WASHINGTON, D.C. – U.S. Senator Gary Peters (D-MI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, released a new report detailing the results of his investigation into the role cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks that pose an increasing national security threat. Peters’ report found that the federal government lacks sufficient data and information on ransomware attacks and their use of cryptocurrency. The report’s findings highlight the importance of quickly implementing Peters’ landmark law to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours if they make a ransomware payment and within 72 hours if they experience a substantial cybersecurity incident. Once implemented, Peters’ law will ensure the federal government is receiving much-needed information on ransomware attacks that will help protect critical infrastructure and hold attackers accountable.
“Cryptocurrencies – which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers – have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security,” said Senator Peters. “My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them. My bill that was recently signed into law to require critical infrastructure to report cyber-attacks and ransomware payments will be a significant step to ensuring our government has better data to understand the scope of this threat, disrupt the incentive virtual currencies provide for cybercriminals to commit attacks, and help victims quickly recover after breaches.”
READ THE FULL REPORT: “Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns.”
The report’s key findings include:
- The federal government lacks comprehensive data on ransomware attacks and use of cryptocurrency in ransom payments;
- Current reporting of ransomware attacks and ransom payments made in cryptocurrency is fragmented across multiple federal agencies;
- Lack of reliable and comprehensive data on ransomware attacks and cryptocurrency payments limits available tools to guard against national security threats; and
- Currently available data on ransomware attacks and cryptocurrency payments limits both private sector and federal government efforts to assist cybercrime victims.
The report makes key recommendations, including:
- The Administration should swiftly implement the new ransomware attacks and ransom payments reporting mandate;
- The federal government should standardize existing federal data on ransomware incidents and ransom payments to facilitate comprehensive analysis;
- Congress should establish additional public-private initiatives to investigate the ransomware economy; and
- Congress should support information sharing regarding ransomware attacks and payments including crowdsourcing initiatives.
The number of paralyzing ransomware attacks demanding payment using cryptocurrencies has sharply risen. In recent years, digital currencies have allowed criminal organizations to collect hundreds of millions of dollars from ransomware attacks on entities including a major oil pipeline, health care facilities, and the world’s largest beef supplier. Peters’ investigation showed that existing data on ransomware attacks is incomplete and that law enforcement and regulatory agencies require more information on the number and types of ransomware attacks that occur across the country in order to more effectively combat attacks.
The ransomware threat is compounded by the use of cryptocurrencies, and increasingly attackers are demanding payments in “privacy coins,” which are more anonymized and present more challenges for law enforcement to trace. Limitations in agencies’ efforts to enforce anti-money laundering and banking regulations that cover cryptocurrency exchanges against illicit actors in certain foreign jurisdictions present additional challenges for tackling the ransomware threat. Approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government. Peters’ investigation determined that more information and oversight are needed not only to better address the cybersecurity threat posed by ransomware attacks, but also to address the challenges law enforcement faces in enforcing anti-money laundering laws and holding cybercriminals accountable in order to deter and prevent future attacks.
In addition to his cyber incident reporting law, Peters has led efforts to strengthen cybersecurity protections across the board. His bipartisan bill to enhance cybersecurity assistance to K-12 educational institutions across the country was signed into law. Additionally, Senator Peters secured several provisions in the bipartisan infrastructure law to bolster cybersecurity – including a $100 million fund to help victims of a serious attack recover quickly. Peters has also authored and passed significant reforms out of the Senate to require civilian federal agencies to report to CISA if they experience a cyber-attack and ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.