WASHINGTON —Energy Secretary Jennifer Granholm said Sunday that she supports a law that would ban companies from paying ransom to hackers holding their information hostage after a recent spate of cyberattacks on companies responsible for crucial parts of the U.S. infrastructure.
In an interview on NBC’s “Meet the Press,” Granholm acknowledged that she is not sure whether Congress or President Joe Biden are ready to take that step, but she warned that paying ransom only emboldens hackers. And she said private companies need to take responsibility and tell the government when they are attacked for the good of the country.
“Everyone needs to wake up and up their game in terms of protecting themselves, but also in terms of telling the federal government if they are a target of attacks. Many of these private companies don’t want to let people know. They should not be paying ransomware, but they should be letting us know so we can protect the rest of the country,” she said.
“I don’t know whether Congress or the president is at that point,” she said of a ban on paying ransom, “but I think we need to send this strong message that paying a ransomware only exacerbates and accelerates the problem. You are encouraging the bad actors.”
While cyberattacks aren’t new, recent high-profile attacks have shined a light on the vulnerabilities that have threatened key infrastructure and supply chains in the U.S. and around the world.
Last month, an attack prompted Colonial Pipeline to shut down key pipelines that supply the Eastern U.S., causing gas shortages and skyrocketing prices. And last week’s attack on JBS, one of the world’s largest meat suppliers, briefly raised concerns about a broader ripple effect on the meat industry.
Both attacks involved ransomware, in which hackers infiltrate a system and demand ransom. Colonial Pipeline ultimately paid.
Cybersecurity experts have long warned about such attacks, particularly by hacking groups based in Russia, where U.S. officials say hackers are given broad leeway as long as they attack only the West.
NBC News reported that the White House is considering cyberattacks against Russian hackers after the recent incidents.
Sen. Roy Blunt, R-Mo., called on the U.S. to treat Russia as “virtually a criminal enterprise” to push back against a series of cyberattacks and other aggressive actions by the country.
Blunt, head of the Senate GOP’s policy arm, argued that the U.S. needs to meet Russian aggression with a stronger offensive response, saying retaliatory cyberattacks are one way to push back.
“You really have to treat Russia like it’s virtually a criminal enterprise. They harbor criminals. They don’t appreciate the rule of law or any kind of level of personal freedom,” Blunt said on “Meet the Press.”
“We have to push back when there’s no penalty, there’s no sanctions,” he said. “It’s hard to find who is doing it, and even when you can find where they are, we haven’t really effectively sanctioned the countries that are protecting this kind of activity.”
Senate Intelligence Committee Chair Mark Warner, D-Va., warned in a separate interview that the scale of the cyberattacks is an even larger risk if hackers decide to take aim at critical infrastructure.
Warner said the debate over whether to outlaw paying ransomware attackers is a “debate worth having.” But he pitched a three-prong strategy: legislation that would require companies to notify the government when they are hacked, an effort to foster international cooperation to hold bad actors accountable and a push for additional transparency if a company decides to pay ransom.
“We’ve been talking about cyber for a long time, but finally, the American public is starting to wake up to the ramifications of these cyberattacks,” Warner said.
“What I’m really worried about is if we saw the kind of massive, across-the-system attack that took place last year, the SolarWinds attack,” he said. “There, Russians got into 18,000 different companies. If that attack had been an effort to shut down our system, our economy would have come to a halt.”