US Senate: Govt’s ransomware fight hindered by limited reporting

A report published today by U.S. Senator Gary Peters, Chairman of the Senate Homeland Security and Governmental Affairs Committee, says law enforcement and regulatory agencies lack insight into ransomware attacks to fight against them effectively.

While ransomware incidents have been increasingly hitting organizations across the country, there's still room to improve reporting of both attacks and ransom payments which would provide the federal government with the data and information it needs to deter this severe threat to national security, Senator Peters added.

"The federal government lacks comprehensive data on ransomware attacks and use of cryptocurrency in ransom payments," the report found.

"Current reporting of ransomware attacks and ransom payments made in cryptocurrency is fragmented across multiple federal agencies."

As the full report reveals, reports received by federal agencies (e.g., CISA, the FBI, FinCEN) only capture a small fraction of the actual scale of this threat, with the agencies still having to implement appropriate sharing and publicly reporting channels.

Other key findings include the lack of reliable data on ransomware incidents and ransom demands, with cryptocurrency payments limiting private sector and federal government efforts to deter such attacks and assist victims.

The report is the result of an investigation into how cryptocurrency facilitates cybercrime and the increase of ransomware attacks in recent years.

Key recommendations

This investigation also helped draw up key recommendations on how lawmakers and federal agencies can ensure that cryptocurrency remains an option for Americans while also removing it as an incentive for future attacks.

According to Senator Peters' report:

The Administration should swiftly implement the new ransomware attacks and ransom payments reporting mandate; The federal government should standardize existing federal data on ransomware incidents and ransom payments to facilitate comprehensive analysis; Congress should establish additional public-private initiatives to investigate the ransomware economy; and Congress should support information sharing regarding ransomware attacks and payments, including crowdsourcing initiatives. 

The Strengthening American Cybersecurity Act of 2022, sponsored by Sen. Peters and introduced in the U.S. Senate in February to address such cybersecurity threats against critical infrastructure, passed Senate with amendments in March.

If signed into law, it would require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours and within 72 hours if they are victims of a "substantial cybersecurity incident."

"My bill that was recently signed into law to require critical infrastructure to report cyber-attacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches," Peters added.