Intelligence bill would elevate ransomware to a terrorist threat
When the Senate Intelligence Committee earlier this summer advanced its annual measure to authorize the work of the U.S. intelligence community, it also advanced a controversial proposal to deal with ransomware: treating it like terrorism.
Sponsored by committee Chairman Mark Warner, D-Va., the bill contains novel language regarding ransomware that seeks to address increasingly rampant and damaging ransomware attacks by calling out ransomware gangs by name and branding them as “hostile foreign cyber actors”; designating nations that harbor ransomware actors as “state sponsors of ransomware” and slapping such states with sanctions; and granting the U.S. intelligence community greater legal authority to go after ransomware actors by elevating ransomware to the level of a national intelligence priority.
Although the U.S. Justice Department has said in the past it is elevating investigations of ransomware attacks to a similar priority as terrorism, the Senate Intelligence Committee’s proposal, if passed into law, would be the first US law that directly links ransomware to terrorism.
“Bottom line, the bill represents an acknowledgment of the economic damage that ransomware is doing to the US and its allies,” Adam Maruyama, former U.S. government counterterrorism expert who is the field CTO at Garrison Technology, told CyberScoop. “At the same time, it calls out that there are nation-states in the world, North Korea in particular, who are making significant chunks of their GDP off of being state sponsors of ransomware.”
But experts question whether the move to treat ransomware actors like terrorist groups and to use U.S. sanctions authorities against their backers will have the desired effect. Levying additional sanctions against state sponsors who already are the subjects of significant sanctions and are unlikely to be undeterred by new ones may do little to change the behavior of ransomware groups with nebulous relationships to the states in which they operate.
But the bill’s defenders argue that it sends an important signal, and that once passed into law it will indicate to U.S. adversaries that Washington is seriously ramping up its efforts to address ransomware attacks.
Calling out ransomware groups as hostile foreign cyber actors
The Intelligence Committee’s proposal finds “that foreign ransomware organizations, and foreign affiliates associated with them, constitute hostile foreign cyber actors, that covered nations abet and benefit from the activities of these actors, and that such actors should be treated as hostile foreign cyber actors by the United States,” citing a list of 18 ransomware gangs, from DarkSide to Black Basta.
Luke Connolly, threat analyst at Emsisoft, told CyberScoop that naming the groups represents “a shot across the bow, saying the full weight of the U.S. community intelligence community is now going to be potentially directed at you.” Connolly sees that as a warning to ransomware groups: “You better think twice about targeting something that’s quite egregious, like hospitals where potential lives are at stake.”
But experts caution that by listing a group of 18 particular ransomware groups the legislation may fail to account for the fluid nature of the cybercriminal underground. Ransomware groups are frequently the subject of law enforcement take-downs and frequently disband, only to regroup again as different entities or under various names.
The listed ransomware groups include LockBit, which was shuttered during a significant international law enforcement effort called Operation Cronos in February. Once considered the top ransomware threat, LockBit no longer rates among the top players, according to Cyfirma. REvil, another group on the list, largely ceased operations after being targeted by Russian law enforcement in 2022.
Megan Stifel, chief strategy officer for the Institute for Security and Technology, said that a better approach might have been to list the groups as merely examples rather than a definitive list. In any case, she says, “the way these groups are so amorphous and constantly reshaping, it is very similar to the way we saw terrorism groups operating in the late 2000s and early 2010s.”
Naming the countries who are ‘state sponsors of ransomware’
The Intelligence Committee’s bill tries to give teeth to its ransomware crackdown by directing the secretary of state and the director of national intelligence to “designate as a state sponsor of ransomware any country the government of which the Secretary has determined has provided support for ransomware demand schemes,” including by providing a safe haven for individuals engaged in such schemes.
It also allows the president to impose sanctions and penalties on state sponsors of ransomware as if they were state sponsors of terrorism, as determined by the secretary of state under a series of controlling legal authorities dealing with acts of international terrorism.
The bill also directs the treasury secretary to submit a report to Congress that describes, for each of the past five years, the number and geographic locations of individuals, groups and entities subject to sanctions imposed by the Office of Foreign Assets Control who were subsequently determined to have been involved in a ransomware demand scheme.
It further asks the comptroller general to issue a report that outlines the legal authorities available to the Federal Bureau of Investigation, the Secret Service, the Cybersecurity and Infrastructure Security Agency, Homeland Security Investigations and the Office of Foreign Assets Control to respond to foreign-based ransomware attacks.
“What’s different here is this is the first attempt I’ve seen to elevate something that has traditionally been taken care of by law enforcement to be at that level of terrorism designations that we enacted a couple decades ago,” Drew Bagley, CrowdStrike’s vice president and counsel for privacy and cyber policy, told CyberScoop.
“With existing terrorism provisions, you would have to still meet the definition of traditional terrorism, even if ransomware was used as part of that,” he said. “If you look at how pervasive ransomware is and even attacks on critical infrastructure and whatnot, it doesn’t all necessarily fit nicely into those older definitions that were used for non-state actor terrorism twenty-five years ago. This is an effort to bring new policy tools to this fight.”
Giving the intel community a green light to target ransomware actors
The bill would also require the U.S. intelligence community to treat ransomware as a national intelligence priority. It requires the Director of National Intelligence (DNI) to deem ransomware threats to critical infrastructure a national intelligence priority component of the National Intelligence Priorities Framework.
It asks the DNI to identify individuals, groups and entities that pose the most significant threat; the locations from which these groups operate; the infrastructure, tactics and techniques they commonly use; their relationships with their governments or countries of origin and any intelligence gaps that are impeding the ability to counter ransomware.
Ari Schwartz, managing director of cybersecurity services and policy at Venable, said these provisions would make sure the intelligence community is collecting information on ransomware actors.
“There are entities that are out there that seem to be criminal gangs that are state-sponsored actors. They’re the arm of the state sponsor of terrorism through cyber means,” Schwartz said. “The bill ties it all together, saying, ‘Hey, director of national intelligence and intelligence agencies, this is a national security priority. Go look into ransomware actors.'”
Some experts say the intelligence community already knows a lot about ransomware actors and that the bill might provide legal clarity in pursuing anti-ransomware action.
“It looks like it’s raising the priority of ransomware threats within the three-letteragencies so that they can then apply resources to try to help defend the national interests of the US intended citizens,” Emsisoft’s Connolly said. “There are people getting a tap on the shoulder who are going to do things that we won’t know about, would be my guess.”
Questions about the bill’s effectiveness
Some experts doubt whether treating ransomware like terrorism will make the U.S. more effective in combatting it.
James Lewis, the director of the strategic technologies program at the Center for Strategic and International Studies, scoffs at the bill. “The ransomware part seems like kabuki,” he told CyberScoop. “Countries don’t always know about ransomware efforts, and it’s a stretch to call it terrorism. The intentions are very different.”
Others say sanctions related to ransomware may be ineffective given that countries likely to be considered state sponsors of ransomware already operate under significant sanctions. “I’d say the deterrent effect will be questionable,” Maruyama said. “China has its own robust economy. North Korea has been sanctioned to a point where I don’t know that we can inflict any more economic harm. And Iran and Russia have proven quite resilient to sanctions thus far, both on a state and an individual actor level.”
Maruyama thinks that the state-sponsor of ransomware labels should be applied only when national security is at risk. “If we’re thinking about attacks that target retail services and outlets, there may be an argument that a nation-state level sanction, particularly if they’re harboring rather than directing the cyber actors involved, could be a disproportionate response to those acts.”
Despite these concerns, the bill’s provisions do convey the message to the rest of the world that the U.S. is escalating its efforts to tackle the ransomware problem. “The fact that they are equating state sponsors of ransomware with state sponsors of terrorism tells me that there’s an ongoing arms race between governments who are trying to protect their citizens and their industries and the bad guys,” Connolly said. “And the bad guys seem to be winning. The U.S. government is saying, this is getting really serious.”
