“The scale of this problem is one that I think the country has to come to terms with,” he added.
Wray’s remarks reflect a developing consensus within the Biden administration that ransomware ranks among the gravest threats to national security the United States has ever faced. And it is part of a broader, all-hands effort by the White House to convince the public it has control of the situation — even as some cybersecurity experts say the executive branch is limited in what it can do unilaterally to stop the attacks.
Deputy Attorney General Lisa Monaco also underlined the gravity of the problem in an interview on Friday.
“I absolutely agree we need to treat ransomware and cyberattacks like the national security threat that they are,” she told CNBC. “That’s why we need to have a national picture, and we need to bring all our tools to bear.”
“We know that indeed the most recent attacks against JBS Foods and Colonial Pipeline are linked to criminal actors, criminal groups that are known to law enforcement that have ties to Russia,” Monaco said, adding: “We cannot give any quarter and no country should be harboring criminal actors of any type.”
15,000 ransomware incidents in the last year
The United States was hit by more than 15,000 ransomware incidents against organizations last year alone, according to Brett Callow, a threat analyst at the cybersecurity firm Emsisoft. The attacks cost the US an estimated $596 million to $2.3 billion in 2020 in ransom payments and lost productivity, Callow said. The true figures are likely even higher, he added, because Emsisoft’s estimates only account for confirmed cases of ransomware incidents.
In the last several years, threat actors have been increasingly successful at hitting larger enterprises in newsworthy attacks, according to Callow.
Thursday’s DOJ memo directs US prosecutors to report internally all ransomware investigations they may be working on, in a move designed to better coordinate the US government’s tracking of online criminals.
The memo cites ransomware — malicious software that seizes control of a computer until the victim pays a fee — as an urgent threat to the nation’s interests.
“We must enhance and centralize our internal tracking of investigations and prosecutions of ransomware groups and the infrastructure and networks that allow these threats to persist,” Monaco wrote.
And in a letter sent out from the White House, the National Security Council’s top cyber official, Anne Neuberger, wrote to corporate executives and business leaders that the private sector needs to better understand its critical role.
“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger wrote. “We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
US businesses of all sizes should immediately implement security measures such as creating offline backups of critical data, implementing multi-factor authentication and deploying encryption to scramble sensitive information, Neuberger said.
In the Journal interview, Wray singled out the Russian government for allowing the cyber actors that the United States and others believe are behind the recent Colonial and JBS attacks to continue operating in Russia.
“Time and time again, a huge portion of those traced back to actors in Russia. And so, if the Russian government wants to show that it’s serious about this issue, there’s a lot of room for them to demonstrate some real progress that we’re not seeing right now,” Wray said.
Attacks on the agenda when Biden meets Putin
The administration is not “taking any options off the table” in response to the JBS incident, press secretary Jen Psaki said at a press briefing this week.
Those announcements follow weeks of other moves by the administration designed to show how aggressively it is confronting the threat of cybercrime and foreign hacking.
In April, the Justice Department launched an internal task force dedicated to hunting down ransomware criminals and disrupting their financial networks. The White House announced a 100-day sprint to assess the cybersecurity of the country’s electric grid, working with utilities to install monitoring technology that can scan for signs of hacking.
After the Colonial Pipeline shutdown, the Department of Homeland Security took emergency measures to force the critical pipeline industry to report cybersecurity incidents to the federal government within 12 hours and designate a “24/7, always available” cybersecurity coordinator. Within 30 days, companies must also assess how their practices line up with TSA’s long-standing pipeline security guidelines.
Officials acknowledged that this was just a first step in the wake of the attack that prompted a halt to operations of one of America’s most important fuel pipelines.
Meanwhile, the US government has undertaken some offensive steps in recent months in response to ransomware, according to two sources familiar with the situation. The moves include compromising and surveilling cybercriminal networks and, in some cases, identifying individual actors involved in specific attacks within a matter of hours.
US government capabilities are limited
But even as the Biden administration takes a tougher stance on ransomware, it is struggling with the limits of its capabilities. The government’s power to penetrate ransomware gangs is “situationally dependent” on the criminals’ own sophistication and defensive measures, the sources told CNN.
Asked Wednesday if he planned to retaliate against Russia for the JBS ransomware attack that the administration linked to Russia, Biden told pool reporters: “We’re looking closely at that issue.”
US officials have been drawing comparisons between the hacking threat and terrorism for years.
In 2018, President Donald Trump’s Director of National Intelligence Dan Coats warned that the system was again “blinking red” as foreign actors conduct a range of cyber intrusions and attacks against targets in the United States, a reference to the alarming activity seen ahead of 9/11.
“And here we are nearly two decades later, and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack,” he said at the time.
At a strategic level, moves by the administration to appoint senior cybersecurity officials or impose sanctions on governments that harbor cybercriminals may have important long-term effects — such as creating stronger international norms discouraging hacking — but are unlikely to change ransomware actors’ short-term financial incentives, said Alexis Serfaty, a senior analyst at the Eurasia Group, a political risk consulting firm.
The administration must also grapple with limits on its authority imposed by law, as well as gaps in the law that Congress has neglected to fill for years.
It simply isn’t feasible for the Biden administration to impose a single, standard set of cybersecurity regulations governing the entire range of critical infrastructure sectors such as pipelines, airlines, telecom networks and more, legal and industry experts say. The complexity of each industry, and their relationship to the wider US economy, speaks to how difficult it is to design cybersecurity regulations, let alone enforce them.
“You’ve got, you know, this patchwork, checkerboard of regulatory requirements, contractual obligations. And it’s just not easy to get to kind of a standard setting of cyber minimum requirements that you’d apply across all 16 [critical infrastructure sectors],” said Chris Cummiskey, former DHS acting under secretary.
Where the executive branch enjoys some of the most leverage with the private sector is in its immense procurement power. By establishing cybersecurity rules for federal agencies, Biden can indirectly shape commercial cybersecurity by winnowing out contractors that don’t meet the standard, Cummiskey added.
The administration could do more to expand commercial incentives, said Ed Amoroso, CEO of the cybersecurity firm TAG Cyber. For example, Amoroso said, the US government could subsidize training for new cybersecurity professionals in order to help organizations implement the latest best practices.
“In every sector, there’s not enough people that know how to do this,” Amoroso said. “I’ve been begging the administration to please turn the crank up on a cyber corps program.”
Congress has its own role to play. For years, lawmakers have struggled to design a single, federal law laying out when and how companies must report data breaches. While many states have their own breach notification rules, and some rules exist at the federal level in specific contexts, such as securities regulation, the US has largely been governed by a patchwork of data breach rules.
Meanwhile, federal agencies charged with regulating specific sectors of the economy each have their own congressional charter that lays out what they are empowered to do, and in some cases, the same agency may be required to regulate one industry differently from another. All of that makes it harder to develop mandatory cybersecurity regulations.
The result is a difficult conversation about who should bear responsibility for protecting the public from cyberattacks — the government, or the private sector, according to cybersecurity experts.
“The struggle right now is to understand who is going to manage that risk,” said Sergio Caltagirone, VP of threat intelligence at the cybersecurity firm Dragos. “Is the US government going to come in and protect critical infrastructure, or should the US government be providing more tools and capabilities and approaches for these companies to do it themselves?”
CNN’s Alex Marquardt and Jamie Crawford contributed to this report.