How far can Congress go in forcing new cybersecurity measures on the private sector?

Congress recently hosted the CEO of Colonial Pipeline, Joseph Blount, at a hearing where he was asked a series of questions about May's cyber-attack that halted the delivery of fuel to the East Coast.  The attack led to fuel shortages and price increases and displayed the vulnerability that many vital industries still show in a world littered with sophisticated hacking groups, many of which are sponsored by foreign governments.  One of the key issues discussed was the $4.4-million ransom payment netted by Russia's DarkSide Ransomware Gang.

The decision to pay the hackers was seen as a major mistake that many on Capitol Hill believe encourages hackers to continue their criminal activities.  In an effort to halt these actions, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) had already taken action last October in the form of an advisory that warned against making ransom payments to individuals or groups under U.S. sanctions and threatened civil damages for entities found in violation of the advisory.

Colonial's Blount, citing the uncertainty in the days following the breach, made the decision to pay DarkSide while acknowledging that he was aware of the OFAC directive.  Blount specifically told lawmakers, "I do know that repeatedly throughout the process, the fact of whether DarkSide was on the sanctions list or not was fact-checked repeatedly."

Although most Republican lawmakers tend to prefer a hands-off approach to the private sector, many of them are demanding additional oversight because of the potential disaster posed by major hacking attacks.  "As I've said before, no one is safe from these attacks, including us," the ranking member of the Senate Homeland Security and Governmental Affairs Committee, Ohio Republican Senator Rob Portman, said at the hearing.

Part of the reason why bipartisan support for additional oversight is building is that for major hacks like Colonial, the government is being forced to intervene.  In fact, the FBI was responsible for helping Colonial Pipeline recover most of the $4.4 million in ransom ($2.3 million in Bitcoin) that was paid to DarkSide.

Additionally, it seems that the cyber-insurance industry is likely to come under scrutiny shortly.  Many American businesses carry insurance against hacks, and many experts, including former security and counterterrorism official Richard Clarke, are amplifying their belief that insurance companies' willingness to cover ransoms in lieu of paying their customers to rebuild their networks is contributing to the rise of major attacks.  In a N.Y. Daily News column from May, Clarke and Robert K. Knake wrote regarding corporate hacks, "Usually it is a corporation that never tells the public about the attack.  The companies do tell their insurance carriers, and they, in turn, pay up.  It's cheaper for the insurance companies to pay the hackers to unlock the networks than to pay computer security companies to rebuild the corporate network from scratch."

Regardless of the past week's hearing, the march toward additional government intervention on cyber-matters has already begun.  Just weeks ago, the Department of Homeland Security (DHS) established new cyber-related measures aimed at protecting America's leading pipeline businesses and will require them to immediately disclose the details of any hacking incidents.

Although the headlines are generally dominated by hacks against large corporations, the vast majority of cyber-crime victims are still individuals.  The average American is regularly faced with the decision of whether to pay hackers what is generally a much smaller ransom.  In most cases, the amount of the requested ransom is less than the trouble involved in replacing infected software or hardware.  Seasoned ransomware gangs that target individuals will generally price their ransom in a way likely to compel payment.

One of the most frequently seen attacks nowadays involves members of the STOP/Djvu Ransomware Family.  These strains share similarities and are distinguished by a unique four-letter sequence appended to every encrypted file.  The STOP/Djvu Family includes the variants Ehiz, Pahd, Nusm, Mppq, Paas, and countless others.

Potential victims of these gangs can avoid a crisis by maintaining offline backups of their files.  This would be the easiest way to avoid having to pay ransoms, as you can always re-upload your important files to a new device.

As a result of the Colonial hack and others, including a major attack against Ireland's health care infrastructure, the next few months should be key in establishing a new American defense against hackers.  There are changes expected at the Cybersecurity and Infrastructure Security Agency (CISA), and we will also likely see additional congressional hearings on the matter.  The question is, will America suffer another major infrastructure attack in the interim?

Julio Rivera is a business and political strategist, the editorial director for Reactionary Times, and a political commentator and columnist.  His writing, which is focused on cyber-security and politics, has been published by websites including Newsmax, Townhall, American Thinker, and BizPacReview.
