Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security United States

Senate Report Finds Government is Unprepared To Stop Ransomware Attacks (fastcompany.com) 48

In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines. Yet, despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and how cryptocurrencies are being used to collect payment, according to a new report from the Senate Homeland Security and Governmental Affairs Committee. From a report: "Cryptocurrencies -- which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers -- have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security," said Michigan Senator Gary Peters, the committee's chair, in a statement. "My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them."

Part of the issue is in reporting: The federal government doesn't have a standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report the attacks directly to their local FBI field offices -- all of which can leave people unsure of where to turn and lead to different agencies having records of different incidents. Financial regulators, including the Treasury Department's Financial Crimes Enforcement Network, also gather some data on ransomware, particularly around payments, but it's also far from comprehensive. A new law passed by Congress in March, as part of a broad government funding bill, will soon require operators of "critical infrastructure" to report to CISA within 72 hours when they've been the victims of a "substantial cyber incident," and within 24 hours of paying a ransom, but the provision hasn't yet gone into effect, pending regulatory decisions by CISA.

This discussion has been archived. No new comments can be posted.

Senate Report Finds Government is Unprepared To Stop Ransomware Attacks

Comments Filter:
  • Government offices get hit with ransomware just as much as non-government offices, if not proportionally more.

    The funny part to me is the requirement to report a ransomware attack to the government...what are they going to do if a cyberattack goes unreported? Fine them?

    • Government offices get hit with ransomware just as much as non-government offices, if not proportionally more.

      The funny part to me is the requirement to report a ransomware attack to the government...what are they going to do if a cyberattack goes unreported? Fine them?

      Most likely, yes.

      I mean, let's cut to the chase here. Nobody in our government cares that this shit is happening. They care that money is exchanging hands (the crypto payments for ransomware) and the government isn't getting a cut of the funds. But, they know if they try to publicly claim tax no ransomware payments people will be pissed, so they'll develop "fines" surrounding them to be the tax instead.

      It's our government's answer to everything. I'm actually shocked they haven't found a way to tax or fine i

      • Reports like this are clear, but they're long and nuanced. This specific report is 52 pages, for example.

        We have laws that used to work, but don't work in the modern form of the crimes. In the old days it was an individual who generally had physical access to the money or office records, they could be tracked down locally, they could be prosecuted, convicted, and jailed locally.

        In the digital era there are plenty of laws about the digital trespass, laws about destruction/encryption of data to be unusable,

      • The tax on illegal drug sales is the court fees.
  • by nightflameauto ( 6607976 ) on Thursday May 26, 2022 @10:14AM (#62567830)

    Full stop. That should be the report. The whole report.

  • You cannot prevent ransomware attacks — period. You could severely reduce their numbers by making security job one. They existed before cryptocurrencies were used to cash them out, and they would still exist if we waved a wand and eliminated all cryptocurrencies now. They exist because they are possible, and while they are always going to be possible with some level of effort, they do not have to be this prevalent.

    The best way to reduce them right now though is to make paying the ransom illegal, and to make immediate reporting of ransomware mandatory for the largest targets. There's no good reason to mess around with small businesses who can't afford large ransoms anyway, at least not at this point. It should not have to be pointed out that ransomware exists because people will pay, and stopping the payments is the simplest way to stop the ransomware.

    • Comment removed based on user account deletion
      • Unfortunately, the laws you're suggesting creating are unenforceable

        What? Who told you that? We often find out about ransomware attacks and payoffs now, despite many corporations' best efforts to hide them. What causes you to imagine that we won't continue to hear about them in the future?

        The real problem is that the laws I'm suggesting creating are basically uncreatable, with the corporations in charge.

        It's not unlike making it illegal to be addicted to drugs and requiring all drug addicts to self-report.

        It's very, very different. Make reporting ransomware attacks to shareholders explicitly mandatory, and have the SEC up their ass if they don't report them. Give a bonus to w

        • Comment removed based on user account deletion
          • You seem to be narrowing the scope of your proposed law - now it will only apply to publicly traded corporations? To mangle a movie quote, that's like putting a band-aid on a bullet wound.

            It should of course also apply to the government. You clearly have to start with the big corporations, though. Starting with the little guy always goes badly and accomplishes little.

        • It's very, very different. Make reporting ransomware attacks to shareholders explicitly mandatory, and have the SEC up their ass if they don't report them. Give a bonus to whistleblowers. Tada! This will work fine against the large corporations making the large payouts, which are the largest part of the problem.

          100% sincerely - this sounds brilliant. While small businesses will still remain targets, mandating that publicly traded companies engage in ransomware reporting, including payment amount, known system impacts, and the wallet address to which the payment was made, will make it unprofitable to ignore security concerns.

    • by Ichijo ( 607641 )
      Also make it illegal to retaliate [slashdot.org] against someone who finds [slashdot.org] a vulnerability in your web site.
    • If you saw a carpenter driving screws with a hammer, and upon asking him, he explained, "It's easier to use than a screwdriver," you'd probably think quite a bit less of him. You might expect a toddler to make a mistake like that, but not a professional.

      And yet, in institutions large and small, this is the reason given for using Windows. Windows is fine OS for grandma, who just needs to occasionally check her email. It's fine for the kids, who just want to play games. But when security breaches cost

      • The technical aspect of the ransomware problem is easy - use Linux.

        https://duckduckgo.com/?q=linu... [duckduckgo.com]

      • hmm...

        most office drones need to use ms office and other windows only tools

        those who don't need software like that would typically be developers/etc. who aren't the type to run trojans (i.e., I believe this is the primary source of ransomware?)

        good luck forcing corporate america to not use ms office/etc. - it would be easier just to at least semi-lock down windows and use some corporate cloud backup software (e.g., egnyte, etc.)

        That said, as an office drone myself, if they made me lock down my laptop, my pr

    • another person with no experience in network or even coding.
      NO, that will NOT even slow it down.

      However, it is TRIVIAL to kill off 66-90% of these. How? Simply have ppl use digital certificates on email/text/IMs, social media, etc. And have them ISSUED (not necessarily hosted) by federal governments. THIS would kill off a large amount of attacks, since most of these involve phishing, email/text virus, etc.
      • another person with no experience in network or even coding.

        lol

        NO, that will NOT even slow it down.

        lol again

        However, it is TRIVIAL to kill off 66-90% of these. How? Simply have ppl use digital certificates on email/text/IMs, social media, etc.

        oh shit belly laugh there

        You think it's trivial to get people to use digital signatures? You absolute fucking noob.

        And have them ISSUED (not necessarily hosted) by federal governments.

        Yeah! Don't let anyone email unless they get a cert from the feds! What a wonderful idea, why didn't I think of it? Oh yeah, because I didn't get a brain disease from licking boots, you total fucking numpty.

        • You think it's trivial to get people to use digital signatures? You absolute fucking noob.

          And have them ISSUED (not necessarily hosted) by federal governments.

          Yeah! Don't let anyone email unless they get a cert from the feds! What a wonderful idea, why didn't I think of it? Oh yeah, because I didn't get a brain disease from licking boots, you total fucking numpty.

          Gads, you have always loved proving that you are a TOTAL IDIOT.
          First off, it IS trivial to USE DIGITAL CERTIFICATES. Digital SIGNATURES are something very different, and the fact that you do not understand the difference says that you do not have anywhere NEAR enough experience on the net for security talk.
          Secondly, the hard part with Digital CERTIFICATES is obtaining them, esp. in the US. It costs $75/year for one that handles a number of issues and required me to send in a photo of my ID (front AND bac

    • by pacinpm ( 631330 )

      Isn't having backups like the best response to those kinds of attack?

  • by cellocgw ( 617879 ) <cellocgw@gmail . c om> on Thursday May 26, 2022 @10:37AM (#62567910) Journal

    Just look at our citizen preparedness!

    the only thing that stops a bad guy with a ransomware tool is a good guy with 4 or 5 semiautomatic guns.

    problem solved

  • Educate people to not do preventable shit that causes ransomware to get into a system.

    Make doing preventable shit that causes such an incursion an immediate fireable offense.

    People will eventually get the idea... don't open random emails, don't plug in unknown usb drives into machines on a network, don't visit shit websites, etc....

    • Comment removed based on user account deletion
  • ... I'm pretty sure the sources can be hunted down and tracked accordingly.

  • by Anonymous Coward
    Today the Chinese Communist Party announced that the Small Dong has been upgraded to squirt ransomware all over U.S. government systems, after reports surfaced from the United States Senate that the government was ill-prepared to handle such levels of penetration. The variant, called Medusa, will reportedly penetrate foreign systems through any holes it finds, including back doors, and deeply probe for vulnerabilites before stealing the data and then injecting thick streams of data encryption directly into
  • "Finds a use for" implies inversion of requirements, like priority number one was the use of that piece of tech. The final product will likely be a pile of shit.
  • "Hey Hackers! Aim here!"
  • What the heck would Homeland security know about ransomware. These ransomware attacks, facilitated by the built-in encryption and built-in defects in the Operating System. Illustrating the dangers of running your computing infrastructure on a monoculture.
  • like mass shootings. How would they ever stop cyberattacks.
  • Not all solutions need to be increased IT security, but yes you should do that too.

    1. Force disclosures of such attacks to at least some government agency, depending on the scope or severity, disclose to the public.
    2. If the company pays the ransom, fine them 10x the ransom. The fine must be paid in full within one year of the ransom payment, unless it's a financial hardship, then pay in installments.
    3. Sanction banks that facilitate these transactions.
    4. Some crypto-currency is tough to trace, I get it, b

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...