Improving National Defense Against Ransomware
Written by Rep. Rick Crawford
Published by Arkansas Business
Ransomware computer crimes have been around for a number of years, but recent attacks have put them squarely in the headlines. America is under attack, and these recent high-profile hits have amplified the urgency and resolve needed from both government and the private sector if we are to respond effectively.
It’s an infuriating crime: cybercriminals infiltrate a vulnerable computer system, then copy and also encrypt the data, rendering the victim’s affected computer system inoperable. The criminals offer to undo the damage if a ransom is paid. The victimized company often pays the ransom, hoping the hackers keep their promises. (There will be congressional hearings this summer examining the controversy around paying ransoms to computer blackmailers.)
Whether the victim is a business, school district, hospital, or county government — all of whom have been recent targets — the disruption of a ransomware attack can be crippling to that entity and to those it serves. But in recent weeks, ransomware attacks have hit companies that are part of our nation’s critical infrastructure — energy in the Colonial Pipeline attack, and agriculture in the JBS Foods attack. These have outsized impact on our country, as we saw with gas shortages along the East Coast, disruption to our food supply chain, and, of course, higher prices for the affected products.
Folks probably get tired of hearing me say it, but food security is national security, and our food supply is critical infrastructure.
From my positions on the House Agriculture Committee and the House Permanent Select Committee on Intelligence, I have seen shortcomings in assessment and communication of threats to our food supply among the intelligence community (IC), the U.S. Department of Agriculture (USDA), and the agriculture industry. The USDA has not been equipped with the tools it needs to secure our food supply chain from threats, including cyberthreats.
To address this, I introduced last year (along with Sen. Tom Cotton, R-Arkansas, in the Senate) the Agriculture Intelligence Measures Act (AIM Act), which would set up clear lines of communication, along with a new position at USDA to coordinate the dissemination of threats and best practices in securing our critical food and fiber supply chains. The trick is to leverage the cyber-expertise of the IC, while allowing the subject matter experts at USDA to manage the particular threats to our agricultural infrastructure that USDA best understands.
Like any large organization, the federal bureaucracy is subject to turf battles among its various agencies and sectors, particularly since cyber-defense is a relatively new phenomenon in a government organized before computers existed. While Congress can write laws delineating chains of command, it requires strong executive leadership direct from the White House to ensure that response effectiveness is not undermined by agencies muscling for power and position within the federal bureaucracy.
The government must improve oversight of critical industries’ defenses against and resilience after a cyberattack. Businesses will have to employ best defensive cyber-practices across the board, and not let cost-cutting measures, or complacency, compromise the security of their computer systems and data.
We must also create more efficient structures for collaboration between government and the private sector. This includes facilitating collaboration among companies — including competitors — to share threat assessments and defensive measures. Collaboration requires guardrails to protect business and investigative secrets, as well as citizen privacy; but it makes no sense for each entity to be siloed when the threats affect all of us.
As we look to implement measures comparable to the AIM Act to protect other critical infrastructure, we must recognize that defensive measures alone are not enough. Our nation must also go on offense against cybercriminals. Here, the collaboration we need is among nations, rooting out these criminal entities that are dispersed around the world.
It also means confronting our adversaries who tolerate, or actively assist, cybercriminals within their borders. This means diplomacy — including the upcoming summit between President Joe Biden and Russian leader Vladimir Putin — plus State Department and FBI engagement with nations around the globe.
And when those efforts prove insufficient, our Pentagon and IC must be empowered under the president’s command to inflict proportional damage on those nations who harbor or actively assist the cyberterrorists targeting America. Just as Iran has seen a series of computer “mishaps” over the years slowing its pursuit of nuclear weapons, it is time for our cyber-adversaries to face the kinds of disruption we have been facing.
Whether it be economic sanctions or counterattacks, our adversaries must see increased costs associated with their hostile acts against us.
Even amidst our stark political differences, cybersecurity can and should be an opportunity to work together in true bipartisan fashion to develop strong and effective measures to confront these attacks.
And it will require ongoing vigilance by all of us who work with computers. It can seem a daunting task, which is why my office is putting together a briefing to help Arkansas businesses get a handle on the cyberthreats they face and learn how to develop and implement a plan to enhance their security. We’re looking to have public and private sector experts join us for this free educational program later this year. Stay tuned.