Uneven cyber data makes US policy success hard to assess

Despite months of new regulations, policy changes and law enforcement actions targeting ransomware groups based in Russia and elsewhere, government officials say it’s unclear whether their efforts are working because private companies do not report every attack.

Incomplete data on the number of companies hacked is hampering efforts to determine the full impact of government actions, John Carlin, the United States’ senior deputy attorney general, told a WSJ Pro Cybersecurity conference that was held on Wednesday.

“The way we know about attacks, often, is down to casualty reporting, and right now not all victims report,” he said.

The Justice Department has launched a number of initiatives designed to tackle cybercrime, and in particular ransomware, in which hackers cripple a software system until they receive a ransom. Earlier this year, the department launched a task force focused on analyzing how ransomware gangs work and what steps can be taken to disrupt their operations. Additionally, the department announced new cybersecurity rules that federal contractors must follow and has been involved in law enforcement operations targeting ransomware operators based in countries like Russia.

But without the information reported by the victims, Mr Carlin said, he could not answer questions as to whether attacks from these gangs have diminished or not.

John Carlin, Senior Assistant Deputy Attorney General of the United States, speaks at a WSJ Pro Cybersecurity virtual conference on December 1.


“If we knew the full picture, the Federal Bureau of Investigation or someone else would be able to spit out a response that we have 100% reports and we have seen an increase or decrease. We are not here at the moment,” he said.

Mr Carlin’s remarks follow a number of different statements by law enforcement officials and the Biden administration in recent weeks about the pace of attacks on U.S. businesses. In October, a senior White House official told reporters that Russia had taken action against cybercriminals within its borders as a result of direct U.S. diplomatic efforts.

However, during a House Oversight Committee hearing in November, Bryan Vorndran, deputy director of the FBI’s cyber division, said the agency had not seen a decrease in attacks.

Congress is debating bills that would require critical infrastructure companies such as pipeline operators and electric utilities to report cyber attacks to the government, but the bills differ in their specific requirements. Some bills, for example, give a 72-hour grace period before companies are required to report breaches, while others require reporting within 24 hours.

At a House Homeland Security Committee hearing in November, Rob Silvers, Under Secretary for Strategy, Policy and Planning at the Department of Homeland Security, also said incomplete reports made it difficult to understand the scale of the cyber attacks against the United States.

“It’s difficult to assess because the vast majority of ransomware incidents go unreported to the government,” he said.

Write to James Rundle at [email protected]

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.