Senators introduce bipartisan bill to sanction nations involved in ransomware attacks

Senate Intelligence Committee Vice Chairman Marco Rubio (R-Fla.) and Sen. Dianne Feinstein (D-Calif.) on Thursday introduced legislation that would sanction countries involved in state-sponsored ransomware attacks. 

The Sanction and Stop Ransomware Act would impose penalties on nations deemed by the secretary of State and the Director of National Intelligence to be a “state sponsor of ransomware” through harboring or providing support for cybercriminals carrying out such attacks. The president would then be required to impose sanctions that are consistent with those levied on nations deemed sponsors of terrorism.

Ransomware attacks have been on the rise over the past year during the COVID-19 pandemic, reaching the level of a national security threat with the May attacks on the Colonial Pipeline, which provides 45 percent of the East Coast’s fuel, and meat producer JBS USA.

The legislation would require federal agencies, government contractors and owners and operators of critical infrastructure to report ransomware attacks within 24 hours to a system to be set up with the Cybersecurity and Infrastructure Security Agency (CISA), which has 180 days to put in place the reporting operation. 

Further, the legislation would require the development of cybersecurity standards for critical infrastructure groups, such as those in the electric or water sectors, in order to help prevent successful attacks. 

The bill would address concerns around the use of cryptocurrency by hackers for ransomware attack payments by victims, requiring the development of regulations on cryptocurrency exchanges and that records of ransomware payments be made available to the federal government. 

“Ransomware attacks threaten the health and safety of countless Americans,” Rubio said in a statement. “Our bipartisan bill provides the tools necessary to help safeguard critical infrastructure while discouraging and disrupting these criminal organizations, including the regimes who harbor them.”

Feinstein noted that ransomware attacks were aimed at groups of all sizes, saying that it is necessary for Congress to take steps to address the ongoing tide of attacks that have held hostage the networks of everything from hospitals to schools to government agencies. 

“Congress must do more to support all organizations and companies struggling to deal with these escalating attacks,” she said in a separate statement. “Our bill will help the private and public sectors avoid ransomware attacks, reduce incentives to pay ransoms and hold foreign governments accountable if they provide a safe haven for ransomware perpetrators.”

The bill was rolled out amid escalating tensions between the U.S. and Russia over cybersecurity concerns. 

The FBI tied both the attacks on Colonial Pipeline and JBS USA to Russia-based cyber criminal groups, and the more recent ransomware attack on software company Kaseya that affected up to 1,500 companies was also tied to Russian hackers by cybersecurity experts. 

President Biden discussed his concerns around Russia-linked attacks with Russian President Vladimir Putin during their summit in Geneva in June, and urged him to crack down on cybercriminals operating within Russia. 

Biden imposed sanctions on Russia in April after U.S. intelligence agencies linked the SolarWinds hack, which compromised nine U.S. federal agencies, to Russian government-backed hackers. The administration also separately called out China for its involvement in exploiting vulnerabilities in Microsoft Exchange Server application this year to compromise thousands of organizations.  

The bill is not the first to address the surge in cybersecurity concerns, with both Rubio and Feinstein also sponsoring legislation alongside most of the Senate Intelligence Committee that would require certain critical groups to report cybersecurity incidents to CISA within 24 hours. 

Rubio stressed the need Thursday to stand up to governments who allowed malicious hackers to target U.S. organizations. 

“It is time for the United States to take strong, decisive action to protect American businesses, infrastructure, and government institutions,” he said.