With the task force’s oversight, federal agencies are taking actions such as promoting digital resilience among critical infrastructure companies, working to halt ransom payments made through cryptocurrency platforms and coordinating activities with U.S. allies, according to a Senate aide who requested anonymity to speak candidly.
The interagency group is giving the White House frequent updates on agencies’ efforts, the senior administration official said, adding that the body is “tracking, on a weekly basis,” efforts to “implement the national counter-ransomware campaign.” The official, who briefed reporters late Wednesday, spoke anonymously per White House policy.
Among other steps, the State Department will offer rewards — totaling up to $10 million — for information leading to the identification of alleged cyber criminals, especially the hackers behind state-sanctioned breaches of critical infrastructure, the administration official said.
The administration is also exploring the possibility of new partnerships with cyber insurance providers and critical infrastructure companies so that businesses and the government can share information about ransomware attacks more quickly. “We hope to have more for you on this effort in the coming weeks,” the official told reporters.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, also previewed the administration’s plan during a 35-minute briefing for senators on Wednesday afternoon.
The announcement of the task force comes as lawmakers and experts are pressuring President Joe Biden to respond more forcefully to Russian President Vladimir Putin’s inaction against ransomware operators, who in recent months have paralyzed much of the East Coast’s gasoline supply, crippled a major meat processing company and breached the IT software vendor Kaseya and hundreds of companies connected to it.
“We’ve got to send a very strong, even disproportionate, message to Russia that we’re not going to tolerate this,” House Homeland Security ranking member John Katko (R-N.Y.) told Bloomberg last week.
But Biden faces few good options for altering Putin’s calculus. Years of sanctions have proven ineffective, cryptocurrency regulations face daunting prospects, allies in Europe are heavily reliant on Russian energy supplies and retaliatory cyberattacks could backfire.
Congress is already pursuing its own options. A bipartisan group of senators is expected to introduce legislation this week or next to require a wide range of companies, including critical infrastructure operators, to report hacks to the government. The House Homeland Security Committee is crafting similar legislation. Federal officials say a lack of information about private-sector breaches hampers their ability to protect the country from digital threats.
During Wednesday’s briefing for lawmakers, officials asked for new authority to establish mandatory cyber standards for critical infrastructure, according to a second Senate aide, who also requested anonymity to discuss the private call.
Neuberger also told senators that the White House will announce three other steps in the coming days, the first aide said.
DHS’ Cybersecurity and Infrastructure Security Agency will launch an interagency website, stopransomware.gov, to collect defensive guidance from various agencies. The Treasury Department’s Financial Crimes Enforcement Network will convene a virtual conference on ransomware in August. And the State Department will use its “Rewards for Justice” program to offer cash payments for tips leading to the arrests of ransomware operators.
Meanwhile, a glimmer of hope for the crusade against ransomware materialized on Tuesday, when the REvil gang, which carried out the Kaseya attack, abruptly went dark. It is unclear if the U.S. or Russia disrupted REvil’s infrastructure or if the criminals shut down their servers themselves, as other groups have done in the past following internal squabbles or increased scrutiny.
The senior administration official declined to clear up the mystery for reporters. “We’ve noted the disruption of REvil infrastructure and have no further comment on that at this time,” the official said.
Neuberger did not address the REvil outage during her briefing with lawmakers, Sen. Angus King (I-Maine) told reporters during a separate media call.
As the pace and impact of cyberattacks intensify, Biden is only now getting his core team in place to deal with them. On Monday, Chris Inglis was sworn in as the first-ever national cyber director, overseeing defensive efforts from the White House. And on Tuesday, hours after the Senate confirmed her, Jen Easterly started her job as director of CISA, giving the beleaguered agency its first permanent chief since last November.
Neuberger, who joined the White House in January as Biden’s first senior cyber official, did almost all of the talking during the Senate briefing, according to the first Senate aide.
Joining her on the call were Eric Goldstein, the executive assistant director for cybersecurity at CISA; Todd Conklin, a counselor to Deputy Treasury Secretary Wally Adeyemo; Richard Downing, a deputy assistant attorney general in DOJ’s Criminal Division; and Herb Stapleton, a deputy assistant director of the FBI’s Cyber Division.
Lawmakers asked general questions during their call, the first Senate aide said. Sen. Mike Rounds (R-S.D.), the ranking member on the armed services panel’s cyber subcommittee, asked about potential military cyber operations to confront ransomware gangs. He was told that the issue was better addressed in a classified setting.
King, the co-chair of the congressionally chartered Cyberspace Solarium Commission, welcomed the administration’s new initiatives but said they would probably do little to deter Putin.
“They’re necessary steps in order to deal with this issue,” he told reporters, but “the deterrence starts with the president’s interactions with Putin over the last month or so.”
“Vladimir Putin understands power, and he understands risk,” King said, “and he has to understand that this kind of conduct by the Russian state is unacceptable and will entail costs.”