US to increase scrutiny on cryptocurrency, federal contractors in effort to slow hacking
U.S. officials unveiled a suite of cybersecurity initiatives Wednesday, from cracking down on illicit cryptocurrency usages to increasing transparency about data breaches, as part of an ongoing White House effort to slow rampant cybercrime.
The Justice Department signaled it will increase its focus on illicit use of virtual money, which is frequently used in ransomware attacks, and move to punish federal contractors that hide security incidents. In a separate plan, the Transportation Security Administration this year will require top air and rail transportation companies to report cyberattacks to the government, name an internal cyber chief capable of corresponding about cyber incidents and develop a plan for recovering from attacks.
Deputy Attorney General Lisa Monaco unveiled two initiatives: a national cryptocurrency enforcement team and a civil cyber fraud initiative. Ransomware and cryptocurrency are “inexorably linked” because of the anonymity that cryptocurrency payments help afford, Monaco said at the Aspen Cyber Summit.
“We want to strengthen our capacity to dismantle the financial ecosystem that enables these criminal actors to flourish, quite frankly, and to profit from what they’re doing,” Monaco said. “And we’re going to do that by drawing on our cyber experts and cyber prosecutors are money laundering experts.”
Elsewhere, Department of Homeland Security Secretary Alejandro Mayorkas announced the TSA requirements, which expand on regulations the agency has already put in place for pipeline operators.
The plans are the latest moves by the Biden administration to take action on ransomware after major attacks this summer on Colonial Pipeline, JBS and Kaseya. They come days after the White House announced another plan to convene 30 nations to tackle ransomware collectively.
The second DOJ initiative will make use of the False Claims Act, which authorizes what Monaco deemed “very, very hefty fines” for government contractors, when they skirt federal cyber guidelines or fail to disclose breaches. The focus comes after suspected Russian hackers breached the federal contractor SolarWinds in 2020, using the federal contractor as a foothold into nine U.S. agencies.
“For too long, companies have chosen silence, under the mistaken belief that it’s less risky to hide a breach than to bring it forward and to report it. Well, that changes today,” she said. “We are announcing for the first time that we will use our civil enforcement tools to pursue companies — those who are government contractors and receive federal funds — when they fail to follow required cybersecurity standards, because we know that puts all of us at risk.”
The federal government won’t tolerate “those who are entrusted with government dollars, who are trusted to work on sensitive government systems, [who] fail to follow required cybersecurity standards,” Monaco said.
She also said the department would take steps to protect whistleblowers who report those failings. Monaco also wrote an op-ed published by CNBC Wednesday encouraging Congress to act on legislation requiring companies to report attacks.
Speaking at the Billington CyberSecurity Summit, Mayorkas unveiled the requirements on air and transport companies. TSA put in place similar mandates on pipeline operators in May following the Colonial Pipeline ransomware attack.
“Mirroring those steps … TSA is now laying the foundation for more secure and resilient aviation and surface transportation sector,” he said.
Mayorkas signaled future plans for more such rules: “TSA will expand the covered entities gradually to other relevant entities in consider additional measures.”
A rail industry group, the Association of American Railroads, took issue with Mayorkas’ rollout of the plan, saying industry only had three days to evaluate and respond to the proposal, which included many things the industry is doing already, according to the group.
“AAR hopes the substantive comments provided will be thoroughly considered in the decision on whether to proceed with the directive and to ensure any actions taken enhance, not hinder, coordinated cybersecurity efforts,” a spokesperson for the group said.
The second DOJ initiative and new TSA steps reflect the ongoing push within the Biden administration and in Congress to mandate that a larger swath of companies report major hacks and cyberattack-related information to the federal government.
Updated, 10/6/21: to include commentary from the Association of American Railroads.