Top FBI official advises Congress against banning ransomware payments

A senior FBI official advised members of the Senate Judiciary Committee on Tuesday against the idea of banning companies from paying hackers behind ransomware attacks, which have become a national security concern in recent months.

“It’s our opinion that banning ransomware payments is not the road to go down,” Bryan Vorndran, the assistant director of the FBI’s Cyber Division, said in response to a question by Sen. Mazie Hirono (D-Hawaii). 

Vorndran stressed that this was due to the increasing sophistication of ransomware attacks, as many cyber criminals not only encrypt a company’s network and demand payment, but also steal data from companies to use for additional blackmail if the attack is reported. 

“It would be our opinion that if we ban ransom payments, now you are putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” Vorndran testified. “It is a really complicated conversation, but it is our position that banning ransom payments is not the road to go down.”

Vorndran noted that the FBI estimates that between “25 and 35 percent” of cyber incidents are not reported to federal law enforcement, making it difficult for the FBI and other agencies to fully assess the scope of the ransomware attack problem and respond accordingly.

Jeremy Sheridan, the assistant director of the U.S. Secret Service’s Office of Investigations, testified to the committee Tuesday that banning ransomware payments would only serve to lower reporting. 

“Reporting is one of our biggest challenges related to this,” Sheridan said. “Banning the payments would further push any reporting to law enforcement into obscurity and make it virtually impossible for us to have that relationship.”

Hirono noted following their testimony that “this is quite the conundrum for all of us.”

The hearing came on the heels of months of escalating cyberattacks, including major ransomware attacks in May on Colonial Pipeline, which provides 45 percent of the East Coast’s fuel, and on meat producer JBS USA. Both companies chose to pay the ransom demanded by the hackers, though the Justice Department was able to recover a majority of the funds paid to Russia-linked group DarkSide by Colonial. 

While both Colonial and JBS paid the hackers behind the attacks, many companies do not, causing weeks and months of disruption to business. Software company Kaseya announced earlier this week that while it had obtained a decryption key for its systems following a major ransomware attack earlier this month, it had not paid the hackers behind the attack. 

After these and other attacks, both the House and Senate have been seriously considering the idea of legislation creating mandatory cyber incident reporting for certain groups. 

All but three members of the Senate Intelligence Committee last week introduced a bipartisan bill that would mandate reporting of cybersecurity incidents by federal agencies, federal contractors and groups critical to national security within 24 hours of the attack. 

Vorndran and other witnesses on Tuesday advocated for this type of legislation to be signed into law in order to fight back against ransomware attacks and other cyber incidents.

“We are very significant advocates for mandatory breach reporting,” Vorndran testified. 

Eric Goldstein, the executive assistant director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), testified that more incident reporting was “absolutely essential.”

“Certainly steps taken to increase reporting across the country will be highly beneficial, and we look forward to working with Congress towards that important goal,” Goldstein said.