Lawmakers and top Biden administration officials discussed Sunday an alarming uptick in Russian-based ransomware attacks in the U.S, citing “deep concerns” that Moscow could go even further in their hacks on U.S. critical infrastructure.
Their remarks come in wake of two major attacks in recent weeks on Colonial Pipeline and meat supplier JBS. Both were attributed to Russian-based cyber criminals – further straining ties between Washington and Moscow ahead of President Biden’s planned sit-down with Russian President Vladimir Putin in Geneva later this month.
Appearing on NBC News’s “Meet the Press,” Senate Intelligence Committee Chairman Mark Warner, D-V.A. told host Chuck Todd said the U.S. is finally starting to “wake up” to the ramifications of these attacks, and called for higher cybersecurity standards in the private sector, as well as liability for U.S. companies who do not alert the government when they are breached.
Warner said he is deeply concerned about the possibility of a Russian-based “massive” cross-system cyberattack on the U.S.
“What I’m really worried about is if we saw the kind of massive, across-the-system attack that took place last year, the Solar Winds attack,” Warner said. “There, Russians got into 18,000 different companies.”
He added: “If that attack would have been an effort to shut down [U.S. systems], operations would have come to a halt, the way it did when Russia attacked Ukraine.”
Asked how the U.S. could best deter future aggression, Warner cited the need to partner with other countries to implement “international repercussions” for nations that continue to engage in malicious cyber activity.
Warner also stressed the need for the creation of incident reporting legislation, which would require private U.S. companies to inform the government if their networks were breached.
Roughly 85% percent of cyberattacks are waged in the private sector, according to a Cyberspace Solarium Commission report – underscoring the need for companies to shore up cyber defenses alongside the federal government.
“We need more transparency because right now, what’s happening around ransomware is, not only are the companies often not reporting that they are attacked, but they’re not reporting the ransomware payments,” Warner sad.
Asked what it will take to curtail Putin’s behavior, Warner said he believes the U.S. needs the ability to punch back and go on the offensive when necessary.
“I do think we need the ability to use some of our offensive capabilities” Warner said. “But what we also need is [a] level of international norms, so that a country like Russia would know, if it shut down a health care system, for example,” there will be “international repercussions rather than the U.S. acting alone.”
The ranking Republican on the Senate Intelligence Committee, Sen. Roy Blunt (R-Mo.) echoed Warner’s concerns: “You really have to treat Russia like a criminal enterprise," Blunt said. “They harbor criminals, they don't appreciate the rule of law or any kind of level of personal freedom."
Appearing on CNN’s “State of the Union,” Energy Secretary Jennifer Granholm did not mince words when it came to the existential threat posed by these hackers. Asked by host Jake Tapper if she thinks U.S. adversaries “have the capability, right now,” to shut down the U.S. power grid, Granholm responded without missing a beat.
“Yes,” she said. “They do. I think there are very malign actors who are trying even as we speak.”
“There are thousands of attacks on the energy sector and the private sector,” she added. “It’s happening all the time. … The bottom line is we all have to up our game on cyber defenses.”
During a separate appearance on Meet the Press, Granholm said she would support a law to formally ban ransomware payments.
“I would, I would say” that I’d support the legislation, she told Todd, though she added: "I don't know whether Congress or the president is [behind it] at that point."
Granholm’s remarks appear to be the strongest stance any senior administration official has taken on the matter to date.
"Everyone needs to wake up and up their game in terms of protecting themselves, but also in terms of telling the federal government if they are a target of attacks," Granholm said Sunday. "Many of these private companies don’t want to let people know, they should not be paying ransomware but they should be letting us know so we can protect the rest of the country."
Also appearing on CNN Sunday was Sen. Angus King, I-Maine, another Senate Intelligence Committee member and co-chair of the Cyberspace Solarium Commission. Earlier this week, King said he “could not overstate how concerned he is” about these cyberattacks.
“We need to step up our efforts” in cyber, King told Tapper. “As we've had these series of cyberattacks from North Korea, from Russia, from China, we really haven't responded. We’ve been a cheap date. And you can't defend yourself simply by bobbing and weaving and patching.”
“The adversary has to understand they’ll pay a price, there’ll be a cost, for attacking the United States or attacking our critical infrastructure. And thus far they haven’t felt that.”
Of the U.S.’s failure to act sooner, King said: “We keep getting wake up calls. And we keep not waking up.”