National Cyber Director Chris Inglis, Cybersecurity and Infrastructure Security Agency (CISA) Executive Director Brandon Wales and Assistant Director of the FBI’s Cyber Division Bryan Vorndran spoke about the importance of raising state and local officials’ awareness of existing, free cybersecurity resources. The witnesses also urged mandatory incident reporting while acknowledging that the federal government needs to make a more streamlined and cohesive reporting process.
The hearing came on the heels of the House Committee on Oversight and Reform’s memo on ransomware released earlier that day, which reported preliminary findings of an investigation into attacks against three major victims during the past year: CNA Financial Corporation in March, Colonial Pipeline in May, and JBS Foods in June.
“We are at a tipping point, as cyberattacks have become more common and potentially more damaging,” said committee chair Rep. Carolyn Maloney.
A committee press release further underscores the scope of the problem, estimating that “ransomware-related transactions in 2021 will be higher than the previous 10 years combined.”
Fresh funding is coming down the pipeline to help combat cyber threats, with Biden’s infrastructure bill delivering $1 billion to state, local, tribal and territorial governments’ cybersecurity efforts, as well as furnishing Inglis’ new office with $21 million.
The pending Build Back Better Act also would empower CISA with more money, including with $80 million for CISA and the Federal Emergency Management Agency (FEMA) to direct to boosting state, local, territorial and tribal governments’ cybersecurity training and recruitment.
CYBER RESOURCES: FREE, BUT UNNOTICED?
Even just one employee making a small mistake, such as using a too-simple password, can be enough for hackers to gain access to the enterprise, the committee memo noted. And to fend off ransomware, it’s not enough for some individuals to adopt more cyber secure behaviors — entire organizations and communities need to get on board, too, Wales said.
But smaller organizations may not know what steps to prioritize or may lack the budgets and tools to tackle them.
Wales said there are plenty of free tools and services, including from the Multi-State Information Sharing and Analysis Center (MS-ISAC) and CISA. The latter offers supports that include an online catalog of known vulnerabilities that organizations are encouraged to prioritize patching and a stopransomware.gov website with guidance and resources, Wales said.
More work is needed to alert public officials to the available offerings, however, with Wales noting that “school districts are among the least signed up for a number of those free services” from MS-ISAC.
To that effort, CISA has 36 cybersecurity coordinators it deploys to state and local governments to help them learn about available resources, Wales said.
INCIDENT REPORTING LAW
Tools for boosting defenses against cyberattacks cannot guarantee that none will slip through, however, and cybersecurity and law enforcement agencies want to know whenever that happens — especially if the victims are in critical infrastructure.
The representatives of CISA and the FBI speaking during yesterday’s hearing called for legislation requiring victims to quickly report cybersecurity incidents to their agencies — something Wales called a “top priority.” Once alerted, the agencies can promptly move to support victims, pursue the perpetrators, and warn potential next victims.
“I can’t stress enough the importance of the FBI receiving full and immediate access to cyber incidents, so we can act on them as soon as possible” Vorndran said. “Twenty-four hours probably wouldn’t seem like a big delay to most people, but the help we can offer within that time can be the difference between a business or a piece of critical infrastructure staying afloat or being crippled.”
Better reporting could also help fill a sizable knowledge gap, with Vorndran saying the FBI believes it only detects roughly 20 percent of cyber intrusions in the U.S.
The details of what a mandatory reporting policy would look like aren’t yet finalized, with Wales saying there are several different versions of a federal cyber reporting bill currently circulating.
Another problem: even victims who intend to report can struggle to identify the right method, the memo found. Maryland Rep. Jamie Raskin said it can be unclear whether they should report to CISA, the Secret Service or the FBI and even then, which of the agency offices or channels to use.
Inglis said that improving cybersecurity communication among federal agencies is a core priority for his office. He is working to ensure that incidents reported to any of various government agencies get relayed to CISA, and that the agency can then share its findings with others.
THE KASEYA DECISION
Congress members also probed at the agencies and Biden administration’s larger cybersecurity strategies, asking about FBI ransomware response decision-making and international diplomacy.
Hacking group REvil’s July attack on IT software provider Kaseya spread to an estimated 2,000 public- and private-sector clients around the world, including Leonardtown, Md. Rep. James Comer asked why the FBI waited several weeks before revealing it had secretly obtained decryption keys to unlock infected systems.
Vorndran said that these keys had been developed by criminals, which made the FBI wary that they might also contain malicious code. The agency wanted to take time to thoroughly test the decryption tool to ensure implementing it would not also install backdoors or other vulnerabilities into victims’ systems.
INTERNATIONAL PICTURE
South Carolina’s Ralph Norman also questioned whether the U.S. should take more aggressive actions against Russia for not acting to stop ransomware perpetrators based in its country.
“At what point is this a declaration of war?” Norman said.
Inglis said that no ransomware attacks have yet been attributed to the Russian government, only to hackers based in Russia, which makes it important to present demands and give Russian officials time to respond. The White House is first seeing whether it can get change by pushing Russia to crack down on criminals in its borders who target U.S. critical sectors.
The U.S. intends to take “financial and diplomatic action” should this not achieve change, and recent international agreements over cyber norms also then give greater weight to accusations of misbehavior, Inglis said. Strategies underway include efforts to interrupt payments from reaching hackers and collaborations with other nations to arrest alleged perpetrators. Improving the nation’s cyber posture to make U.S. entities a harder target is also essential, he said.
“Defense is equally, if not more, important,” Inglis said.