically
mandated that the executive branch come up with a comprehensive
strategy, working with Congress because frankly, we're so--as I
mentioned at the beginning--siloed here.
We've got different Committees of different jurisdiction
and different levels of information about these issues and
different perspectives depending on if you're the Judiciary
Committee, focusing on law enforcement, as opposed to maybe the
Intel Committee looking at the espionage threat. Or the
Governmental Affairs Committee looking at some other aspect of
it.
Having a plan I think is really important because right
now, notwithstanding our outstanding capabilities, I think
we're getting our lunch eaten on a regular basis, and we've got
to up our game. That's not a comment on what you do or the
people that work with you. I think it's up to Congress and the
policymakers to come up with a policy that you can then
implement to do the job that you're trained to do, and that
you're trying to do every day. Thank you.
Chair Durbin. Thanks, Senator Cornyn. Senator Blumenthal.
Senator Blumenthal. Thanks, Mr. Chairman, and I want to
join in thanking you and the Ranking Member for this hearing
and thank you all the law enforcement members of this panel.
You have definitely upped your game. There's no question about
your recent record, and I'm sure it reflects long-standing work
on putting together the infrastructure that's necessary to do
that law enforcement, and the skills, and the equipment, and so
forth.
As has been mentioned, Senators Whitehouse, Graham, Tillis,
and I have a measure that we've introduced, the International
Cybercrime Prevention Act, which is intended to provide you with
more tools. Maybe mandatory reporting ought to be one of them.
A number of our colleagues have asked for liability
protections in connection with that reporting, and I would
welcome the opportunity to consult with you as to ways there
may be to protect the confidentiality of information that is
provided in the course of reporting because I think that's one
of the concerns that may discourage more reporting.
We've just--some of us come from a hearing in the Commerce
Committee, where I asked the head of TSA about reporting, and
he testified that there is reluctance because of the fear of
publicity. That is a common thread in law enforcement, as you
well know, that prevents reporting of rape, it prevents
reporting by seniors about financial crimes, it prevents all
kinds of reporting. We need to overcome that obstacle.
I want to ask about the harboring of these cybercriminals
in Russia and China. I was very impressed and appreciated
President Biden raising this issue in his meeting with Vladimir
Putin. The Russian government's hacking and its providing safe
haven to criminal elements that, in turn, have attacked us. He
was very dramatic in his telling Russia, according to the
readout of the recent Biden call with Putin this month, that we
will take quote ``any action necessary to defend our people and
our critical infrastructure.''
Have you seen any change in the amount or severity of
cybercrime from Russia in this last month?
Mr. Downing. Perhaps I could take that one, Senator. I
don't believe there has been a measurable drop. No, I don't
think that is a change.
Senator Blumenthal. Essentially, there's no evidence that
Putin is heeding this warning as yet, correct?
Mr. Downing. I think that's fair, yes.
Senator Blumenthal. How about on the part of China? Is it
getting the message?
Mr. Downing. With respect to China, that's a complex
situation. We continue to press on that issue from the
Department of Justice's perspective in investigating and
prosecuting those crimes aggressively.
Senator Blumenthal. Let me be somewhat simplistic. What I'm
hearing is that Russia and China essentially are taking no real
action in cracking down on these criminal gangs or the
malicious cyberattacks that make us the target, correct?
Mr. Goldstein. Senator, I would just add that, as my
colleague noted, we believe that only about a quarter of
ransomware intrusions are actually reported. The question of
are we seeing a change in trend is a very hard one to answer.
It certainly could be the case that some ransomware actors have
changed behavior for a variety of reasons. We simply don't have
the data to be able to answer the question with any level of
authority.
Senator Blumenthal. Okay, but we have to act on the basis
of what we know, not what we don't know. From what we know, and
you have the best knowledge in the business, there has been no
perceptible change in behavior on the part of either China or
Russia in cracking down on these criminal actors.
Mr. Goldstein. Based upon available data, we have not seen
a change in a trendline of intrusions overall.
Senator Blumenthal. The available data that you'd need
would be more reporting of these attacks?
Mr. Goldstein. That's correct, sir.
Senator Blumenthal. Do you have a way of knowing about
these attacks without their being reported?
Mr. Goldstein. We do not, sir, not reliably.
Senator Blumenthal. Is there conceivably a way
technologically to know?
Mr. Goldstein. I defer to my colleagues in law enforcement
if they have any methods. To reference from our point of view,
hearing from the victims will be the most authoritative way to
understand the breadth of these intrusions.
Senator Blumenthal. Only a quarter of them are telling you
when they are victims.
Mr. Goldstein. Again, sir, that's a rough estimate since we
don't know the incidents that we are not hearing about.
Senator Blumenthal. You don't know what you don't know, but
I guess what I'm taking away from what I've heard from you and
what I've heard in the Commerce Committee--the companies of
America, our corporate sector really is failing in its
responsibility to protect our national security by refusing to
report these instances of cyberattack. Am I overstating it?
Mr. Goldstein. In this case, sir, it truly needs to be a
whole-of-Nation effort, with Government and industry working
together around this shared challenge, and the more the
companies report their intrusions to the Government, the better
job we can do in managing this risk.
Senator Blumenthal. I interpret that as a yes. Thank you.
Thanks, Mr. Chairman.
Chair Durbin. Thank you, Senator Blumenthal. Senator Cruz.
Senator Cruz. Thank you, Mister Chairman. Ransomware
attacks have become more and more common, and more and more
dangerous. In May of this year, hackers based in Russia shut
down Colonial Pipeline, a pipeline that carries gasoline to the
southeastern United States. What did the Biden administration
do? Next to nothing. The administration sat around as gas lines
formed up and down the eastern seaboard and the White House
deputy national security advisor tried to absolve the Biden
administration, tried to absolve the President from any
responsibility whatsoever, saying quote, ``Colonial is a
private company, and we'll defer information regarding their
decision on paying a ransom to them.''
Later, after Colonial paid a $4.4 million ransom, President
Biden decided to reward Russia for allowing this hack. He
greenlighted the Nord Stream 2 pipeline, a natural-gas pipeline
from Russia to Germany that will put billions of dollars in the
pockets of Vladimir Putin, and then he sat down with Putin and
told him that only certain parts of America's critical
infrastructure should be off limits. He specified 16 parts that
were off limits. Call me crazy, but I think all of our critical
infrastructure should be off limits to Russian hacking. And
when the President enumerates 16 that matter, that is an
invitation to hack every other part of our infrastructure.
Mr. Downing, does paying ransom encourage more ransomware
attacks?
Mr. Downing. I think it's fair to say that when criminals
profit, they draw more criminals into that space and so, the
paying of ransoms is certainly one thing that fuels the
increase of ransomware attacks that we've seen.
Senator Cruz. Does telling Putin that only certain parts of
our infrastructure are off limits--does that have the potential
to encourage more attacks like the Colonial Pipeline attack?
Mr. Downing. I would have to say that the President's
communications with Putin are outside of my purview. However, I
can assure you that we are continuing to press for results, and
we are not waiting around, from a law enforcement perspective,
to see what would happen there. We are pursuing the cases and
the investigations and the activities that we would in order to
do the very best that we can to drive deterrents and to arrest
and disrupt these operations.
Senator Cruz. Mr. Goldstein, is attacking a pipeline a new
concept or have we seen this before?
Mr. Goldstein. Senator, this--the attack of Colonial
Pipeline is the first incidence that we have certainly seen in
this country of an intrusion causing a disruption to pipeline
infrastructure.
Senator Cruz. Your organization just recently issued a
release stating that between 2011 and 2013, Chinese state-
sponsored actors targeted 23 U.S. natural-gas pipeline
operators. Is that right?
Mr. Goldstein. That's correct, sir. That refers to
targeting rather than an intrusion resulting in an actual
disruption.
Senator Cruz. The idea that malevolent actors would go
after infrastructure like pipelines, that is a threat we've
been aware of for some time.
Mr. Goldstein. That's correct, Senator.
Senator Cruz. China has repeatedly used ransomware and
cyberattacks to harm America. Not only has it attacked
pipelines in an effort to cause physical damage, but just this
year, hackers affiliated with the Chinese--Chinese government
attacked tens of thousands of computers across tens of
thousands of organizations, including a significant number of
small businesses, towns, cities, and local governments.
Once again, unfortunately, the Biden administration
responded to extreme threats with extreme weakness. The Biden
administration has not imposed any sanctions on China. Instead,
the administration announced that it is dropping criminal cases
against five Chinese scientists who, with the help of consular
officials, hid their affiliations with China's military in
order to infiltrate our Nation.
Mr. Downing, why is this administration refusing to
prosecute Chinese scientists who lied about their ties to the
Chinese military in order to come to this country and gain
access to information?
Mr. Downing. Senator, thank you for the question. I would
have to say that, from my position in the Criminal Division, I
am not responsible for those decisions. However, it is
something that I'd be happy to take back and get you an answer
for.
Senator Cruz. Let me ask anyone on the panel. Do you have
an answer as to why the administration has not sanctioned China
for repeated cyberattacks over and over and over again against
the United States?
I think that's a question that the administration should
answer. Showing weakness to China and weakness to Russia only
invites more aggression and more cyberattacks attacking our
Nation. Thank you.
Chair Durbin. Senator Ossoff.
Senator Ossoff. Thank you, Mr. Chairman. Thank you to our
panelists. One of the benefits of bringing a whole-of-
Government approach to a national security issue such as this
is that it can bring the full force of the U.S. Government. One
of the risks is jurisdictional ambiguity, a lack of a clear
chain of command, and organizational responsibility. What I'd
like to ask first is for each of you--and forgive me, I can't
see how you're arrayed beneath the dais. Beginning with you,
Mr. Downing, and then proceeding sequentially, to identify what
it is that your agency, your component has lead responsibility
for in preventing and responding to ransomware attacks that
none of the other components or agencies represented here has
lead responsibility for. What are you uniquely responsible for
ensuring happens and gets done to protect our cybersecurity?
Mr. Downing. Thank you very much for the question, Senator.
At the Department of Justice, we have two Divisions that are
responsible in part for responding to the ransomware attacks.
My Division, the Criminal Division, is responsible to--for
those attacks that are identified as being from criminal
actors. We have taken the lead on a very large number of the
recent ransomware attacks.
We bring charges, we make charging decisions, we work on
the legal side to make sure that the law enforcement agencies
are able to obtain the evidence that they need, and we pursue
extraditions through our Office of International Affairs in
order to get them back to the United States.
My colleagues in the National Security Division support
that work through a lot of different means related to national
security authorities. However, when the actors responsible are
nation-states, or proxies for nation-states, then they would
have the key role in all of the same ways that I mentioned,
gathering evidence, bringing charges, and seeing those charges
through to court.
Senator Ossoff. Thank you. Mr. Vorndran, please.
Mr. Vorndran. Thank you for the question, Senator. In
response to your question, we would reference Presidential
policy directive 41 from 2016. That was the first ever national
policy on this topic and sought to define a significant cyber
incident. In answer to your exact question, who's in charge?
Instead of naming a single agency, it recognized shared
responsibility across U.S. Government, and it defined threat
response as involving investigation, attribution, and threat
pursuit, and named the Department of Justice acting through the
FBI and the National Cyber Investigative Joint Task Force as
the lead agency for this line of effort during a significant
incident. I'll certainly let Mr. Goldstein reference CISA's
role. ODNI has a role in PPD 41, but I think another key----
Senator Ossoff. I appreciate there's a broad spectrum of
responsibilities here. My question is: what is FBI's role that
is distinct from every other agency represented here today.
What do you do, and your personnel do that nobody else does?
Mr. Vorndran. In PPD 41, investigate, attribute, threat
pursuit for a ransomware incident.
Senator Ossoff. Thank you, Mr. Vorndran. Mr. Goldstein,
please.
Mr. Goldstein. Thank you, Senator. CISA is uniquely focused
on the cyber-defense mission. In the context of incident
response, we are focused exclusively on mitigating impacts to
the victim and deriving network defense information that we can
share with others.
We also focus significantly on what we would call left of
boom, focusing on sharing information and providing services to
reduce the prevalence and impact of cybersecurity intrusions
before they occur for critical infrastructure, small, medium
businesses, and SLTT partners across the country.
Senator Ossoff. Understand. Is it fair to say that
prevention and adaptation? Is that what you're suggesting is
your unique institutional role at CISA?
Mr. Goldstein. I would frame it, Senator, as prevention,
resilience, and then, in the context of an incident,
mitigation.
Senator Ossoff. Mr. Sheridan.
Mr. Sheridan. Thank you, Senator. The Secret Service is
focused on protecting the Nation's financial infrastructure and
financial payment systems.
Senator Ossoff. You all have some responsibility for
protecting those aspects of critical infrastructure, correct?
My question is what does the U.S. Secret Service lead on, or
what operations do you conduct, what mission do you execute
that is distinct from the other missions represented by your
colleagues at other agencies?
Mr. Sheridan. Our distinction is that our statutory
authority is focused on financial payment systems, the Nation's
financial infrastructure, and I think the distinction of trying
to make singular entities is diluting the concept about this
being a team sport.
There is necessary overlap to provide defense in-depth, to
ensure there's not a single point of failure that the adversary
can exploit. We do have some overlapping authorities. The
Secret Service focuses on financial payment systems and the
Nation's financial infrastructure, which does have some shared
responsibility, but we are the leading agency related to those
investigations.
Senator Ossoff. Thank you, Mr. Sheridan. No doubt,
collaboration is important--so is clarity of purpose. In the
aftermath of recent significant cybersecurity failures, what
I'm trying to establish is where there is sufficient clarity.
Mr. Goldstein, would you please comment on how various sectors
across the U.S., private and public sectors--so, for example,
the defense industrial base, the financial services industry,
local governmental entities, the energy sector that's
represented, for example, by the recent Colonial Pipeline
breach--how would you rank or contrast their respective levels
of appropriate investment, preparation, and whether they engage
in the kind of prudent, and vigilant, and disciplined, and
well-resourced cybersecurity efforts necessary to protect their
networks?
Mr. Goldstein. Thank you, Senator. I'll start by just
noting that, apart from the agencies participating here today,
there are a variety of other agencies across the Federal
Government called sector risk management agencies that have
unique expertise in promoting prudent risk management, both
cyber and otherwise, across sectors of the U.S. economy that do
play a critical role in this team sport, as Mr. Sheridan noted.
Across sectors, there is certainly significant divergence
in cybersecurity maturity, both across sectors, but also within
sectors. Certainly, we have seen significant investment in
cybersecurity measures and best practices in the financial
sector, the defense industrial base, and the energy sector.
That is not to say, of course, that every entity in those
sectors is equally or even appropriately secure.
We certainly need to focus on each sector, and really shift
our focus, as well, on national critical functions. Because we
know that a function upon which Americans depend--so just
keeping the lights on, that relies not only on the energy
utilities, but also the cross-sector entities upon which they
depend.
By looking at a functional approach, we can begin to ensure
that the services that we all rely on remain resilient and
secure against cyber intrusions.
Senator Ossoff. Thank you, Mr. Goldstein. Thank you, Mr.
Chairman.
Chair Durbin. Thank you, Senator Ossoff. Senator, you're
now recognized.
Senator Blackburn. Thank you, Mr. Chairman. Thank you to
each of you. You know, it's been so interesting. We're having a
pipeline cybersecurity hearing in Commerce this morning, so
this is our focus today.
Director Sheridan, I'd like to come to you. We hear all
this information, conflicting things between cryptocurrencies
and cyberattacks. Some people say cryptocurrency is used
because it's less traceable. Others say, well, it always leaves
a digital trail, but that law enforcement is not using
blockchain or other technologies that would work through this.
We've recently started a financial innovation caucus. I'd love
to hear from you on this. With cryptocurrency, does it make it
harder for tracing ransomware attacks?
Mr. Sheridan. The interesting contradiction is that it
actually makes it somewhat easier because, as you said, there
is a digital trail. There are privacy coins and anonymizing
techniques, such as chain swapping, chain hopping, peel chain
methodologies and various technological approaches that can add
layers to that digital trail.
In that sense, it makes it more difficult. If I handed you
a $5 bill and asked you where it's been, it would be almost
impossible to tell. If I handed you a Bitcoin wallet address,
we would be able to tell what's gone in and what's gone out
because of the digital evidence.
It is possible to trace. To your point, we do need to
expand our resources related to that. We have a very strong
workforce, a very technically capable workforce, of computer
scientists, watching analysts, crypto tracers, but we need more
of them. We need to get better equipped, better trained, and
expand our presence domestically and internationally related to
those capabilities.
Senator Blackburn. Do you have a timeline for moving
forward with having--being able to set some standards? Have you
all looked at what this would take? What will it take as far as
man hours, personnel, training?
Mr. Sheridan. We do have a very detailed projection in
terms of timeline, resources, and budget for our ransomware
approach as it relates to cryptocurrency and other digital
monies. I----
Senator Blackburn. Is that information you could share with
us, with the Committee?
Mr. Sheridan. Yes, ma'am, I would be happy to.
Senator Blackburn. I think that would be helpful.
Director Vorndran, let me ask you. Has the FBI looked into
using new technologies and blockchain to track and remediate
some of the ransomware attacks and transactions?
Mr. Vorndran. Thank you for the question, Senator. To
amplify what Jeremy Sheridan said, we use the blockchain
daily----
Senator Blackburn. Okay.
Mr. Vorndran [continuing]. Across the organization to
track--trace Bitcoin, and I think Mr. Sheridan's comments are
spot on, that in certain cases, it actually makes the tracing
easier. In certain cases, it makes it more challenging. His
reference to a $5 bill and understanding its traceability is a
very good analogy.
We have many FBI agents, FBI analysts, data operation
specialists, and other types of personnel in the organization
that use the blockchain on a daily basis.
Senator Blackburn. General Downing, let me come to you with
this. Bulletproof hosters. Hearing about these and the data
centers, and the companies that allow ransomware to be
transacted on their servers. Of course, this is something that
is troubling. That they're setting up overseas and largely
outside of U.S. law.
Are there more steps that you all can take to better track
and shut down these bulletproof hosting operations, at least
domestically?
Mr. Downing. Thank you for the question. You've put your
finger on it. In order for us to have an effective response to
the ransomware problem, we need to look at all parts of the
ecosystem. Bulletproof hosting is a particularly--is one of
those parts. We have at times brought criminal prosecutions
against the owners of these kinds of bulletproof hosters, where
we can show that they are well aware that they are contributing
to criminal activity, but it is, like many parts of this
problem, made more difficult by the international side of it.
These actors are very often overseas, and so, we have to
take steps to build our international partnerships in order to
arrest them. Those are things we are focused on, though, and we
will continue to be as part of the overall response to the
ransomware threat.
Senator Blackburn. Thank you. Thank you, Mr. Chairman.
Chair Durbin. Thanks, Senator. Senator Cotton.
Senator Cotton. Thank you, Mr. Chairman. Mr. Vorndran.
Thank you. Both Russia and China have tried to undermine
multiple American industries through sabotage, intellectual
property theft. American agriculture is no exception. In just
the last few years, we've seen several hyperbolic examples of
this.
In 2016, Chinese researchers were sentenced to Federal
prison for attempting to steal patented corn seeds and trade
secrets from American farms. In 2018, Chinese researchers were
sentenced to Federal prison for trying to steal trade secrets
from the USDA Dale Bumpers National Rice Research Center, and
from an American biotech company. In 2019, a Chinese national was
indicted on economic espionage charges when he stole a copy of
a proprietary algorithm for optimizing agricultural
productivity for farmers.
This has happened in my home State. There's open
indictments against Chinese nationals for trying to steal rice-
related intellectual property. I assume they have absconded
back to mainland China by now. The efforts aren't limited to
espionage. Just a few weeks ago, a Russian-linked group
launched cyberattacks against JBS, one of the largest
meatpackers in the United States. The ransomware attack
temporarily shut down JBS's cattle slaughtering and resulted in
JBS paying a Bitcoin ransom of almost $11 million.
These types of attacks and espionage against agriculture
don't just threaten the livelihoods of American farmers and
companies. They also threaten our food supply chain. Do you
think--do you agree that American agriculture is a target for
foreign cyber actors who are looking for opportunities to
attack?
Mr. Vorndran. Senator, thanks for the question. The answer
to your question is yes, we believe they are a target. We
believe everybody is a target. Whoever has a vulnerability,
there is an adversary out there that will try to exploit it for
any number of reasons. Number 1 reason: financial gain.
Senator Cotton. Thank you. Mr. Goldstein, do you agree that
American agriculture is a target for attack?
Mr. Goldstein. As my colleague noted, absolutely, but for
the same reasons as noted. Organizations that are vulnerable
and can be exploited for profit are certainly a target for
these adversaries.
Senator Cotton. Mr. Downing, I wasn't going to ask this
question, but you committed the cardinal sin of a witness,
clearly nodding your head. Directing fire in your way----
Mr. Downing. All right.
Senator Cotton [continuing]. Now, I'll say do you agree, as
well?
Mr. Downing. Yes, no, I think that's exactly right. My--the
section I supervise was part of some of those prosecutions,
and we have had some successes in bringing Chinese actors to
justice in the United States courts.
Senator Cotton. Since I'm with you, Mr. Downing, then,
would you agree that it would improve the security of American
agriculture if the industry and the regulators in Government
had better and faster information about the threats that they
might face from foreign cyber actors?
Mr. Downing. Yes, as we've said repeatedly today, reporting
from victims is critical. We strongly support the idea that
Congress take up this issue and to pass legislation that would
require reporting of a variety of different kinds of attack,
particularly ransomware, of course, the subject of this issue.
Also attacks on our critical infrastructures and other high-
risk attacks that would affect especially a wider circle other
than just the victim.
Senator Cotton. I'm glad to hear you say that you think
Congress should take up legislation because I have a bill that
will do just that. My Agricultural Intelligence Measures Act
would ensure the USDA has streamlined access to threat
information relevant to key players in American agriculture. I
think it's time that we step up and protect America's farmers
and ranchers from the foreign threats that seek to destroy our
food supply chain.
Let me turn to a topic in my time left that I know that
Senator Klobuchar raised, which is cyber talent recruiting. I
think, Mr. Vorndran, I'll address this to you, as well. You
have two types of positions at the FBI is my understanding,
computer scientists and forensic examiners, that are especially
important for responding to cyberattacks and investigating the
hunt--to hunt for cybercriminals who committed them. Cyber
threats are constantly evolving, of course, and therefore our
response to those threats also requires us to have tech talent
that is on the cutting edge, is that right?
Mr. Vorndran. Yes, Senator, that is accurate.
Senator Cotton. You have to compete for those folks with
some pretty big companies that can pay pretty generous
salaries, like Google, Apple, Amazon, Microsoft, Oracle,
Facebook, and innumerable startups. That's not even mentioning
other top cybersecurity companies. Do you find that the high
demand for the country's best graduates in science, technology,
engineering, math, and related fields makes it harder to
recruit and retain some of the best cyber experts?
Mr. Vorndran. Senator, we have an amazing workforce, and I
can't underscore that enough. People dedicated to the mission
and protection of this country. To your question, yes, sir, it
is hard to recruit the number of people that we need with those
skill sets.
Senator Cotton. My office has been in touch with the FBI on
this issue, and I do respect greatly the workforce you have. I
do think there are some things that we could do to provide the
FBI more tools to get the very best talent in our country, and
to retain them, as well.
I would liken some of the challenges that you might face to
stuff I've heard on Armed Services Committee from Air Force
pilots, who leave the Air Force, not only because they can make
more pay in the private sector, but because they're not getting
to do enough of what they joined the Air Force to do, to fly
high-performance aircraft to focus on bad guys. The
Government's never going to be able to pay as much as the
airlines pay, and I suspect the Department of Justice is never
going to be able to pay as much as Silicon Valley pays, but we
want to give you every tool possible in the toolkit to make
sure that we have the very best people working on this problem,
and that they are fulfilled and rewarded in their job, and want
to make it a long-term proposition, not a career. My time's
expired.
Chair Durbin. Thank you, Senator Cotton. Thanks to the
witnesses for joining us today. While we cannot stop ransomware
attacks completely, we can certainly be better prepared. We
learned today that preventative measures are more cost-
effective and have greater impact on stemming the rise of these
attacks than in just increased enforcement alone.
We also learned how critical information sharing is between
private and public sectors across Government agencies. What
struck me about this hearing was there was a general bipartisan
consensus on this side of the table. I like that. I think
that's a positive thing, and I hope it leads--I think it will--
to specific legislation to deal with this.
There was one dissenting voice who blamed the Biden
administration for the problems of Colonial Pipeline and such.
I think fairness requires us to be candid about other aspects
of previous administrations, such as SolarWinds, which was a
massive breach that affected thousands of companies and the
U.S. Government. It was discovered not by the U.S. Cyber
Command, but by another private entity, I understand, named
FireEye. It's an indication that we can and should strive to do
better.
It also is important to note that it wasn't until this
administration in April made the public declaration connecting
the Russians to SolarWinds, that that statement became
accepted. I think that's an indication of the intent of this
administration, I hope every administration, to keep America
safe.
We need to view this problem with a sense of urgency. I
think that the legislation which you propose, Mr. Downing, is a
beginning of a conversation with the administration on doing
this, and as you notice from Senators Whitehouse, Graham,
Tillis, and Blumenthal, they're anxious to move this forward.
We want this Committee to facilitate that conversation.
The hearing record will remain open for 1 week for
statements. Questions for the record may be submitted by 5 p.m.
on Tuesday, August 3rd. I thank the witnesses again for being
here. The hearing is adjourned.
[Whereupon, at 11:58 a.m., the hearing was adjourned.]
[Additional material submitted for the record follows.]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
A P P E N D I X
to
AMERICA UNDER CYBER SIEGE:
PREVENTING AND RESPONDING
TO RANSOMWARE ATTACKS
Chamber of Digital Commerce, July 27, 2021, statement............ 166
Ransomware 2021, July 2021....................................... 125