Portman, Peters Seek Input as Committee Works to Address Relentless Ransomware Attacks

WASHINGTON, DC – U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, wrote a letter to Acting Office of Management and Budget Director Shalanda Young and National Security Advisor Jake Sullivan seeking input from the administration as they work to address the relentless wave of ransomware attacks against our nation’s critical infrastructure. Recent attacks include dangerous breaches of a major oil pipeline, the New York City transportation system, and meatpacking centers across the nation. 

“As highlighted in recent weeks, a single ransomware attack against a vulnerable target can have widespread and devastating impacts for communities across the United States. Criminal actors have infiltrated and held critical infrastructure companies hostage, disrupting essential elements of society ranging from our nation’s fuel distribution networks to food supply chains,” wrote the senators. “The federal government needs to do more to support partners in the public and private sectors as they work to secure their systems against ransomware attackers and punish the bad actors that perpetrate these crimes to deter future attacks.” 

As Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, Portman and Peters have led efforts to bolster our nation’s cybersecurity defenses. The senators recently held a hearing with the President and Chief Executive Officer of Colonial Pipeline to examine the company’s recent ransomware attack. Earlier this week, the Senate passed Portman and Peters’ Cyber Response and Recovery Act, which will create authority for the Secretary of Homeland Security, in consultation with the National Cyber Director, to declare a Significant Incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations. This declaration would empower the Cybersecurity and Infrastructure Security Agency to coordinate federal and non-federal response efforts, and allow the Secretary access to a Cyber Response and Recovery Fund that would help support federal and non-federal entities impacted by the event. The bill would authorize $20 million over seven years for the fund and would require DHS to report to Congress on its use.  

Text of the letter is copied below and available here

June 10, 2021 

Dear Acting Director Young and Mr. Sullivan: 

We write to you today with serious concern about the state of our nation’s cybersecurity and the threat of ransomware attacks directed at our critical infrastructure. As highlighted in recent weeks, a single ransomware attack against a vulnerable target can have widespread and devastating impacts for communities across the United States. Criminal actors have infiltrated and held critical infrastructure companies hostage, disrupting essential elements of society ranging from our nation’s fuel distribution networks to food supply chains. 

The federal government needs to do more to support partners in the public and private sectors as they work to secure their systems against ransomware attackers and punish the bad actors that perpetrate these crimes to deter future attacks. We must also encourage critical infrastructure companies to assess their own risk and mitigate this threat. Otherwise, our national security, economic security, and the stability of daily life in this country will continue to be in jeopardy. 

The only way that we as a nation can fight this persistent and growing threat is through action. As Chair and Ranking Member of the Senate committee with primary jurisdiction over cybersecurity issues, we are considering introducing and marking up legislation that will address the threat of ransomware attacks before the Senate’s August recess this year. We would like to receive the Administration’s input as we draft and develop this legislation. In particular, we would appreciate your assistance in providing the following within 30 days:

1. Information on strategies that relevant federal agencies are developing and implementing to combat ransomware attacks;

2. Any new authorities, or revisions to existing authorities, that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur; and

3. Suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks. 

We would appreciate you coordinating a response on behalf of the whole Administration including the Department of Justice, the Department of Homeland Security, and the Intelligence Community. We look forward to working with you on this issue in the coming months. Thank you for your attention to this matter. 

###