Federal cybersecurity leaders questioned the effectiveness of cyber insurance as a way to ease the financial burden of ransomware attacks during a June 28 hearing of the House Homeland Security Committee’s subcommittee on intelligence and counterterrorism.
In her opening remarks at the hearing, Rep. Elissa Slotkin, D-Mich., urged critical infrastructure providers to consider purchasing cyber insurance to help them deal with the impact of ransomware attacks that might be launched against them. At the same time, she acknowledged that using insurance policies to pay ransoms and restore systems after a cyberattack remains an uncertain prospect for organizations with fewer resources.
“We know that small and medium businesses, small and medium governments, don’t have companies to take care of everything for them, and not everyone can afford cybersecurity insurance, which I encourage all leaders to review,” Rep. Slotkin said.
Federal government cybersecurity experts testifying before the subcommittee pushed back against the congresswoman’s promotion of cyber insurance options.
Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience Policy in the Department of Homeland Security’s (DHS) Office of Strategy, Policy, and Plans, warned that holding a cyber insurance policy could make an organization a more attractive target for cybercriminals, because attackers expect an insured victim to be more willing and able to pay.
“They will do their market research on victims who can afford to pay, and they will look at people who have cyber insurance to see if they are more likely to pay [the ransom],” Kahangama said.
Matt Hartman, the Cybersecurity and Infrastructure Security Agency’s (CISA) Deputy Executive Assistant Director for Cybersecurity, agreed with Kahangama and identified basic cybersecurity measures that organizations should proactively implement. He also stressed the importance of contacting CISA for assistance.
“We regularly engage with [state, local, tribal, and territorial government] partners, including [at] events specifically aimed at governors and county leaders, as well as the private sector. [We also] continue to issue cyber alerts containing technical details and mitigations,” Hartman said.
Hartman explained that fighting ransomware is a top priority for the Biden-Harris administration, and that CISA is working with federal agencies to improve collective defense, and with the private sector to ensure it has the tools needed to detect, disrupt and investigate cybercriminals.
“Our approach to cybercrime must be multi-pronged. We must pursue a comprehensive strategic approach that prioritizes close partnerships with law enforcement, both domestic and foreign, as well as the private sector,” Hartman said.
An example of this, according to Hartman, is CISA’s 2021 Cyber Awareness Campaign – known as “Reducing Ransomware Risk” – which promotes resources and best practices for mitigating ransomware risk and focuses on supporting COVID-19 response organizations, K-12 educational institutions, and state and local governments.
Kahangama also pointed to DHS’s global network of 44 Secret Service-led Cyber Fraud Task Forces (CFTFs) as another element in the fight against ransomware. The CFTFs partner with state, local, tribal, and territorial governments, foreign law enforcement agencies, the private sector, and academia to share information and conduct joint investigations.