Joint Hearing Wrap Up: Increased System Securities, Innovative Measures, and Proactive Controls Needed to Combat Growing Ransomware Attacks
WASHINGTON—The Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs held a joint hearing titled “Combating Ransomware Attacks.” Members asked witnesses about the increasing sophistication of ransomware attacks and the growing trend of attacks on industries and institutions across the United States. Members also spoke with victims of ransomware attacks about the economic and human costs of navigating such an incident, as well as the lessons they learned and shared, so that others might be better prepared to survive attacks by hackers attempting to access their sensitive systems.
Key Takeaways:
Ransomware attacks on U.S. infrastructure, education centers, and healthcare systems are increasing, leaving victims of these attacks with high costs and few options to combat criminal hackers and restore services.
- Grant Schneider—Senior Director of Cybersecurity Services at Venable LLC—spoke on the choices confronted by victims of ransomware attacks: “In our policy discussions, we cannot lose sight of the fact that ransomware can have devastating operational, economic, and reputational impacts on victim organizations. Victims of ransomware are often left with an unsavory set of options. In many cases the victim organization must choose between restoring services quickly by paying the ransom or working to reconstitute their systems and restore operations on their own. Reconstituting an organization’s systems is a costly and time-consuming process during which service delivery may be impaired and result in the loss of significant revenue. Often, paying a ransom can be the most time- and cost-efficient approach to getting systems running and restoring data.”
Increased security, deterrents, and integration of cutting-edge security measures are needed to thwart perpetrators of ransomware attacks and protect our critical infrastructure.
- Dr. Stephen Leffler—President and Chief Operating Officer of the University of Vermont Medical Center—discussed how even with strict security in place, his medical center was still the victim of a ransomware attack: “We had strong security processes in place and had deployed a variety of tools to block malware attacks, yet we were still the victim of a cyberattack. This really is an arms race. As we have all seen in the news over the past few years, the cyber criminals and actors are getting increasingly sophisticated, and so this important work to protect our systems will never be fully finished. We all are going to have to stay vigilant and continually update our tools and approaches to stay ahead of cyberattacks.”
- Dr. Lacey Gosch—Assistant Superintendent of Technology at Judson Independent School District—emphasized that it is not a matter of if, but when, hackers will attempt to breach system defenses, and that organizations must be ready for that reality: “The topic of ransomware is rarely shared among organizations and is viewed as a scarlet letter or badge of dishonor to technology and security teams. The topic is considered to be one that should only be discussed in closed rooms and behind locked doors. However, I am here to testify that this issue must be discussed openly and provide support to adequately protect, prevent, and mitigate cybersecurity breaches. The mentality that any organization is too small or insignificant to be affected by a cybersecurity breach is living under a false sense of security. The truth is that cybersecurity events in organizations need to be viewed not as improbable but as absolute. The question is not if it will happen but when it will happen.”
Member Highlights:
Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Rep. Nancy Mace (R-S.C.) discussed how victim organizations face large costs as a result of ransomware attacks.
Rep. Mace: “It’s not just the ransom fee if it was paid that would be the cost of this, there’s a much larger cost to an organization, a school or a hospital, what do you estimate as cost when this attack happened?”
Dr. Gosch: “I would say from our experience it was very similar to what was shared from the hospital side, we had to replace almost everything. Upwards of potentially 3, 4, 5 million dollars.”
Rep. Mace: “Dr. Leffler”
Dr. Leffler: “For UVM Medical Center it was $65 million dollars in costs.”
Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs Chairman Rep. Pat Fallon (R-Texas) asked the victims of ransomware attacks what their biggest takeaways from the experience were, and what the overall cost to industry is when an attack takes place.
Rep. Fallon: “What were your best and greatest take-aways from the experience? As far as preventing it from happening again?”
Dr. Gosch: “Our best and greatest take-away is that it isn’t a matter of if you’re going to be hit by some attack, it’s going to be your ability to mitigate and to defend and to recover quickly. In our situation, one of the things that stuck out for us was the need to continually maintain and upgrade and make sure that the systems on the backend are prepared.”
Rep. Fallon: “Can you explain how cyber-attacks on critical infrastructure, like the one we had with the Colonial Pipeline in 2021, can affect industries and communities beyond the victimized organization?”
Mr. Schneider: “Certainly Colonial Pipeline is a great example. The pipeline was shut down; by all reporting it was not actually a victim of the ransomware attack, they had to shut it down out of an abundance of caution, and then the ripple effect on the entire east coast: if you were trying to get any fuel, you could not. There were long lines at gas stations, and that just has a trickle effect on the economy at large.”
Rep. Tim Burchett (R-Tenn.) discussed what can be done to be better prepared to thwart and protect against ransomware attacks moving forward.
Rep. Burchett: “What can we do to fix this?”
Mr. Schneider: “We have to approach both from a defensive standpoint and what defensive measures cybersecurity controls can an organization put in place in order to protect their systems, to have good backups of their systems, then encrypt their own data so that they can’t be encrypted by someone else and taken from them. And as we were just discussing, we need to be able to disrupt and deter actors in cyber space and we really need to find a way to shift the value proposition for ransomware actors. They are able to do this with almost impunity.”
Rep. Chuck Edwards (R-N.C.) broke down where these bad actors are launching ransomware attacks from and whether they are receiving support from hostile foreign nations.
Rep. Edwards: “Is there any evidence that you are aware of that these bad actors are supported by a government entity of which we should be aware in our interaction with other governments? It seems like if they are government sponsored, we should hold them accountable or refuse to have different levels of cooperation.”
Mr. Schneider: “I think there is certainly evidence of some countries supporting ransomware actors. North Korea is a very good example where they have, as a nation state, where they will use ransomware to get around sanctions.”
Rep. Russell Fry (R-S.C.) explored the vulnerabilities posed by increased telework and its effect on the likelihood of ransomware attacks.
Rep. Fry: “Has the approach of cyber criminals changed at all in this era of work from home or during the pandemic, how has the landscape shifted?”
Mr. Schneider: “I think the landscape has shifted in the way that our threats surface, and it is connected. As we discussed earlier, as we continue to inter-connect more and more systems, more and more data, and every time we interconnect more systems, we introduce potentially new vulnerabilities which gives the bad actors more places to attack from.”