The US government is doing a poor job of tracking ransomware, a report from a Senate committee has found.
The Senate Homeland Security and Governmental Affairs Committee has released its findings following 10 months of investigation into ransomware attacks and related cryptocurrency payments.
It said reports of previous attacks are “fragmented and incomplete”, and laid part of the blame on the fact that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) each run their own “one-stop-shop” website for ransomware reporting, leaving victims unsure which agency to report to.
The FBI’s figures, for example, were described as a “subset of a subset” of actual data, something even the Bureau agrees with, saying its data is “artificially low” due to the fact that it was shared voluntarily.
It took the committee ten months to draft the report, and in the meantime a lot has changed. In March 2022 Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, which requires covered entities to report a substantial cyber incident to CISA within 72 hours and a ransomware payment within 24 hours.
When the new law passed, CISA said it would share all of the reports it received with the FBI immediately. The committee's report, however, found that information sharing between the two agencies does not work that smoothly in practice.
"While the agencies state that they share data with each other, in discussions with committee staff, ransomware incident response firms questioned the effectiveness of such communication channels' impact on assisting victims of an attack," the report said.
FBI and CISA aside, other organizations within the U.S. government, such as the Treasury Department, the Transportation Security Administration, and the Securities and Exchange Commission, have their own reporting practices. These only add complexity to an already complex problem, as they “do not capture, categorize, or publicly share information uniformly”.