In late September, two subcommittees of the U.S. House of Representatives held a joint hearing on responding to ransomware attacks. The hearing—held by the Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the Subcommittee on Economic Growth, Energy Policy, and Regulatory Affairs—signals intense interest by policymakers in preventing the enormous disruptions that threat actors can inflict on both the public and private sectors. We report on three themes recurring throughout the hearing.
A first theme concerned the role of operating budgets in attack preparedness. One cybersecurity expert testified that organizations could struggle to afford the optimal tools for preventing and responding to attacks, including technical tools for encrypting data and updating software, risk management strategies, and employee education. Committee members and witnesses also discussed the tradeoff where “sometimes investing in a cybersecurity resource or tool means something else goes unfunded.” For example, hospitals might spend less on patient care to pay for system backups and training of physicians in cybersecurity measures. Local and state governments are also especially vulnerable to attacks, given stretched budgets, outdated platforms, and a nationwide shortage of cybersecurity professionals.
Second, despite the budgetary implications of cybersecurity preparedness, ransomware attacks continue to impose an enormous cost. The president of a state university’s medical system testified to spending $65 million in response to an attack, even though no ransom was paid and backups were successfully used. Witnesses spoke about costs they incurred in the forensic response, the restoration of systems, and business continuity, which enabled employees to continue their work while systems remain offline, which could be for weeks or months. They also referenced ongoing reputational harms. This testimony highlights that there is no inexpensive panacea for ransomware attacks, even when successfully repelled.
A final theme concerned the typical profile of an attack. Committee members grappled with whether attacks tend to be indiscriminate or targeted. One cybersecurity expert testified that a ransomware attack was usually a “crime of opportunity,” but another witness observed that educational institutions were the most common targets of specific malware. The committee members debated the motives of threat actors, with discussion over whether those actors were primarily financially driven or nation states seeking to damage critical infrastructure. Some members questioned whether artificial intelligence might make ransomware attacks worse or if they could be useful in defending against them. Witnesses also offered contrasting evidence about the support they received from the government while responding to an attack: one witness found consultations with law enforcement useful, but another’s experience was that “the cavalry does not come.”
The different perspectives offered might reflect the timing of the attacks referenced and the rapidly evolving practices of threat actors. The hearing’s witnesses reported attacks from 2020 and 2021. Likewise, subcommittee members most frequently referenced the Colonial Pipeline attack of May 2021, which led to the shutdown of the pipeline, fuel shortages, and an emergency declaration issued for seventeen states. But ransomware trends quickly develop. For example, one report from April 2023 observes that, with enterprises investing heavily in cybersecurity, threat actors facing lower odds of success have increasingly targeted high-value companies and made higher demands. This trend may not be apparent from data points gathered from 2021.
We will continue to monitor and report on regulators’ interest in ransomware and cybersecurity trends.
