Ransomware attacks pose 2021 challenges for Congress

Ransomware cyberattacks are expected to pose a growing threat to hospitals and schools next year, putting pressure on Congress to draft a legislative response.

At the other end of Pennsylvania Avenue, the Biden administration will have its own set of challenges, mainly building a new cybersecurity leadership team at the federal level and taking stock of what aspects of election security from 2020 should be replicated in the future.

Here’s what to watch for in 2021.

Ransomware attacks

Cyber criminals have steadily stepped up attacks on critical institutions over the past two years, increasingly turning to ransomware to extort vulnerable groups for funds.

The issue has been magnified by the COVID-19 pandemic, with hackers targeting stressed hospital networks and school districts that have moved online, along with local governments that are more likely to pay a ransom to ensure networks are running again as quickly as possible.

Targets in recent months have included hospital systems in Vermont and New York, and school districts in Miami Dade County, Fla., and Baltimore County, Md. In all cases, operations were significantly affected, slowing critical services.

Key leaders on Capitol Hill say they are aiming to take action to address these concerns next year.

“Getting federal resources to state and local governments for their cybersecurity efforts will be one of our top priorities next year,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) told The Hill.

Thompson said that “early next year” he and other lawmakers intend to reintroduce the State and Local Cybersecurity Improvement Act, a bipartisan bill that would create a $400 million grant program to provide financial resources to defend against and respond to cyberattacks.

Rep. Lauren Underwood (D-Ill.), the new chair of the House Homeland Security Committee’s cybersecurity subcommittee, said in November that addressing the widespread ransomware attacks would be a top priority for her panel in 2021, with the goal of providing federal funds to state and local governments.

Rep. John Katko (R-N.Y.), ranking member on the subcommittee, told The Hill that the attacks on hospitals in his home state should be a “wakeup call for lawmakers.”

“We have to take meaningful action to address our vulnerabilities,” said Katko, who recently announced he was running to be the new ranking member on the House Homeland Security Committee. “In the upcoming Congress, I’ll bring cybersecurity to the forefront and work to advance comprehensive measures that strengthen our nation’s cyber defenses.”

Election security lessons

Securing U.S. election systems has been a major topic in the spotlight over the past four years after Russian agents interfered in the 2016 presidential election through hacking and disinformation efforts.

The 2020 election proved mostly uneventful and quiet on the cybersecurity front, with top officials declaring victory after four years of coordination at the federal, state and local levels to ramp up security.

Despite the relative calm, some officials are calling for more action to be taken next year to ensure the lessons learned since 2016 continue to be applied to future elections.

 “You can’t take your eyes off the ball, you have to continue your diligence. The attack profile is still there,” said Christopher Painter, who was State Department cybersecurity coordinator under both the Obama and Trump administrations.

He pointed to improvements ensuring voting machines across the country had paper records, and focusing on ways foreign adversaries could interfere. But he emphasized that the threats from both domestic and international disinformation will remain.

“We also need to deal with this difficult issue of social media and how we deal with that given freedom of expression,” Painter said. “You run into very difficult political issues on that one, but I think that is something we have to do.”

Matthew Travis, former deputy director of the Cybersecurity Security and Infrastructure Security Agency (CISA), said during the Aspen Institute’s Cyber Summit in December that disinformation was a key threat in 2020, and that there had been some unsuccessful cyber targeting of election infrastructure.

“It is a hybrid threat where you have both foreign actors who are looking to undermine Western democracies, but obviously … there are voices from within this country that as we see the continuing polarization are going to use the same tactics and techniques to do the same thing, which is to sow discord,” Travis said. 

One topic of partisan divide on Capitol Hill that may carry into next year revolved around federal funding for election officials. Congress has appropriated more than $800 million for election security needs since 2018, but Democrats and election officials have called for far more.

Thompson told The Hill that the funding fight will not fade away in the next Congress and when President-elect Joe Biden takes office.

“We will also work with the incoming Biden administration to continue to improve election security and restore public confidence in the electoral process after months of irresponsible rhetoric from the White House,” Thompson said. 

“We will continue to advocate for ongoing, predictable funding for state and local governments to continue to replace outdated election equipment and improve security training for election officials,” he added.

Cyber priorities for new administration 

More focus on cybersecurity coordination and policies is expected under the Biden administration.

Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) said he saw several issues as being “top of mind” for the incoming administration, including “deepfakes, 5G and AI.”

Senate Homeland Security and Governmental Affairs Committee ranking member Gary Peters (D-Mich.) told The Hill that “Congress and the incoming administration must work together to secure our critical infrastructure and protect our communities and institutions from online attacks — including our health care systems, schools, small businesses and local governments.”

A spokesperson for the Biden campaign told The Hill in November that the incoming administration plans to focus on issues like restoring the nation’s leadership role in cyberspace, reinvesting in securing critical infrastructure, imposing costs on nations attacking the United States in cyberspace and securing election systems.

Painter said creating a cyber czar position would help achieve many of those goals. He said the post could be established through legislation or direct action by the Biden administration. The annual National Defense Authorization Act looks set to include a clause establishing the position after a bipartisan group of lawmakers lobbied for it.

“I do expect that you’re going to see this shift to it being more of a presidential priority,” Painter said of cybersecurity at the executive level.