US lawmakers have recently begun discussing the need for a federal plan to find out what types of cash payments are made after ransomware attacks. Cyberattacks have been ramping up in recent months, with each one underscoring the nation’s under-preparedness. The digital infrastructure of private companies and government organizations has plenty of vulnerabilities, and their responses to damaging attacks have been frantically improvised. Worsening the situation are the significant delays in responding to cyberattacks, an inevitable consequence of the fact that the federal government has no uniform approach to combating malicious hackers.
In May 2021, $4.4 million in Bitcoin was paid in ransom by Colonial Pipeline, the victim of a ransomware attack by the cybercriminal group ‘The Darkside’. When Colonial Pipeline's computer systems were infiltrated, the 5,500-mile pipeline supplying approximately 45 percent of fuel on the East Coast was shut down.
According to the American Automobile Association (AAA), this shutdown caused fuel prices to reach their highest level since 2014, and the panic buying that ensued led to fuel shortages and the closure of thousands of gas stations in Alabama, Delaware, Georgia, Florida, Louisiana, Maryland, Mississippi, North Carolina, Pennsylvania, South Carolina, Tennessee, Virginia, and D.C. A company spokesperson said that the decision to pay the ransom "was not made lightly" and that "tens of millions of Americans rely on Colonial: hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public."
While succumbing to cybercriminals' demands is highly discouraged, as negotiations legitimize and reward illicit operations, instances of hacking have become exceedingly sophisticated and frequent in the digital age. Ransomware attacks alone, which block access to a victim’s computer systems until a specified sum is paid, increased by 485% between 2019 and 2020, according to a recent Bitdefender report. It is believed that this increase is partially due to a shift towards remote working during the COVID-19 pandemic, as company engineers access system controls from their home computers.
Private firms are not the only targets of ransomware attacks. While 2020 figures are still being tallied, over 70 government agencies faced attacks just in the last year. Ransomware is also just one of the threats that organizations face: data breaches have likewise been skyrocketing, with the average cost being $8.64 million per breach, according to IBM. Chris Krebs, the former head of the US Cybersecurity and Infrastructure Security Agency (CISA), said “We have to have a broader set of tools to stop this stuff, because it is systematically undermining the state and local governments’ ability to provide services.”
In December 2020, a cyberattack and massive data breach conducted by Russian-linked hackers went undetected for months. This attack impacted dozens of organizations across both state and federal governments and agencies. Targeted were the Pentagon, the Department of Defense, the Department of Justice, and the Department of Homeland Security. The length of time that the hackers maintained their infiltration and the reality that they had access to heavily protected information demonstrate the obvious vulnerability of American cybersecurity.
America could look to the European Union for help in forming its strategy. There, our allies have achieved uniformity in cybersecurity practices across member states by creating a shared certification system. This means that cybersecurity techniques and evaluations of risk apply across all member states, encouraging cooperation for cybersecurity technology development and preventing economic barriers for companies operating in multiple countries. The EU has also created a ‘Cybercrime Centre’ within Europol, allocating funding to this specific cause and allowing experts in the field to lead responses to attacks. There should also be rules addressing the payment of ransoms, outlining whether such payments are legal and, if so, requiring that payment amounts be disclosed to the federal government.
Since the extent and potential of crimes in cyberspace have likely not yet been fully witnessed, policymakers should establish a uniform and robust standard for cyberattack response. The Cybersecurity and Infrastructure Security Agency, which was recently established in November 2018, and other government investigative and security agencies must significantly ramp up their protective measures against cybercrimes.
The current ad-hoc approach to responding to cyberattacks is insufficient, and the response often comes too late in times of crisis. A comprehensive plan for cyberattack prevention and a national cyber response framework are necessary as technologies continue to accelerate and become more sophisticated.
Caroline Wang writes on policy topics for the American Consumer Institute.