U.S. Senate report calls out lack of ransomware reporting

The Senate Committee on Homeland Security published a report that points to a lack of ransomware reporting as a major issue in defending the U.S. from cyber attacks.

Limited and fragmented ransomware reporting has a negative impact on national security, according to a U.S. Senate report.

The report by the Committee on Homeland Security & Governmental Affairs this week noted how "fragmented and incomplete" reporting of ransomware attacks by victims has created a flawed picture of the threat landscape and has put federal agencies investigating attacks at a disadvantage. The report, titled "Use of Cryptocurrency in Ransomware Attacks, Available Data, and National Security Concerns," also discussed how ransom payments made in cryptocurrency makes it harder for the government to issue restrictions and sanctions.

"The lack of consolidated data regarding the universe of ransomware attacks and the role that cryptocurrency plays in facilitating illicit acts limit the tools available to guard against national security threats," the report said.

While the report mentions that progress had been made to implement federal regulations, and that there are different data breach reporting requirements across the country at the state level, there is still a major gap between what federal agencies are told and what is actually happening with ransomware.

The report includes feedback from executives at cybersecurity vendors like Coveware and LMG Security who said there is a lack of clarity about the responsibility of victims and how to report an attack, as well as a lack of requirements and incentives to report a ransomware attack. The executives also cited a low rate of victim responses when law enforcement attempts to recontact them for investigations.

"LMG Security emphasized that the process for victims who are seeking to 'do the right thing' is confusing and expensive, which works against U.S. national security interests," the report stated.

When discussing the reports published by individual federal agencies, the FBI's Internet Crime Complaint Center (IC3) data was addressed for its inability to capture the full picture. The Senate report found that in 2019 there was a difference of over 22,000 ransomware attacks between what IC3 gathered and what a private sector study found.

"Security and privacy experts have noted that IC3 ransomware data is a 'subset of a subset' of data," the report stated. "Some argue that the figures are 'incredibly low' and 'inconsistent' since victims will generally report an incident to their local field office. The FBI's figures on ransomware may also be low due to lack of awareness on the part of victims regarding when and how ransomware incidents should be reported."

The Senate report, however, did mention that the FBI and IC3 are getting better when it comes to data collection for ransomware reporting. "The FBI has since made improvements in its data collection process," the report said. "In June 2021, the IC3 began tracking reported ransomware incidents in the critical infrastructure sector, specifically. In another improvement over the 2020 annual report, the FBI also discusses the evolution of ransomware tactics and techniques and provides general recommendations for protecting computer systems against ransomware attacks."

Other agencies like the Securities and Exchange Commission (SEC) and the Federal Reserve are implementing new requirements to help boost the understanding and defenses against ransomware attacks. For example, the SEC proposed a new rule in March to strengthen disclosure requirements for public companies that suffer cyber attacks.

Cryptocurrency concerns

The report also examined how threat actors are receiving ransom payments from victims, with cryptocurrency exchanges being the most common way for threat actors to receive payments. Such exchanges are even being used by the Russian government to bypass recent sanctions regarding the invasion of Ukraine.

"The United Nations and the U.S. have recently observed nations using cryptocurrencies to evade sanctions," the report said. "According to public reports, 'hacking techniques like ransomware could help Russians [extort] digital currencies and make up revenue lost to sanctions.' In light of the ongoing invasion of Ukraine by Russia, a comprehensive understanding of illicit cryptocurrency use and ransomware is critical to ensure compliance with U.S. sanctions policy and mitigate damaging cybercrime."

The Senate committee recommended that federal agencies further investigate the use of cryptocurrency exchanges and their relation to ransom payments, as well as share the information with private researchers so that everyone can better understand the threat landscape.

The Biden administration has made national cybersecurity a major point of interest, enacting the Strengthening American Cybersecurity Act in March. The report stated that while the administration is putting in the effort to slow down and investigate ransomware, a lack of data is hampering the results.

"The lack of comprehensive ransomware incident and ransom payment reporting contributes to a lack of data on matters that are priorities in the Biden Administration's national security agenda," the report stated. "Further, this limited collective understanding of the ransomware landscape and the cryptocurrency payment system blunts the effectiveness of available tools to protect national security."

In terms of the future, the report concluded with methods to make the ransomware reporting process more effective and strengthen the fight against cyber attacks.

"The rules implementing the reporting process should be standardized and easily understood such that victims under the duress of an attack are not unduly burdened by the reporting process," the report said. "To ensure that the potential influx of ransomware attack-related data is used effectively, Congress should consider exploring whether federal agencies responsible for processing the data have sufficient resources to do so in a timely and effective manner and assess the level of resources that would be needed, if not."

Dig Deeper on Threat detection and response