Companies and organizations that are victims of ransomware attacks shouldn’t pay hackers to unlock their data and should quickly contact law enforcement, which opens up the possibility of creative solutions, FBI Director Christopher Wray said.
“It is our policy, it is our guidance from the FBI, that companies should not pay the ransom,” Wray told the House Judiciary Committee at a hearing Thursday.
U.S. companies and government agencies are reeling from recent ransomware attacks that have disrupted critical services, from a major oil pipeline to a beef producer and hospitals. The attacks have ignited a national debate over whether victims should pay ransom, which can reach millions of dollars.
Meat producer JBS USA said it paid $11 million to the criminals responsible for a May 30 ransomware attack that disrupted its operations across North America and Australia. Colonial Pipeline Co. paid $4.4 million, or 75 Bitcoin, in ransom after a hack that forced it to shut the largest fuel pipeline in the U.S. on May 7, driving up gasoline prices and sparking shortages at filling stations.
“The Biden administration basically gave a wink and a nod to paying off the thugs,” Representative Steve Chabot, an Ohio Republican, said during the hearing with Wray. “Don’t we need to clarify the policy relative to paying off criminals?”
At a separate hearing Thursday in the Senate, two nominees for top cybersecurity jobs in the Biden administration said they, too, believed companies shouldn’t pay hackers’ extortion demands.
“It is not appropriate to pay ransom,” said Chris Inglis, whom President Joe Biden nominated to serve as National Cyber Director. “Unfortunately we get into a place where that is the only thing that is the remedy — feasible to save lives or to bring back critical capabilities.”
He advocated holding companies accountable “not so much for paying the ransom, but for being at a position where they had to pay the ransom in the first place — for the failure to prepare for that.”
Voluntary Guidelines Not Working
Jen Easterly, nominated to lead the Cybersecurity and Infrastructure Security Agency, said she believes her role would be to prevent companies from being victimized by ransomware in the first place, by providing the private sector with information and “best practices [to] protect themselves.” However, both she and Inglis agreed that simply asking companies to follow voluntary cybersecurity standards hasn’t been effective. “It seems to me that voluntary standards are probably not getting the job done and that there probably is some sort of role for making some of these standards mandatory to include notification,” Easterly said.
The White House’s National Security Council issued a statement Wednesday saying “the administration has been very clear: Private companies should not pay ransom. It encourages and enriches these malicious actors, continues the cycle of these attacks, and there is no guarantee companies get their data back.”
But last month Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, told reporters that “typically that is a private sector decision, and the administration has not offered further advice at this time.”
Wray said companies under attack should contact the Federal Bureau of Investigation as soon as possible so that law enforcement can help take action in response, potentially obtaining the decryption keys held by the hackers.
Referring to ransomware and other cyberattacks, Wray said, “The scale of this is something I don’t think the country has ever seen anything quite like it, and it’s going to get much worse.”
The Justice Department recouped 63.7 of the 75 Bitcoin that Colonial paid to the hackers. Because Bitcoin’s price fell after the ransom was paid, the seized coins were worth about $2.3 million at the time of the seizure in late May, just over half the dollar value of the ransom paid weeks earlier.
Dividing along partisan lines, lawmakers pursued other controversies in questioning the FBI chief.
Democrats cited apparent intelligence failures leading up to the Jan. 6 attack on the U.S. Capitol by a mob of supporters of former President Donald Trump.
Representative Steve Cohen, a Tennessee Democrat, asked Wray whether the FBI is investigating provocation of the crowd by Trump, whom Cohen called “Mr. Big — No. 1.” Wray declined to comment on specific investigations.
Republicans questioned Wray on whether what they called Biden’s “open border” with Mexico is leading to a surge of criminals and potential terrorists coming across the southern border. Wray said he would have to get back to the lawmakers with specific information.
–With assistance from Rebecca Kern and Jennifer Jacobs.