Victims’ reluctance to report ransomware stymies efforts to curb cyberattacks, say federal officials

Two years after a coalition of cybersecurity companies, public sector organizations and federal agencies came together to form the Ransomware Task Force at the nonprofit Institute for Security and Technology, these digital crimes remain an ongoing and serious problem with attacks seemingly increasingly severe.

Attacks on cities, universities and hospitals continue making headlines every week. In just the past few days, officials in Dallas have struggled to bring services back online after a ransomware attack there crippled services in one of the biggest cities in the country. And over the past year, ransomware gangs have appeared to become more brazen in their attempts to get their victims to pay extortion demands, even as some attacks appeared to subside potentially do to the conflict between Russia and Ukraine.

“I truly expected that nation-state cyberattacks would be the core driver of both domestic and international cyber policy. And I can say that instead, criminal ransomware activity has really been a core driver,” said Deputy National Security Advisor Anne Neuberger at a meeting of the Ransomware Task Force in Washington on Friday.

One of the biggest concerns for the task force and other stakeholders is continuing dearth of data related to attacks — and the attackers — that could help inform some of the still unaddressed recommendations from the group’s initial 2021 report. The group released a progress report on Friday.

For instance, FBI and Justice Department representatives at Friday’s gathering acknowledged ongoing challenges in getting victims to report attacks, citing that only roughly 20% of those affected by the attacks. “If we could move that number from 20-30% to up to 70-80% we could make an even bigger impact than we’re already doing,” said Marshall Miller, principal associate deputy attorney general at the Justice Department.

New successes such as a more aggressive approach to disrupting ransomware efforts through both destabilizing groups and the infrastructure and financial systems they use, also require new ways of collecting better data. “We want to ask ourselves, we know it has a disruptive impact — for how long? How do we extend how long that lasts? How do we ensure these disruptions are a foundational impact on the infrastructure of the people and the money laundering networks that make this possible,” said Neuberger.

But that doesn’t mean attitudes haven’t changed at all. “I think the conversation has shifted from should we report this to law enforcement but rather when should we report this to law enforcement,” said David Ring of the FBI’s Cyber Division “Most have recognized there’s more risk in not sharing and not reporting.”

Valerie Cofield, chief strategy officer at the Cybersecurity and Infrastructure Security Administration, says that while the agency could still benefit from more reporting, it’s been able to show how powerful better data is with its newer programs. Tips to the agency’s pre-ransomware notification program, which launched earlier this year, have led to 150 notifications to a range of entities including a city in Europe that was then able to prevent an attack. Cofield noted that the implementation of cybersecurity reporting legislation passed by Congress last year will also improve CISA’s data on attacks.

There are ways that the private and public sectors could further encourage better reporting and data, the task force notes in its updated report. For instance, it recommended that the U.S. government could consider incentives for reporting, noting the tax structures and incentives in the National Cybersecurity Strategy

The U.S. government’s increased focus on ransomware is apparent based on the progress that agencies have made on the task force’s 2021 recommendations. For instance, a recommendation for an international coalition to combat ransomware criminals has been met by the United State’s Counter Ransomware Initiative, which has more than 30 countries involved.

As of this month, 92% of the 48 recommendations from the task force have seen “some degree of action” and 50% experienced “significant progress, including through legislation and policy adoption.”

“I would say we’re further ahead than we expected to be, but we also knew we wouldn’t have success overnight,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology and RTF co-chair. “I would not want any of us to rest on our laurels.”