Biden administration readies 3 initiatives to curb ransomware

When President Joe Biden met with Russian President Vladimir Putin in June, the leaders agreed to chip away at tolerated cybercriminal activity — though less than a month later a Russia-based gang, REvil, targeted IT management company Kaseya.

Russia denies responsibility for the attack, but lawmakers added the supply chain ransomware attack to the growing list of red flags against the nation state. Sen. Mark Warner, D-Va., introduced a bill for "timely federal government awareness of cyber instructions," earlier this month in response, in addition to a slew of other cyber legislation in the draft stage. The bill designates the Cybersecurity and Infrastructure Security Agency (CISA) as the recipient of notifications from other federal agencies and "covered entities."

While lawmakers are finding their part in cybersecurity, the Biden administration rolled out several efforts in response to the unrelenting ransomware threat. In May, Biden released the cyber executive order, though critics say the order did not define the role of government in protecting critical infrastructure well enough, according to Bryson Bort, founder and CEO of SCYTHE and senior fellow at the R Street Institute, during a webcast June 21.

But beyond the executive order, the government "needs to be looking at how we change the economic utility, and the calculus of actors," Bort said. The government wants cybercriminals to think twice before instigating an incident.

Then, in June, the Department of Justice launched the Ransomware and Digital Extortion Task Force, separate from the Ransomware Task Force by the Institute for Security and Technology. And last week, the Biden administration announced three more initiatives to combat ransomware:

1. Online ransomware hub

The Departments of Justice and Homeland Security launched the "StopRansomware.gov" website as a central hub for ransomware-related information, guidance and alerts. The website offers victims of attacks "clear guidance" for how to report their incident.

Officials built the online resource with a culmination of input from CISA, Secret Service, FBI, the National Institute of Standards and Technology (NIST), and the Departments of the Treasury and Health and Human Services.

While an informative resource for individuals and organizations to refer back to, like the other measures, it does not "move the needle in the private sector where the majority of attacks occur and there is a huge potential to damage to the economy," Andy Bennett, VP of technology and CISO of Apollo Information Systems, told Cybersecurity Dive in an email.

"As a CISO, I entirely plan to participate in any opportunity made available to me, as will many of my peers," Bennett said. "However, we will likely stop participating if the initiative doesn't show progress."

2. $10 million reward

The federal government has historically struggled with information sharing — it cannot always exchange information with the private sector in return for companies' inputs. The State Department announced a monetary reward program for information sharing that identifies a person or location "acting at the direction or under the control of a foreign government," performing malicious cybercrime against U.S. critical infrastructure.

"I feel like every three to six months, whenever something bad happens, everyone goes, 'Well, we should do information sharing,'" Bort said. "And yet, we don't. We haven't." Bort argues that there is not enough transparency among security professionals to use information sharing in an effective way.

To incentivize information sharing, specifically in relation to ransomware, the Department of State's Rewards for Justice (RFJ) program announced its $10 million reward for relevant ransomware data.

The RFJ program created a Dark Web channel, based on Tor, for reporting information. The tips will be fed to other federal agencies to dissect information for relevance. Rewards could be paid in cryptocurrency depending on the eligibility of the sources.

If an individual or organization is able to identify malicious activity against critical infrastructure and acting in violation of the Computer Fraud and Abuse Act (CFAA), they will receive payment.

Violations of the CFAA could include extortion threats, intentional unauthorized access to a computer system and enabling a command, or deliberate damage to a computer, the State Department said in its announcement. "Protected computers include not only U.S. government and financial institution computer systems, but also those used in or affecting interstate or foreign commerce or communication."

3. Virtual conference for financial industry

The government will continue with a virtual conference in August for stakeholders and government in the financial sector, as part of the Financial Crimes Enforcement Network (FinCEN), will help inform next steps on how the sector can combat ransomware.

It's not only business disruption financial services companies have to avoid — it's also data exploitation. The industry is simply a high-value target for bad actors.

Organizations in financial services are approximately 300 times more likely to be the target of a cyberattack, according to data from Arctic Wolf. Between March and June 2020, phishing and ransomware attempts in the the financial industry grew by 520%, the highest increase of any industry.

In part due to mass remote work since March 2020, financial institutions and financial market infrastructures (FMIs) experienced cyberattacks, including phishing and ransomware, increasing from 5,000 to 200,000 weekly incidents.

The virtual event, FinCEN Exchange, will address ransomware with participants from the public sector, private sector and law enforcement, within financial institutions. The August event is an addition, or follow up, to the FinCen Exchange hosted in November 2020.

The Exchange, like the other initiatives, are voluntary for participants.