Congress needs to step up in ransomware fight, House cybersecurity panel chair says
The new head of the House Homeland Security Committee’s panel on cybersecurity said Tuesday that federal lawmakers need to do more to help organizations, especially state and local governments, protect themselves against ransomware.
Speaking during the Cyber Threat Alliance’s CyberNext DC event, Rep. Lauren Underwood, D-Ill., said that the federal government’s current approach to aiding victims of the extortion malware often falls short by being too simplistic.
“It is not realistic to tell state and local governments, hospitals or small businesses to simply not pay a ransom demand,” she said. “Instead we must empower potential ransomware victims with options and weaken their attackers. That means helping state and local governments and critical infrastructure operators improve their cybersecurity postures.”
Underwood called out a few notable ransomware incidents, including the 2018 attack against Atlanta and the 2019 attack against Baltimore, as well as the more recent spate of hacks targeting hospitals across the country. She also noted incidents that struck close to home, including a ransomware strike against a school system in her district west of Chicago.
One step Congress could take, Underwood said, is for the Senate to take up a bill, passed in the House in September, that would create a $400 million cybersecurity grant program for state and local governments.
“We have to help state and locals better protect networks,” Underwood said. “We have to consider providing resources to those who have been impacted by ransomware attacks to rebuild.”
While the Senate has considered several different pieces of legislation aimed at state and local cybersecurity during its current session, none are considered potential companions to the House bill.
Underwood became the head of the Homeland Security Subcommittee on Cybersecurity last month following Rep. Cedric Richmond, D-La., who is leaving Congress to join President-elect Joe Biden’s administration. But Underwood said she took an early interest in cybersecurity upon arriving in Congress because of Russian government hackers’ successful penetration in 2016 of Illinois’ voter registration database.
She criticized the Republican-led Senate and Trump administration for not sharing the House’s interest in expanding election-administration funding during the 2020 election cycle. But Underwood also said she expects a more receptive White House beginning next January.
“I’m confident the Biden administration will prioritize election security,” she said.
And while she praised the Cybersecurity and Infrastructure Security Agency’s oversight of federal election security efforts, Underwood said she was “disturbed” by recent reports that the White House is targeting the agency’s leaders in a post-election purge.
Rather, she said, she would like to see the next administration “scale up” the two-year-old agency, including putting it in charge of responding to ransomware and other emerging cyber threats.
But Underwood said the priority for state and local governments is to get them not just more cybersecurity funding, but better educational and recovery resources.
“We have to communicate to our state and local partners problems about paying off a ransom,” she said. “They may not get their data back, the data may be sold or shared, the hacker may still be in the network. We need to help build better defenses. We need to be better prepared instead of leaving victims to fend for themselves.”