In several high-profile ransomware attacks this year against corporations there was no single point of contact in the federal government for companies to alert, demonstrating the need for the federal government to clarify who should be contacted in such an event, says a new report by the House Committee on Oversight and Reform.
Of the three attacks reviewed, “two companies’ initial requests for assistance were forwarded around to different FBI offices and personnel before reaching the correct team,” says the report, which was prepared by the committee’s Democratic staff. “Companies also received different responses on which agencies could answer questions as to whether the attackers were sanctioned entities. These examples highlight the importance of clearly established federal points of contact.”
The report, prepared as a memorandum for the committee, investigated ransomware attacks against CNA Financial Corporation, Colonial Pipeline, and JBS Foods USA, each of which paid ransoms to the attackers in return for keys to unlock their networks.
In each instance, the companies reported the ransomware attacks to different federal agencies.
Colonial reported to seven or more agencies, and CNA was first referred to one FBI field office before another field office was made the primary contact, the report says. For JBS, the first field agent the company contacted was the wrong person, leading to several hours of delay before the appropriate contact was sorted out, it says.
“In one instance, a company was referred to the Treasury Department for questions regarding sanctions, while another company was provided a substantive answer on this topic by the FBI,” the Nov. 16 committee report says. “These logistical hurdles underscore the need for clearly established federal points of contact in response to ransomware attacks.”
The committee hosted a hearing on Tuesday with federal cyber security leaders to review strategies for countering ransomware. Rep. Jamie Raskin (D-Md.) highlighted that if victims report an attack to the FBI, they have a choice of 56 field offices, a separate FBI “tip portal,” and the bureau’s Internet Crime Complaint Center.
“For victims who do want to report a ransomware attack, the guidance on who to report to is not exactly clear or efficiently organized,” Raskin said. He also said these attacks could be reported to separate Department of Homeland Security agencies, either the Cybersecurity and Infrastructure Security Agency or the Secret Service, which also has field offices.
National Cyber Director Chris Inglis replied that if the federal government wasn’t taking a unified approach to ransomware incidents, then victims would find it “confusing” as to who to alert.
“Our job on the government side is to ensure if you told one of them you told all of them,” Inglis said.
Later in the hearing, in response to a similar question from Rep. Debbie Wasserman-Schultz (D-Fla.) about who in the federal government should be alerted to an attack, Inglis said he has worked to ensure that any federal entity that has oversight responsibility for one of the nation’s critical infrastructures notifies CISA about an incident.
He also has worked with CISA to ensure that once CISA has “synthesized” information about an incident, the agency distributes the analysis broadly throughout the government and the “beneficiaries.”
“That work is not complete,” Inglis said. “It is…very diverse and it grew up as a set of various and separate stovepipes. But that’s the work before us. That’s what we’ve been doing. I spend arguably half of my time on that issue alone.”
Any problems in sharing information within the government are not a matter of policy but come down to proper implementation, he said.
Brandon Wales, executive director of CISA, and Bryan Vorndran, assistant director of the FBI’s Cyber Division, both said their respective agencies work in partnership using central coordination to share information.