At present, there is no comprehensive federal breach notification law, and state-level laws are too decentralized, too focused on personal information instead of risk to systemically important critical infrastructure, and sometimes create a perverse incentive for companies not to investigate attacks. In the case of complex supply chain attacks like “Holiday Bear,” one company’s failure to publicly report a breach can have wide-reaching implications. For example, if cybersecurity company FireEye had not voluntarily and publicly shared evidence of their own compromise and that SolarWinds was the attack vector, the public and the government may not have known about this highly impactful attack for many months to come. Yet, FireEye had no legal obligation to report this breach under existing law. They should be praised for their courageous decision, but unfortunately, not all other victims have followed their lead in transparency.

4. Congress should take steps to increase security standards for vendors supplying high-risk software via government acquisition processes.

Government agencies and private-sector businesses currently rely on a number of companies such as SolarWinds whose software runs with high levels of privilege on their networks. Yet these agencies and businesses have little to no sense of the security levels of that software. Borrowing from a widely-used private sector practice, Congress should compel these vendors to undergo annual, independent third-party audits of their source code and penetration exercises of their networks. The government could require that companies provide the results of these stress tests as part of the federal procurement process, or even require companies to publish the results of those audits publicly on their website.
Not only would this process increase transparency for their customers, but it would also incentivize companies to quickly and efficiently patch vulnerabilities in their networks or source code and get a clean bill of health, as no one would want to publish a failed audit.

5. Congress should support stricter “Know Your Customer” (KYC) requirements for worldwide cryptocurrency exchanges to target the business model of ransomware criminals.

Dangerous ransomware attacks pose an existential threat to critical infrastructure and many small and medium businesses in this country. For example, criminal attacks on hospital systems—a favorite target of ransomware attacks—put the lives of American citizens in danger, especially during the pandemic, when hospital beds are already in short supply. Ransomware criminals rely on widely-available and largely anonymous cryptocurrency, such as Bitcoin, to collect hundreds of millions of dollars in ransom payments without risk of disclosing their identities to victims or law enforcement. It is no coincidence that the explosion of ransomware attacks occurred only after the invention of cryptocurrency platforms, which are the oxygen that fuels the fire of these criminal operations. And while it remains very difficult to purchase goods and services, such as real estate, cars and other luxury items that these criminals may want, with cryptocurrency, it is currently easy to anonymously use cryptocurrency exchanges to convert ransom payments into reserve currency like dollars or euros. The bottom line is that we need stronger tools to undermine the ability of criminals and nation-states to use cryptocurrency to receive and convert ransom payments and purchase illicit
Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience