Senate Committee Chair: ‘Ransomware Has Changed the Equation’

When Sen. Gary Peters, D-Mich., talks about cybersecurity, his sense of urgency is palpable.

Peters, who is chairman of the Senate Homeland Security and Governmental Affairs Committee, listed a range of issues the committee is addressing in an interview with the Washington Post that was livestreamed on Oct. 26. “We have an awful lot on our plate,” he said. Peters named border security, the rise of violent extremist groups, and the Federal Emergency Management Agency’s role in responding to fires, storms and the pandemic as examples.

But, he added, “Cybersecurity for me is central – perhaps one of the most central threats we face in the homeland.”

Peters said the sudden public visibility of the effects of ransomware, as in the JBS Foods and Colonial Pipeline attacks earlier this year, has shifted attitudes about cybersecurity.

“Ransomware has changed the equation, clearly,” he said. While there have been widely publicized hacking incidents, often involving the theft of financial and personal information on sometimes millions of people, the potential consequences were far less visible.

“The stealing of private information can be monetized … but the Colonial Pipeline hack clearly showed what could happen,” he said. “It’s also pretty easy to wrap your head around it. [It’s] like a bank robbery. ‘Give me your money and I’ll give you your data back.’ It’s very tangible.”

Peters said the FBI has been very clear that companies should not pay ransomware demands. He pointed out that the CEO of Colonial Pipeline said that even though the company paid the ransom and got the decryption key for its data, it would take 12 to 18 months to get systems fully back in place. Many small companies don’t have the wherewithal to survive that long.

“I hear from small businesses all the time that are getting hit by ransomware attacks. If a small business gets hit, 60% are out of business in a year or a year and a half,” Peters said. “I hope we get to a point where companies realize there are other responses available to them” than to pay the ransom. He said it is possible there will be legislation to ban ransomware payments, but for now he hopes companies will work with the Cybersecurity and Infrastructure Security Agency, or CISA, to report such attacks early and get assistance in responding to them.

Peters said there are several areas where his committee is taking legislative action. For instance, the Senate passed the bipartisan “hard” infrastructure bill, which includes $1 billion to help state, local, tribal and territorial governments deter cyberattacks and modernize their IT systems. 

Earlier this month, the committee approved a bipartisan bill to update the Federal Information Security Modernization Act (FISMA), and another bipartisan bill to require critical infrastructure owners, operators and federal civilian agencies to report cyberattacks to CISA within 72 hours.

Peters acknowledged there has been debate over that 72-hour window, with some in Congress and industry saying it should be a shorter period of allotted time. He pointed out that companies can report faster than that, but they first need the time to respond to attacks, and in many cases they have to confirm that an attack is actually taking place. “Otherwise you get a lot of noise. That’s not going to help,” he said.

The committee also is looking at the use of cryptocurrency in ransomware attacks. “Most of these payments are made with cryptocurrency, and that’s why we’ve started investigating it,” he said. “How do we better understand that and take measures?”

Peters said he has discussed the need for a coordinated government-industry response to cyberattacks with President Biden, including stronger deterrence measures.

“We also have to be able to go after the bad guys. Whether they’re criminal organizations, state sanctioned organizations or nation-states themselves, we need to have a deterrence factor,” he added.