Ransomware Attacks Spur a Renewed Push for Company Mandates (1)

July 27, 2021, 6:23 PM

U.S. companies that provide critical services or have high-value trade secrets should be required to improve their cybersecurity and report hacking attacks to the federal government, national security officials and senators said Tuesday.

The attack on Colonial Pipeline Co. in May, which forced the shutdown of the largest fuel pipeline in the U.S. until the company paid $4.4 million in ransom, represents “a total face-plant failure,” Senator Sheldon Whitehouse said during a Senate Judiciary Committee hearing on what to do about ransomware attacks.

“We now have a situation in which you can have critical infrastructure companies fail at meeting basic standards of cyber hygiene, and we’re OK with that,” Whitehouse, a Rhode Island Democrat, said. “We don’t have to regulate everybody in the world. But if you’re critical infrastructure we should no longer tolerate this voluntary regime with big companies who know their infrastructure is critical and fail.”

Whitehouse has introduced legislation with Senator Lindsey Graham, a South Carolina Republican, that would create cybersecurity and breach reporting requirements for certain companies. Whitehouse called on the Biden administration to promptly work with lawmakers to prepare the legislation.

The Justice Department also wants Congress to pass legislation requiring certain companies to notify the federal government about ransomware attacks, Richard Downing, deputy assistant attorney general, testified. The requirement should be for breaches that affect critical supply chains and high-value trade secrets, Downing said.

The department is also seeking help from Congress to improve the ability to disrupt criminal activity and enhance the ability to prosecute those carrying out attacks, who often live in countries that are off-limits to U.S. investigators such as Russia and China, Downing said.

Downing said that Russia is at the top of the list of countries that protect criminals. The U.S. has found connections between criminals carrying out ransomware attacks against U.S. companies and Russian intelligence agencies, Downing said.

“I wouldn’t say that the government of Russia is behind these attacks. However, we do believe they aren’t doing what they could be doing to suppress these attacks,” Downing said.

Although there was bipartisan support for new legislation, the hearing also aired criticism along party lines. Senator Ted Cruz, a Texas Republican, said President Joe Biden has “responded to an extreme threat with extreme weakness” after attacks.

Downing, the Justice Department official, said that “most of the ransom paid by the Colonial Pipeline was recovered,” despite criticism of the administration’s performance.

(Updates with Justice Department official in final paragraph)

--With assistance from Cameron Minnard.

To contact the reporters on this story:
Chris Strohm in Washington at cstrohm1@bloomberg.net;
Sophia Cai in Washington at scai102@bloomberg.net

To contact the editors responsible for this story:
Bill Faries at wfaries@bloomberg.net

Larry Liebert, Andrew Martin

© 2021 Bloomberg L.P. All rights reserved. Used with permission.

To read more articles log in. To learn more about a subscription click here.