OCTOBER 13TH, 2021
Lawmakers and national security experts said Tuesday that the U.S. needs to take bigger steps at the government level and in the private sector to guard against ransomware attacks.
“Not only in the private sector but in our government sector, whether it’s state and local governments, our adversaries are never sleeping,” said Rep. Yvette Clarke (D-N.Y.). “We’ve been able to avoid the worst possible outcomes — the things that keep us up at night. But at the end of the day, it’s extremely costly.”
Clarke described how legislation that she introduced — the State and Local Cybersecurity Act — has been included in Democrats’ wide-ranging social spending package. Her measure would provide $500 million in cybersecurity funding for state and local governments via Department of Homeland Security (DHS) grants.
As President Biden and Democratic leaders in Congress attempt to unite their party before the spending bill gets a floor vote, Clarke acknowledged that like so many other provisions in the package, funding for her bill could be reduced.
“Unfortunately, there’s some give and take with respect to the amount of funding that may be made available. We really believe we’ve got to start somewhere,” said Clarke, who chairs the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
Clarke also voiced support for mandatory cyber incident reporting, saying the Cybersecurity and Infrastructure Security Agency (CISA) needs to “build trust” with the private sector through reporting so that it has the “forensic ability to get a sense of what it is our adversaries are really up to.”
Former Rep. Mike Rogers (R-Mich.), who chaired the House Intelligence Committee from 2011 to 2015, expressed concern at Tuesday’s event that the United States isn’t doing enough to combat ransomware attacks from abroad.
“Our adversaries are starting to understand that you don’t have to attack the National Security Agency or the CIA or even the Pentagon,” Rogers said. “They want to prep the battlefield. If they ever want to engage the United States anywhere in the world, how do you do that? You cause us a lot of problems in cyberspace with private sector companies.”
Rogers, now a CNN national security commentator and board member at cybersecurity firm IronNet, said he doesn’t believe the private sector would be supportive of mandatory reporting for cybersecurity incidents.
Rogers said companies are “very concerned” about sharing information with DHS, but that they shouldn’t have to choose between protection and privacy.
“This notion that you either have to have privacy or security is wrong,” he said. “You can have both. I argue that you can’t have privacy until you have security.”
Former Homeland Security Secretary Janet Napolitano, who also spoke at Tuesday’s summit, said that there are “real demerits” to paying ransom, but that it is sometimes the simplest way for a company to recover its digital property as quickly as possible.
“It would be easy to say, ‘Never pay ransom,’” she said at the summit, sponsored by LookingGlass Cyber Solutions. “If you’re attacked and the amount of ransom is a million or 2 million dollars and in the meantime your systems are totally down … you’re gonna weigh it. It’s gonna be very situational.”
Napolitano, now the director of the University of California, Berkeley’s Center for Security in Politics, said the government needs to play a more active role in identifying the perpetrators of cyberattacks.
“Where I think the government needs to step in is on attribution,” she said. “Attribution on who is the party demanding ransom, whether they are a state-sponsored actor or a state actor or simply a state-supported actor. And then be prepared at the government level to make an appropriate response.”