Lawmakers and national security experts said Tuesday that the U.S. needs to take bigger steps at the government level and in the private sector to guard against ransomware attacks.
Rep. Yvette Clarke (D-N.Y.), speaking at The Hill’s Cybersecurity Summit, said the attacks are “happening each and every day.”
“Not only in the private sector but in our government sector, whether it’s state and local governments, our adversaries are never sleeping,” Clarke said. “We’ve been able to avoid the worst possible outcomes — the things that keep us up at night. But at the end of the day, it’s extremely costly.”
Clarke described how legislation that she introduced — the State and Local Cybersecurity Act — has been included in Democrats’ wide-ranging social spending package. Her measure would provide $500 million in cybersecurity funding for state and local governments via Department of Homeland Security (DHS) grants.
As President Biden and Democratic leaders in Congress attempt to unite their party before the spending bill gets a floor vote, Clarke acknowledged that like so many other provisions in the package, funding for her bill could be reduced.
“Unfortunately, there’s some give and take with respect to the amount of funding that may be made available. We really believe we’ve got to start somewhere,” said Clarke, who heads the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation.
.@RepYvetteClarke: “There are ransomware attacks happening each and every day...that is an indication of the fact that our adversaries are never sleeping, and we’ve got to do everything we can to improve our cybersecurity posture” #TheHillCybersecurity https://t.co/nLp5mm7WmY pic.twitter.com/Rdm7tamhgV — The Hill Events (@TheHillEvents) October 12, 2021
Clarke also voiced support for mandatory cybersecurity reporting, saying the Cybersecurity and Infrastructure Security Agency needs to “build trust” with the private sector through reporting so that it has the “forensic ability to get a sense of what it is our adversaries are really up to.”
Former Rep. Mike Rogers (R-Mich.), who chaired the House Intelligence Committee from 2011-2015, expressed concerns at Tuesday’s event that the United States isn’t doing enough to combat ransomware attacks from abroad.
“Our adversaries are starting to understand that you don’t have to attack the National Security Agency or the CIA or even the Pentagon,” Rogers said. “They want to prep the battlefield. If they ever want to engage the United States anywhere in the world, how do you do that? You cause us a lot of problems in cyberspace with private sector companies.”
Rogers, now a CNN national security commentator and board member at cybersecurity firm IronNet, said he doesn’t believe the private sector would be supportive of mandatory reporting for cybersecurity incidents.
Rogers said companies are “very concerned” about sharing information with DHS, but that they shouldn’t have to choose between protection and privacy.
“This notion that you either have to have privacy or security is wrong,” he said. “You can have both. I argue that you can’t have privacy until you have security.”
Former Homeland Security Secretary Janet Napolitano, who also spoke at Tuesday’s summit, said that there are “real demerits” to paying ransom, but sometimes it’s the simplest strategy for a company to recover digital property as soon as possible.
“It would be easy to say, ‘Never pay ransom,’” she said at the summit sponsored by LookingGlass Cyber Solutions. “If you’re attacked and the amount of ransom is a million or 2 million dollars and in the meantime your systems are totally down … you’re gonna weigh it. It’s gonna be very situational.”
Hon. @RepMikeRogers on his concerns with U.S. adversaries and improving our cybersecurity efforts: “if they ever have to engage the United States anywhere in the world - how do you do that? You cause us a lot of problems in cyberspace” #TheHillCybersecurity https://t.co/nLp5mm7WmY pic.twitter.com/6UKe170GC8 — The Hill Events (@TheHillEvents) October 12, 2021
Napolitano, now the director of the University of California at Berkeley’s Center for Security in Politics, said the government needs to play a more active role in identifying perpetrators of cyber attacks.
“Where I think the government needs to step in is on attribution,” she said. “Attribution on who is the party demanding ransom, whether they are a state-sponsored actor or a state actor or simply a state-supported actor. And then be prepared at the government level to make an appropriate response.”
Fmr. @DHSgov Sec. Janet Napolitano on government involvement in cyberattacks on private companies: “how do you balance the customer’s requirement for privacy versus the government’s legitimate need for intelligence and information?” #TheHillCybersecurity https://t.co/nLp5mm7WmY pic.twitter.com/akanUF5tVR — The Hill Events (@TheHillEvents) October 12, 2021