Officials talk of next steps in response to cyberattacks

Energy Secretary Jennifer Granholm attends the inaugural meeting of the Task Force on Worker Organizing and Empowerment, in Harris' ceremonial office, Thursday, May 13, 2021, on the White House complex in Washington. (AP Photo/Jacquelyn Martin)

WASHINGTON -- Energy Secretary Jennifer Granholm on Sunday called for more public-private cooperation on cyberdefenses, saying U.S. adversaries already are capable of using cyberintrusions to shut down the nation's power grid.

"I think that there are very malign actors who are trying," she said. "Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector generally."

Granholm noted, without mentioning the company by name, that Colonial Pipeline Co. was hit in May with a crippling cyberattack by a ransomware group. Colonial temporarily shut down its gasoline distribution networks in the South before paying $4.4 million to the hackers.

Granholm urged energy companies to resist paying ransom.

"The bottom line is, people, whether you're private sector, public sector, whatever, you shouldn't be paying ransomware attacks because it only encourages the bad guys," she said.

Granholm spoke in favor of passing legislation that would ban paying such ransom, though she said, "I don't know whether Congress or the president is at that point."

Asked whether American adversaries have the capability of shutting down the U.S. power grid, she said: "Yes, they do."

Granholm spoke on CNN's "State of the Union" and NBC's "Meet the Press."

Appearing on "Face the Nation" on CBS, former Secretary of State Condoleezza Rice said the United States and other nations should talk to countries such as Russia, which is believed to be the origin of some ransomware attacks, about law enforcement and intelligence cooperation "to shut it down."

Rice said this would "test the reality of how much the Russian government is or is not involved" in these attacks.

REPORTING ATTACKS

A top Democratic senator agreed that more transparency is needed into what kind of cash payments are made after ransomware attacks.

Mark Warner, chairman of the Senate Intelligence Committee, spoke days after JBS USA, the second-largest producer of beef, pork and chicken in the United States, had to shut down facilities that account for almost a quarter of American beef supplies after a cyberincident.

"Not only are the companies often not reporting that they are attacked, but they're not reporting the ransomware payments," Warner said on "Meet the Press."

It's "worth having" a debate over whether to make paying ransoms illegal for U.S. companies, said Warner, who's also founder and co-chairman of the Senate Cybersecurity Caucus.

The JBS and Colonial incidents have been tied to Russian-based hackers, and the issue will be on the agenda when President Joe Biden meets with Russian President Vladimir Putin on June 16.

Sen. Angus King of Maine, an independent who caucuses with the Democrats and is also on the intelligence panel, said private companies should be subject to mandatory reporting of breaches but also should receive liability protection, creating "an entirely new relationship between the federal government and private sector."

"There has to be trust. And there has to be real-time" reporting, King said on "State of the Union." "I mean, the Colonial Pipeline, my understanding is, it wasn't reported to the government for four or five days. I think they'd already paid the ransom."

Commerce Secretary Gina Raimondo stopped short of proposing that the U.S. government require businesses to secure their technology in specific ways.

Instead, the Biden administration would urge companies to adopt higher standards and remain "vigilant" on cybersecurity, Raimondo said on ABC's "This Week."

FBI Director Christopher Wray has compared ransomware attacks -- when the victim is targeted by a type of malware and a ransom is demanded -- to the challenges posed by the September 11, 2001, attacks on the U.S. The FBI is investigating about 100 types of ransomware, he said last week.

CALLS FOR ACTION

The escalating havoc caused by ransomware gangs raises the question of why the United States, believed to have the world's greatest cybercapabilities, has struggled to protect its citizens from criminals operating with near impunity out of Russia and allied countries.

The answer is that there are numerous technological, legal and diplomatic hurdles in going after ransomware gangs. Until recently, it hasn't been a high priority for the U.S. government.

That has changed as the problem has grown beyond an economic nuisance. In addition to Biden confronting Putin about Moscow's harboring of ransomware criminals, the U.S. administration has also promised to boost defenses against attacks, improve efforts to prosecute those responsible and build diplomatic alliances to pressure countries that harbor ransomware gangs.

Calls are growing for the administration to direct U.S. intelligence agencies and the military to attack ransomware gangs' technical infrastructure used for hacking, posting sensitive victim data on the dark web and storing digital currency payouts.

Fighting ransomware requires the nonlethal equivalent of the "global war on terrorism," said John Riggi, a former FBI agent and senior adviser for cybersecurity and risk for the American Hospital Association. Its members have been hard-hit by ransomware gangs during the coronavirus pandemic.

"It should include a combination of diplomatic, financial, law enforcement, intelligence operations, of course, and military operations," Riggi said.

A public-private task force including Microsoft and Amazon made similar suggestions in an 81-page report that called for intelligence agencies and the Pentagon's U.S. Cyber Command to work with other agencies to "prioritize ransomware disruption operations."

"Take their infrastructure away, go after their wallets, their ability to cash out," said Philip Reiner, a lead author of the report. He worked at the National Security Council during Barack Obama's presidency and is now CEO of The Institute for Security and Technology.

But the difficulties of taking down ransomware gangs and other cybercriminals have long been clear. The FBI's list of most-wanted cyberfugitives has grown at a rapid clip and now has more than 100 entries, many of whom are not exactly hiding.

Evgeniy Bogachev, indicted nearly a decade ago over what prosecutors say was a wave of cyber bank thefts, lives in a Russian resort town and "is known to enjoy boating" on the Black Sea, according to the FBI's wanted listing.

Ransomware gangs can move around, do not need much infrastructure to operate and can shield their identities. They also operate in a decentralized network. For instance, DarkSide, the group responsible for the Colonial Pipeline attack, rents out its ransomware software to partners to carry out attacks.

Katie Nickels, director of intelligence at the cybersecurity firm Red Canary, said identifying and disrupting ransomware criminals takes time and serious effort.

"A lot of people misunderstand that the government can't just willy-nilly go out and press a button and say, well, nuke that computer," she said. "Trying to attribute to a person in cyberspace is not an easy task, even for intelligence communities."

DEBATE IN U.S.

Reiner said those limits do not mean the United States cannot make progress against defeating ransomware, comparing it with America's ability to degrade the terrorist group al-Qaida while not capturing its leader, Ayman al-Zawahiri, who took over after U.S. troops killed Osama bin Laden.

"We can fairly easily make the argument that al-Qaida no longer poses a threat to the homeland," Reiner said. "So short of getting al-Zawahiri, you destroy his ability to actually operate. That's what you can do to these [ransomware] guys."

The White House has been vague about whether it plans to use offensive cybermeasures against ransomware gangs. Press secretary Jen Psaki said Wednesday that "we're not going to take options off the table," but she did not elaborate.

Gen. Paul Nakasone, who leads Cyber Command and the National Security Agency, said at a recent symposium that he believes the U.S. will be "bringing the weight of our nation," including the Defense Department, "to take down this [ransomware] infrastructure outside the United States."

King said the debate in Congress over how aggressive the U.S. needs to be against ransomware gangs, as well as state adversaries, will be "front and center of the next month or two."

"To be honest, it's complicated because you're talking about using government agencies, government capabilities to go after private citizens in another country," he said.

The U.S. is widely believed to have the best offensive cybercapabilities in the world, though details about such highly classified activities are scant.

Documents leaked by former National Security Agency contractor Edward Snowden show the U.S. conducted 231 offensive cyberoperations in 2011. More than a decade ago, a virus called Stuxnet attacked control units for centrifuges in an underground site in Iran, causing the sensitive devices to spin out of control and destroy themselves. The cyberattack was attributed to America and Israel.

U.S. policy called "persistent engagement" already authorizes cyberwarriors to engage hostile hackers in cyberspace and disrupt their operations with code. U.S. Cyber Command has launched offensive operations related to election security, including against Russian disinformation officials during U.S. midterm elections in 2018.

After the Colonial Pipeline attack, Biden promised that his administration was committed to bringing foreign cybercriminals to justice. Yet even as he was speaking from the White House, a different Russian-linked ransomware gang was leaking thousands of highly sensitive internal files -- including personal background checks -- belonging to the Police Department in the nation's capital. Experts believe it's the worst ransomware attack seen against a U.S.-based law enforcement agency.

"We are not afraid of anyone," the hackers wrote in a follow-up post.

Information for this article was contributed by Alan Suderman and staff members of The Associated Press; and by Ros Krasny, John Gittelsohn, Yueqi Yang and Tony Czuczka of Bloomberg News (TNS).
