A lot of the ransomware rhetoric emanating from Washington is now, not surprisingly, turning into legislative mandates. The Transportation Security Administration (TSA) within the Department of Homeland Security (DHS) has issued another security directive for operators of pipelines that requires them to implement urgently needed protections against cyberattacks such as ransomware, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
The U.S. House of Representatives, meanwhile, passed five cybersecurity bills on July 20. The five-bill package will increase requirements for private companies to report cybersecurity incidents in addition to providing funding for states and local governments to increase cybersecurity measures.
In the U.S. Senate, Sen. Mark Warner (D-Va.) introduced a bipartisan bill that would require the Cybersecurity and Infrastructure Security Agency (CISA) to identify and mitigate threats to the operational technology (OT) systems that manage critical infrastructure. Co-sponsored by Sens. Marco Rubio (R-Fla.), Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the bill is the Senate companion to one of the cybersecurity bills passed in the House.
However, the most controversial move is a Rewards for Justice program offering up to $10 million being funded by the U.S. Department of Justice for information relating to those who create and perpetuate ransomware attacks against U.S. infrastructure. Administered by the Diplomatic Security Service (DSS) within the U.S. State Department, the program promises to reward anyone who has information leading to the identification or location of individuals who, while acting at the direction or under the control of a foreign government, participate in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).
In effect, the State Department is relying on a tried-and-true technique for breaking up organized crime rings by creating a bounty that rewards people who inform on cybercriminals. One of the unfortunate consequences of such programs historically is that criminals will resort to intimidation and violence to silence informers. Such actions will create a dilemma for law enforcement agencies that have thus far largely ignored cyberattacks launched from within their territorial boundaries against foreign entities on the grounds they lack jurisdiction. If some of their citizens, however, are physically harmed or killed by those very same cybercriminals, the entire jurisprudence picture changes.
What exactly the State Department will do with the information it collects is unclear. The U.S. government has signaled its intention to take more aggressive unspecified actions against cybercriminals, including thus far retrieving ransomware payments by hacking into digital wallets. It’s clear at the very least the U.S. government plans to make it more difficult for cybercriminals to enjoy their ill-gotten gains.
Many cybersecurity professionals would argue such efforts are long overdue. The wheels of justice, of course, are notorious for turning slowly. The truth is many of the perpetrators of cyberattacks will never be prosecuted. However, any effort to discourage such attacks is worth the time and effort, if for no other reason than to remind the individuals who profit from these crimes that they will spend the rest of their days looking over their proverbial shoulders wondering who might, one way or another, be finally coming for them.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.