Lawmakers increasingly anxious about US efforts against Russian hackers
Five months after President Biden met with Russian President Vladimir Putin and urged him to take a stand against ransomware attacks emanating from his country, lawmakers are beginning to chafe at what they view as a lack of results from the administration’s efforts to confront Russia.
Their concerns have increased in recent weeks as they heard mixed messages from key federal leaders on whether ransomware attacks tied back to Russian-based hackers have decreased since the two leaders met, undercutting the Biden administration’s extensive efforts to strengthen the nation’s cybersecurity.
“If the United States knew that criminal actors were emanating from our soil and attacking another country, we would act, and I don’t see any evidence that Russia is actually helping us on this score,” Rep. Elissa Slotkin (D-Mich.), chairwoman of the House Homeland Security Intelligence and Counterterrorism Subcommittee, said at a hearing Wednesday.
Biden put cybersecurity concerns at the center of his agenda during his in-person talk with Putin in Geneva earlier this year, and handed the Russian leader a list of 16 types of critical infrastructure in the U.S. that could not be attacked without risking retaliation. Biden warned at the time that the U.S. would take further steps if action wasn’t taken, and private talks between U.S. and Russian officials have continued since that meeting.
“I pointed out to him we have significant cyber capability, and he knows it. He doesn’t know exactly what it is, but it’s significant,” Biden told reporters following the meeting. “If they violate these basic norms, we will respond.”
Adding to lawmakers’ concerns are statements made in recent weeks by top officials that have painted slightly conflicting pictures of the state of ransomware attacks.
“We have seen a discernible decrease,” National Cyber Director Chris Inglis testified on Russian ransomware attacks to the House Homeland Security Committee earlier this month, cautioning that “it’s too soon to tell whether that is because of the material efforts undertaken by the Russians or the Russian leadership.”
But the day after Inglis’s testimony, Deputy Attorney General Lisa Monaco told The Associated Press that “we have not seen a material change in the landscape.”
“From an FBI perspective, we have not seen a decrease in ransomware attacks in the past couple of months originating from Russia,” Bryan Vorndran, the assistant director of the FBI’s cyber division, told the House Oversight and Reform Committee Tuesday. “Please understand we do have incomplete data. In a best case scenario, we only see about 20 percent of the intrusions in the country.”
The lack of data has increasingly not sat well with lawmakers on both sides of the aisle, who have seen constituent concerns around cyber threats creep up over the past year following ransomware attacks on groups including Colonial Pipeline and meat producer JBS USA, as well as city governments, schools and hospitals. Both the Colonial Pipeline and JBS USA attacks were linked to cybercriminals likely based in Russia.
These concerns were front and center during the two House hearings on ransomware attacks this week, at which lawmakers grilled federal officials.
During a testy exchange between Slotkin and Robert Silvers, the under secretary of the Department of Homeland Security’s Office of Strategy, Policy, and Plans, Slotkin repeatedly pressed Silvers for metrics on attacks. Silvers testified he couldn’t make a “definitive assessment” due in large part to a lack of transparency into the private sector.
“I am very concerned about whether or not we are actually able to hold people accountable inside Russia,” Rep. August Pfluger (R-Texas) noted after a similar exchange with Silvers. “We want to see and hear and understand the specifics of these instances and how that effect is making headway to prevent our businesses.”
Some lawmakers suggested the need to go further and take more aggressive actions against Russia.
“Obviously Putin can shut these operations down in a day if he wanted to,” Rep. Tom Malinowski (D-N.J.) said at the House Homeland Security Committee hearing Wednesday. “Frankly, although we don’t talk about this as much publicly, I do believe that there is an offensive, not just defensive capability, that we need to be employing here.”
“At what point is this a declaration of war, a declaration that we cannot put up with?” Rep. Ralph Norman (R-S.C.) asked during the House Oversight and Reform Committee hearing the day before, adding that “they are shooting their way into us.”
House Homeland Security Committee ranking member John Katko (R-N.Y.) was even more blunt.
“Russia and China are not deterred on cyber issues. It’s because of the weak response of this administration,” Katko told The Hill Wednesday. “You’ve got to have a strong response in the cyber realm. The bad guys know nothing but strength, and if you don’t project strength, you’ve got problems.”
But administration officials have insisted this week that not only has the administration made confronting cybersecurity threats a priority, but they have taken a number of steps to create political pain for Russia and are continuing to urge leaders there to crack down on hackers behind the scenes.
“We have been quite direct with the Russian government, but we are not sitting around and waiting for the Russian government to act,” Silvers testified. “We have communicated that if they will not act against those taking this action from their territory, we will take those actions, and we are doing so, and those have been announced, and some have not been announced, in recent months.”
“One of the keys here is to make ransomware criminals feel paranoid, scared, not trusting those around them, and that is what we are doing to disrupt them,” he added.
Beyond meeting with Putin, Biden signed into law an executive order in May to strengthen federal cybersecurity, and the White House convened leaders from around 30 countries last month to discuss ways to address ransomware attacks on the global stage.
In addition, the Justice Department and Treasury Department have issued indictments and sanctions against cybercriminals in Russia and neighboring states, along with Biden sanctioning Russia in retaliation for the SolarWinds hack.
“When I met with President Putin in June, I made clear that the United States would take action to hold cybercriminals accountable,” Biden said in a statement last month after the Justice Department indicted hackers tied to the ransomware attack on IT group Kaseya. “That’s what we have done today.”
Silvers and other officials argued this week that data wasn’t forthcoming due to the lack of regulations mandating critical organizations to report cybersecurity incidents. Legislation to do just that is likely to be signed into law as part of this year’s National Defense Authorization Act.
“It’s difficult to assess, because the vast majority of ransomware incidents are not reported to the government,” Silvers testified, stressing that the legislation would “get us the data we need to make these kinds of assessments that you expect to see in your oversight.”
But in the meantime, lawmakers are anxious for more tangible progress.
“It’s one thing to say we are going to take action and to demonstrate strength, it’s another thing to actually have the data to back it up,” Slotkin said.