Lawmakers have not ruled out legislation that could ban private companies from making ransomware payments, Sen. Gary Peters of Michigan, chairman of the Senate Homeland Security Committee, said Tuesday.
“It’s a possibility that we ban [ransomware payments],” the Michigan Democrat said during a Washington Post Live event. “I’m not closing the door on that.”
Peters pointed to a $100 million Cyber Response and Recovery Fund, included in the bipartisan infrastructure bill passed by the Senate over the summer, as a step toward reducing the number of companies that feel compelled to make ransomware payments.
“We have to right now be focused on working with companies to understand that there are alternatives to paying a ransom, particularly if they get assistance from the federal government and look at the federal government as a partner,” Peters said.
The FBI already recommends that companies do not pay ransoms to criminals who hack their computer networks, but private entities are free to ignore this advice under current law.
The event comes amid news that the Russia-linked hackers behind the massive 2020 SolarWinds breach of hundreds of major corporations and U.S. government agencies have stepped up their efforts to compromise American institutions.
Tom Burt, corporate vice president for customer security and trust at Microsoft, published a blog post Monday reporting that the “Russian nation-state actor Nobelium,” which was responsible for the SolarWinds attack, attacked 609 of its customers more than 22,000 times between July 1 and Oct. 19 of this year, more than in the previous three years combined.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” Burt said.
The Russian government’s support of hacking groups has been a major point of contention between it and the U.S. Tensions increased earlier this year following the hack of Colonial Pipeline, which disrupted fuel deliveries across the Eastern U.S.
In June, President Joe Biden met with Russian President Vladimir Putin, where he pressed the Russian leader to crack down on cybercrime originating within its borders, naming 16 “critical infrastructure” sectors from the energy industry to water systems that should be “off-limits” to ransomware attacks.
Earlier this month, the Biden administration convened an international summit focused on combating the global epidemic of ransomware attacks, which brought together leaders from more than 30 nations for virtual sessions to strategize on how to better collectively blunt these attacks.
Senior administration officials said that Russia was not invited to the summit, though they stressed that the Biden administration remains in communication with Russian officials on the topic and that the Russian government has taken steps to curb its ransomware industry.