Durbin, Grassley Open to Ransomware Payment Tracing Bill

Grassley said some finance and banking enforcers believe “there’s already enough authority” to thwart digital payments, but if it takes legislative action, he’s on board. Durbin during the hearing discussed how DOJ in June seized $2.3 million in cryptocurrency paid to the hackers of the May attack on Colonial (see 2105210019). He asked what further laws Congress can pass. It seems digital currency needs to be subject to some sort of “review or surveillance,” said Durbin.

Cryptocurrency is enabling these attacks, said Deputy Assistant Attorney General-Criminal Division Richard Downing. It’s difficult to claw back currency once it’s moved into criminal hands, but DOJ doesn’t have a proposal to enhance authority to track or interdict, he said: It’s under consideration.

Congress needs to “take this very seriously and pass some legislation to deal with it,” said Sen. Dianne Feinstein, D-Calif. Grassley asked Downing if DOJ has had interagency conversations about how to deal with criminal organizations leading ransomware attacks. Downing agreed criminal enterprises linked to nation-state actors are the problem and said officials are considering options.

The FBI is tracking more than 100 “variants,” or groups of actors, responsible for ransomware attacks, said Cyber Division Assistant Director Bryan Vorndran. That includes groups with duplicative actors, he said. The largest one had revenue exceeding $200 million, he added.

This shows criminal organizations are operating in the open and the U.S. “can’t do anything about it,” said Feinstein. Vorndran blamed countries like Russia for harboring cybercriminals. Finding ways to press those countries is important, said Downing, and Russia tops the list. The Russian government may not be behind the attacks, but it’s not doing enough to bring violators to justice, Downing added.

Bipartisan legislation reintroduced in June, meant to expand authorities for confiscating devices and prosecuting criminals targeting infrastructure, has the potential to pass unanimously, said Sen. Sheldon Whitehouse, D-R.I. He introduced the International Cybercrime Prevention Act with Sens. Lindsey Graham, R-S.C.; Richard Blumenthal, D-Conn.; and Thom Tillis, R-N.C. Whitehouse noted Downing’s testimony suggested a lot of language that mirrors their bill. Whitehouse asked why DOJ hasn’t endorsed the entire bill, and Downing said the department would be “happy to work with staff” about remaining questions. Graham said he wants to continue working with Whitehouse on advancing the bill. Graham asked if it would be helpful to create a list of countries known for harboring cybercriminals.

The FBI has a “good handle” on what countries are at fault, said Vorndran. More statutory authority for combating money laundering, structured payments and unlicensed money transmitters would strengthen investigations, Secret Service Investigations Office Assistant Director Jeremy Sheridan told the committee.

About 25% of ransomware intrusions are reported, said Department of Homeland Security's CISA Executive Assistant Director-Cybersecurity Eric Goldstein. That means it’s difficult to answer any questions about trends with “any level of authority,” he testified. Blumenthal said the U.S. needs to act on what it “does know,” and if the private sector is refusing to report, it’s failing its responsibility to protect national security. The more reporting from the private sector, the better government can manage risk, said Goldstein.

President Joe Biden should issue cyber-related sanctions against China similar to those issued against Russia, Republican senators wrote Tuesday. The U.S. must respond to recent attacks with “swift and decisive force to defend our national interests and impose costs for Russian and Chinese actions that seek to harm us,” wrote Sens. Marsha Blackburn, Tenn.; Roger Marshall, Kan.; Ted Cruz, Texas; and Tom Cotton, Ark.