The government lacks comprehensive data on ransomware attacks and suffers from fragmented reporting, according to a new US Senate committee report.
The 51-page report from the Senate Homeland Security and Governmental Affairs Committee calls on the government to swiftly implement new mandates for federal agencies and critical infrastructure organizations to report ransomware attacks and payments to attackers.
The 10-month investigation, which focussed on the role of cryptocurrency in ransomware payments, found that reporting on attacks is “fragmented and incomplete”, in part because the FBI and Cybersecurity and Infrastructure Security Agency (CISA) both claim have the “one stop” website for reporting attacks — respectively, IC3.gov and StopRansomware.gov.
Since the investigation began, the US has introduced several new laws to improve ransomware incident reporting and data collection, including the Cyber Incident Reporting Act of 2021, which passed the Senate in March, 2022 under the Strengthening American Cybersecurity Act.
The new laws require critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.
CISA said in March it would immediately share incident reports with the FBI, but the investigation found shortcomings with this arrangement.
“While the agencies state that they share data with each other, in discussions with committee staff, ransomware incident response firms questioned the effectiveness of such communication channels’ impact on assisting victims of an attack,” the report states.
Beyond the dual reporting functions of the FBI and CISA, there are sector-specific reporting regimes under Treasury’s FinCEN, the Transport Security Administration, and the Security and Exchange Commission, as well as reporting through FBI field offices, and some state governments.
“These agencies do not capture, categorize, or publicly share information uniformly,” the report notes.
It notes that the FBI’s IC3 figures on ransomware are believe by experts to be a “subset of a subset” of data. The FBI admits its ransomware data in its annual IC3 report is “artificially low” as victims only voluntarily report incidents to the FBI. Meanwhile, FBI field offices that do collect ransomware victim reports lose contact with about 25% of victims during follow-up investigations.
FinCEN would like improved reporting of financial information related to ransomware attacks to give it better actionable data about the laundering of cryptocurrency ransoms, it notes.
The lack of comprehensive data impedes US responses through sanctions, law enforcement and international partnerships, as well as private sector contributions to ransomware recovery, the report said.
The report calls on federal agencies to immediately implement the requirements under the incident reporting acts to share all incident reports with CISA “to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes.”
The report also stresses that ransomware data collection is also critical for US national security, especially in the context of Russia’s invasion of Ukraine.
“As Russia’s invasion of Ukraine continues and Russia seeks to find ways around the international finance system, the need to address these shortfalls grows. Approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government,” the report notes.
“Further, CISA and other federal agencies have warned that Russia’s invasion of Ukraine could lead to additional malicious cyber activity, including ransomware attacks, in the United States. Therefore, as the report finds, prioritizing the collection of data on ransomware attacks and cryptocurrency payments is critical to addressing increased national security threats.”