The Senate Committee on Homeland Security and Governmental Affairs will hold a hearing today (June 7) on the rising threat of cryptocurrencies as an enabler of ransomware attacks and ransom payments. Expert witnesses from the private sector will testify about how to address these problems.
The Tuesday hearing comes a few days after Sen. Gary Peters, chairman of the committee, released a report on June 2 detailing the results of his investigation into the role cryptocurrencies play in emboldening and incentivizing cybercriminals to commit ransomware attacks, which the report describes as a growing national security threat. The report found that the federal government lacks sufficient data and information on ransomware attacks and on the use of cryptocurrency for ransom payments in those attacks.
One of the report's recommendations is that "Congress should establish additional public-private initiatives to investigate the ransomware economy." Today's hearing may seek to reinforce that collaboration and to identify other ways to obtain additional data. The witnesses come from private organizations specializing in cybersecurity policy (Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology), ransomware recovery (Bill Siegel, CEO of Coveware) and blockchain data analysis (Jacqueline Burns, head of Cyber Threat Intelligence at Chainalysis).
The hearing, presided over by Peters, will likely address several concerns raised in his report, including the lack of comprehensive data on the number of ransomware attacks and how federal agencies could access and share more data to be in a "better position to assist existing and potential cybercrime victims with prevention, detection, mitigation and recovery."
The report highlighted that, despite efforts by several federal regulators to address this rising threat, in particular the Financial Crimes Enforcement Network (FinCEN), the Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS), current reporting is fragmented across agencies, which do not capture, categorize or publicly share information uniformly.
One of the most significant legal developments that would help close the information gap in this space is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The law, signed in March 2022, requires covered entities in critical infrastructure sectors to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident has occurred. Ransom payments must be reported within 24 hours of the payment being made. These obligations take effect once CISA completes the rulemaking that defines which entities and incidents are covered.
The law replaces the voluntary nature of these disclosures with a mandatory reporting obligation. Peters' report also recommends that the Administration "swiftly implement the new mandate." It says, "Federal agencies should implement the requirement in the law to share all cyber incident reports with Cybersecurity and Infrastructure Security Agency to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes."
Additionally, the report recommends that agencies standardize ransomware data across the federal government to enable more comprehensive information sharing and analysis. Its final recommendation is that Congress and the relevant agencies consider ways to support partners in the private, nonprofit and academic sectors that seek to expand the collection and organization of information on ransomware attacks, including by examining federal funding options and sharing anonymized data on ransomware attacks and payments.