Lawmakers rally around cyber legislation following string of attacks
Lawmakers on Capitol Hill are scrambling to introduce legislation to address a devastating spike in ransomware and other cyberattacks on critical organizations such as Colonial Pipeline and JBS USA.
The effort marks a rare area of bipartisanship in an increasingly divided Congress, with lawmakers under pressure to confront cyber threats emanating from both foreign nations and cybercriminal groups making millions from holding companies for ransom.
"We think it's essential for us to get our hands around this issue of ransomware, Colonial Pipeline is the biggest example, and then JBS, the meatpacking company, but it happens every day, and it happens to smaller companies too and individuals," Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-Ohio) told The Hill Thursday.
"We need a better federal defense and offense on it, and we need to be sure it's a partnership with the private sector," he added.
Portman is currently working with Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) on legislation to address the increase in ransomware and other crippling cyberattacks on critical organizations.
Peters told reporters last week that the legislation would be "comprehensive" and was necessary as cyberattacks have increasingly become "attacks on our very way of life."
"I think every member on this committee agrees that this committee will focus our collective attention and resources on dealing with this problem," Peters testified at a committee hearing last week.
The bipartisan bill is part of a larger effort by Congress to address the rapidly expanding cyber threats, which have been in the spotlight in recent months due to both foreign and cybercriminal attacks.
Ransomware attacks disrupted operations in May at both Colonial Pipeline, the provider of 45 percent of the East Coast's fuel, and JBS USA, the largest beef supplier in the nation, endangering critical supply chains.
These attacks came as the federal government continued to recover from the SolarWinds hack, in which Russian-government-backed hackers compromised nine federal agencies, and from vulnerabilities in Microsoft's Exchange Server application that potentially compromised thousands of groups.
In the wake of these attacks, Senate Majority Leader Charles Schumer (D-N.Y.) last week called on Peters and other Senate committee leaders to conduct a "government-wide review" of the incidents and make rolling out legislation to strengthen U.S. cybersecurity a priority.
"We in Congress have a responsibility to conduct oversight and determine whether our government needs an additional authority and resource to take the fight to cyber criminals and foreign intelligence services," Schumer said on the Senate floor.
Peters is not the only committee leader working to put together cyber legislation.
Senate Intelligence Committee Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.), and committee member Sen. Susan Collins (R-Maine) are circulating draft legislation meant to tackle the threat of ransomware attacks, first reported by CNN on Wednesday.
The draft bill, which was obtained by The Hill, would require federal agencies, federal contractors, and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).
It would give CISA 180 days after the bill became law to establish a reporting system to compile these reports, and would require the agency to submit annual, potentially classified reports to Congress on all incidents.
Critically, the bill would also grant liability protections to groups that report breaches; current voluntary standards for reporting have often complicated the reporting process in recent years.
"I haven't compared theirs and ours, it's just based on our work in Intel and what we've learned, and as far as the rollout, we'd love to have it next week, but if not it will probably be after we come back in July," Rubio told The Hill on Thursday.
In a separate effort, Sens. Lindsey Graham (R-S.C.), Sheldon Whitehouse (D-R.I.), Richard Blumenthal (D-Conn.), and Thom Tillis (R-N.C.) on Thursday reintroduced legislation originally rolled out in 2018 that would crack down on cyber criminals.
Their bill, the International Cybercrime Prevention Act, would tighten consequences for hacking a critical infrastructure organization, such as a dam or a hospital, along with expanding the Justice Department's ability to go after botnet groups.
"What we're seeing here is not just a weed, it's an invasive species, it's comparable to an invasive species that needs to be stopped in your garden before it takes over everything in that garden," Blumenthal told reporters of cyber threats at a Capitol Hill press conference Thursday. "Here the garden will succumb to that invasive species if we don't stop it."
Graham said at the same press conference that he would "insist" on adding it to any infrastructure package the Senate potentially agrees on as a way to move it through Congress quickly.
"Now we've got a moment in time when we can't ignore it anymore, I now deem this infrastructure," Graham said.
One key issue being looked at by both Capitol Hill and the Biden administration is creating mandatory cyber legislation or regulations to force critical infrastructure groups to enhance security.
The Transportation Security Agency (TSA) last month issued a new security directive requiring pipeline companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of them occurring, and is working on further regulations.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, on Thursday criticized what he described as past "happy talk bills" that created only voluntary cybersecurity standards and left the door open to more attacks.
"I am pleased that it looks like we are going to insist on more accountability, so to speak, with contractors," Wyden told The Hill.
While there are multiple bills with several sponsors in the mix, there is no disagreement that following a year in which hackers targeted everything from hospitals to schools to government agencies, action must be taken to stem the tide of attacks.
"You look back at some of the previous bills and it was not what I think the country needed and I think now every senator is saying to themselves, 'this is pretty obvious,'" Wyden said.