Ransomware attacks spur a renewed push for company mandates


U.S. companies that provide critical services or have high-value trade secrets should be required to improve their cybersecurity and report hacking attacks to the federal government, national security officials and senators said Tuesday.

The attack on Colonial Pipeline Co. in May, which forced the shutdown of the largest fuel pipeline in the U.S. until the company paid $4.4 million in ransom, represents “a total face-plant failure,” Senator Sheldon Whitehouse said during a Senate Judiciary Committee hearing on what to do about ransomware attacks.

“We now have a situation in which you can have critical infrastructure companies fail at meeting basic standards of cyber hygiene, and we’re OK with that,” Whitehouse, a Rhode Island Democrat, said. “We don’t have to regulate everybody in the world. But if you’re critical infrastructure we should no longer tolerate this voluntary regime with big companies who know their infrastructure is critical and fail.”

Whitehouse has introduced legislation with Senator Lindsey Graham, a South Carolina Republican, that would create cybersecurity and breach reporting requirements for certain companies. Whitehouse called on the Biden administration to promptly work with lawmakers to prepare the legislation.

The Justice Department also wants Congress to pass legislation requiring certain companies to notify the federal government about ransomware attacks, Richard Downing, deputy assistant attorney general, testified. The requirement should be for breaches that affect critical supply chains and high-value trade secrets, Downing said.

The department is also seeking help from Congress to improve the ability to disrupt criminal activity and enhance the ability to prosecute those carrying out attacks, who often live in countries, such as Russia and China, that are off-limits to U.S. investigators, Downing said.

Downing said that Russia is at the top of the list of countries that protect criminals. The U.S. has found connections between criminals carrying out ransomware attacks against U.S. companies and Russian intelligence agencies, Downing said.

“I wouldn’t say that the government of Russia is behind these attacks. However, we do believe they aren’t doing what they could be doing to suppress these attacks,” Downing said.

Although there was bipartisan support for new legislation, the hearing also aired criticism along party lines. Senator Ted Cruz, a Texas Republican, said President Joe Biden has “responded to an extreme threat with extreme weakness” after attacks.

Downing, the Justice Department official, said that “most of the ransom paid by the Colonial Pipeline was recovered,” despite criticism of the administration’s performance.

© 2021 Bloomberg L.P.
