On Wednesday, a senior lawmaker suggested that nations not doing enough to stop ransomware groups operating inside their borders should be treated the way the US treats countries that sponsor terrorist groups.
In opening comments at a Senate Judiciary subcommittee hearing Wednesday, Senator Lindsey Graham described ransomware attacks as a “terrible crime” affecting schools, hospitals, and the lives of thousands of others.
“[Ransomware] has a psychological, violent aspect to it,” Graham said. “It is just a matter of time before somebody gets physically hurt,” he said while expressing the government’s intention to give law enforcement the tools needed to combat the scourge.
“Maybe what we should think about when it comes to the nation state aspect of [ransomware] is to have a collaboration between the Department of Justice and maybe the State Department,” he said.
The goal should be to identify nations that are doing a good job in trying to deal with the problem and to help them in that effort while weeding out the ones that are not doing enough or are actively sponsoring such attacks.
“We have a state-sponsor of terrorism list that the State Department collects,” Graham noted. “If you are on that list, bad things come your way because you are a bad actor.”
Graham said it may be time to consider adopting a similar approach to countries that are either aiding and abetting ransomware operators or not doing enough to stop them: “If we don’t wake up some of the nation-states where these problems reside in large measure, you are never going to fix this problem.”
Richard Downing, deputy assistant attorney general at the US Department of Justice and one of the witnesses at the hearing, characterized the scope of the ransomware problem as "staggering." One of his recommendations is for Congress to enact legislation that closes loopholes in existing law and makes it easier for the FBI and law enforcement in general to pursue and prosecute those involved in ransomware schemes.
Current statutes such as the Computer Fraud and Abuse Act (CFAA) already make it a crime to build a botnet by breaking into computers, or to use a botnet to carry out ransomware attacks. But the law is less clear about people who rent out or sell a botnet without actually operating it themselves, he said.
Similarly, while federal law gives courts the authority to issue injunctions to disrupt a botnet, that authority is limited to botnets being actively used to commit specific categories of crime. Existing law says little about what actions law enforcement can take when a botnet is being used to send phishing emails or launch denial-of-service attacks, or when a botnet is known to exist but is currently inactive, Downing said.
“The revenue generated by ransomware is not insignificant,” said Adam Meyers, vice president of intelligence at security vendor CrowdStrike, who also spoke as a witness at the hearing.
The only way to slow down those behind such campaigns is to make it harder and costlier for them to operate, Meyers said. The goal should be to make the potential downside of running a ransomware campaign greater than any upside for the criminals. Only by turning the tables on the economics that fuel ransomware can the scourge be eliminated, he said.