Ransomware hearing in Congress homes in on cybersecurity spending and state actors

Quick Take

  • A House of Representatives subcommittee held a hearing focused on ransomware on Tuesday.
  • The topic of cryptocurrency was often invoked during the subcommittee hearing, but there was little talk of a crackdown on the technology.

A House of Representatives subcommittee held a hearing focused on ransomware on Tuesday, homing in on a policy issue that has been growing in recent months.

Contrary to recurring fears among some industry observers, talk of a clampdown on cryptocurrency activities was fairly muted before the Oversight and Investigations subcommittee of the House Energy and Commerce Committee.

Indeed, multiple witnesses noted the importance of good actors in the crypto space. Kemba Walden, a lawyer for Microsoft who testified, noted the role that bitcoin and its pseudonymity played in many ransomware attacks.

“This technology does not cause criminals to commit these crimes,” continued Walden. “Compliant stakeholders within the crypto industry are just as eager as victims to eliminate the threat of ransomware.”

While Philip Reiner, CEO of the Institute for Security and Technology, told the subcommittee that “the cryptocurrency sector must be better understood and more closely regulated,” he also noted that the findings of a ransomware task force on which he served were “not necessarily that cryptocurrency is a problem.”

The necessary expansion of regulation, according to Reiner, was likely “expanding application of KYC and AML rules that are already available.”

“Cyber hygiene”

But just because crypto itself didn’t seem to be in the crosshairs doesn’t mean that the subcommittee wasn’t on a mission.

For starters, there was a lot of talk of so-called “cyber hygiene.”

Broadly, witnesses defined the term as some combination of the basics: multifactor authentication, employee training on identifying phishing attempts and segmenting of networks. From a policy standpoint, this included the need to expand cybersecurity spending within the private sector — a proposal that emerged with seeming bipartisan favor was a requirement for firms receiving government grant funding to spend a certain percentage of their budgets on cybersecurity.

These concerns were especially concentrated on health care and energy. “I’m here to tell you that healthcare is not prepared to prevent or respond to cyberattacks,” said Christian Dameff, a professor in medical cybersecurity.

In addition to highly public attacks like the one against Colonial Pipeline, hospitals routinely find their systems bound up by ransomware.

Beyond internal considerations, cybersecurity has become a major area of international concern.

The White House began this week by spotlighting China as a malicious actor in cyberspace. The administration and many throughout Congress have spent the past several months associating the Putin regime in Russia with many of the world’s biggest ransomware gangs.

“While the Russian president Putin may not be directly connected to these attacks, he refuses to crack down on them,” said Cathy Rodgers, ranking member of the full committee. “We know the Chinese government engages in malicious cyber behavior too.”

© 2023 The Block. All Rights Reserved.