[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                    HELD FOR RANSOM: HOW RANSOMWARE
                     ENDANGERS OUR FINANCIAL SYSTEM

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON NATIONAL SECURITY,
                          ILLICIT FINANCE, AND
                  INTERNATIONAL FINANCIAL INSTITUTIONS


                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             APRIL 16, 2024

                               __________

       Printed for the use of the Committee on Financial Services     
    
                           Serial No. 118-87
                           

                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
56-438 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

               PATRICK McHENRY, North Carolina, Chairman

FRANK D. LUCAS, Oklahoma             MAXINE WATERS, California, Ranking 
PETE SESSIONS, Texas                     Member
BILL POSEY, Florida                  NYDIA M. VELAZQUEZ, New York
BLAINE LUETKEMEYER, Missouri         BRAD SHERMAN, California
BILL HUIZENGA, Michigan              GREGORY W. MEEKS, New York
ANN WAGNER, Missouri                 DAVID SCOTT, Georgia
ANDY BARR, Kentucky                  STEPHEN F. LYNCH, Massachusetts
ROGER WILLIAMS, Texas                AL GREEN, Texas
FRENCH HILL, Arkansas, Vice          EMANUEL CLEAVER, Missouri
    Chairman                         JIM A. HIMES, Connecticut
TOM EMMER, Minnesota                 BILL FOSTER, Illinois
BARRY LOUDERMILK, Georgia            JOYCE BEATTY, Ohio
ALEXANDER X. MOONEY, West Virginia   JUAN VARGAS, California
WARREN DAVIDSON, Ohio                JOSH GOTTHEIMER, New Jersey
JOHN ROSE, Tennessee                 VICENTE GONZALEZ, Texas
BRYAN STEIL, Wisconsin               SEAN CASTEN, Illinois
WILLIAM TIMMONS, South Carolina      AYANNA PRESSLEY, Massachusetts
RALPH NORMAN, South Carolina         STEVEN HORSFORD, Nevada
DAN MEUSER, Pennsylvania             RASHIDA TLAIB, Michigan
SCOTT FITZGERALD, Wisconsin          RITCHIE TORRES, New York
ANDREW GARBARINO, New York           SYLVIA GARCIA, Texas
YOUNG KIM, California                NIKEMA WILLIAMS, Georgia
BYRON DONALDS, Florida               WILEY NICKEL, North Carolina
MIKE FLOOD, Nebraska                 BRITTANY PETTERSEN, Colorado
MIKE LAWLER, New York
ZACH NUNN, Iowa
MONICA DE LA CRUZ, Texas
ERIN HOUCHIN, Indiana
ANDY OGLES, Tennessee

                     Matt Hoffmann, Staff Director
          Subcommittee on National Security, Illicit Finance, 
                and International Financial Institutions

                 BLAINE LUETKEMEYER, Missouri, Chairman

ANDY BARR, Kentucky                  JOYCE BEATTY, Ohio, Ranking Member
ROGER WILLIAMS, Texas                VICENTE GONZALEZ, Texas
BARRY LOUDERMILK, Georgia            WILEY NICKEL, North Carolina
DAN MEUSER, Pennsylvania             BRITTANY PETTERSEN, Colorado
YOUNG KIM, California, Vice          BILL FOSTER, Illinois
    Chairwoman                       JUAN VARGAS, California
ZACH NUNN, Iowa                      JOSH GOTTHEIMER, New Jersey
MONICA DE LA CRUZ, Texas
ANDY OGLES, Tennessee
                           
                           C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    April 16, 2024...............................................     1
Appendix:
    April 16, 2024...............................................    31

                               WITNESSES
                        Tuesday, April 16, 2024

Koven, Jacqueline Burns, Head of Cyber Threat Intelligence, 
  Chainalysis Inc................................................     4
Sergile, Daniel, Senior Consulting Director, Unit 42, Palo Alto 
  Networks.......................................................     6
Stifel, Megan H., Chief Strategy Officer and Executive Director, 
  Institute for Security and Technology (IST)....................     7
Walden, Kemba, President, Paladin Global Institute...............     9

                                APPENDIX

Prepared statements:
    Koven, Jacqueline Burns......................................    32
    Sergile, Daniel..............................................    42
    Stifel, Megan H..............................................    51
    Walden, Kemba................................................    62

 
                    HELD FOR RANSOM: HOW RANSOMWARE
                     ENDANGERS OUR FINANCIAL SYSTEM

                              ----------                              


                        Tuesday, April 16, 2024

             U.S. House of Representatives,
                 Subcommittee on National Security,
                               Illicit Finance, and
              International Financial Institutions,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:16 a.m., in 
room 2128, Rayburn House Office Building, Hon. Young Kim [vice 
chairwoman of the subcommittee] presiding.
    Members present: Representatives Barr, Williams of Texas, 
Loudermilk, Meuser, Kim, Nunn, De La Cruz; Beatty, Gonzalez, 
Nickel, Pettersen, Foster, Vargas, and Gottheimer.
    Ex officio present: Representative Waters.
    Mrs. Kim. [presiding]. The Subcommittee on National 
Security, Illicit Finance, and International Financial 
Institutions will come to order.
    Today's hearing is entitled, ``Held for Ransom: How 
Ransomware Endangers Our Financial System.''
    I now recognize myself for 5 minutes to give an opening 
statement.
    I would like to begin by thanking our witnesses for taking 
the time to be here today, and to thank you for your patience. 
I am delighted to sit right next to my friend and colleague, 
Representative Beatty, and additionally, I, along with my 
colleagues on both sides of the aisle, wish Chairman 
Luetkemeyer a speedy recovery.
    Today's hearing will provide policymakers with essential 
information on the anatomy of a ransomware attack. This is a 
topic we have not discussed holistically since the committee 
held a hearing on pandemic-related fraud almost 4 years ago. It 
is my hope that this hearing will provide a deeper 
understanding of the inner workings and long-term impacts of 
one of the leading cyberthreats facing our nation today.
    Cyberattacks are carried out against organizations of all 
sizes and across every sector, including, but not limited to 
financial services, gaming, healthcare, education, and State 
and local governments. We all hear about ransomware. It is a 
frequent news topic, but the scale of the issue can be lost in 
the noise. In 2023 alone, ransomware attacks hit a record high, 
with over $1 billion extorted from victim organizations.
    The United States and the world are quickly learning that no 
matter how prepared a company may be or think they may be, the 
threat actors carrying out ransomware attacks have proven that 
no organization is safe from an attempt to infiltrate their 
systems. All the cybersecurity preparedness in the world cannot 
deter an employee from inadvertently providing identification 
credentials to a cybercriminal. As such, I look forward to 
learning more about how Congress can create incentives for 
proper cyber hygiene and training.
    We are pleased to welcome this panel of highly expert 
witnesses today, who will provide insights and advice on 
ransomware attacks. Whether it pertains to cybersecurity 
resilience, incident response and data recovery efforts, 
notification processes, policy considerations, or following the 
money, these witnesses can shed a light on gaps in the efforts 
to keep America safe from cybercrime and suggest what Congress 
can do to address those gaps.
    Just over a month ago, two cities not far from my district, 
Oakley and Pleasant Hill in California, were the victims of a 
large ransomware attack, prompting the City of Oakley to 
declare a state of emergency. The technology divisions in these 
cities dropped everything to work with law enforcement to get 
incident response and recovery missions underway. Ransomware 
causes lasting, real-world impacts for many across the country, 
as seen with this case in California.
    Similarly, in February, Change Healthcare, which is one of 
the largest healthcare intermediaries between providers, 
patients, and payers, fell victim to what has been called, 
``one of the worst ransomware attacks in years.'' The severity 
of this attack has forced the healthcare industry to re-
evaluate and re-establish entire facets of its supply chain 
efficiencies, payment cycle management, and cybersecurity 
readiness.
    I think it is fair to say that the ransomware threat is not 
going away anytime soon. As artificial intelligence (AI) 
continues to grow more sophisticated, cyber criminals will 
harness these technological advancements to exploit the 
vulnerabilities of their victims. This past weekend, Iran 
attacked Israel, our greatest ally in the Middle East, with 
drones and missiles launched from Iranian soil. Since Hamas' 
barbaric attack against Israel on October 7th, the United 
States has been aware of Iran's role as a major funding source 
for the terrorist organization. Additionally, Iran has been 
facilitating aggressive cyber operations, ransomware included, 
against the United States and its allies. In February, the 
Justice Department announced that an Iranian national had been 
charged for a multiyear hacking campaign targeting U.S. defense 
contractors and private sector companies.
    It is clear that our adversaries overseas will continue to 
employ cybercrime campaigns as a means to hurt our nation. 
Congress must properly educate itself on the severity of this 
issue to better protect not only U.S. citizens and businesses, 
but U.S. national security interests as a whole.
    I am grateful that the Minority has approached this hearing 
in a bipartisan fashion. This type of collaborative effort 
between committee staff and Members on both sides of the aisle 
is exactly how we must approach a threat of this severity. We 
all must row in the same direction if we want to undercut the 
incredibly lucrative ransomware marketplace.
    With that, thank you again to our witnesses for being here 
today, and I yield back.
    The Chair now recognizes the ranking member of the 
subcommittee, the gentlewoman from Ohio, Mrs. Beatty, for 4 
minutes for an opening statement.
    Mrs. Beatty. Good morning, and thank you so much, Madam 
Chairwoman, and thank you also for your collaboration with me 
on so many financial issues, and for holding this hearing 
today. And thank you to the witnesses who are here today to 
discuss necessary solutions to ransomware attacks.
    Every year, small and medium-sized businesses, including 
financial institutions, are the victims of ransomware attacks 
in which bad actors introduce malicious software or malware 
into a victim's computer system to cut off access to critical 
data or systems until a ransom is paid. These attacks have the 
potential to bankrupt businesses, especially small businesses 
that already have fewer resources in place to protect 
themselves, and can also pose grave threats to our national 
security and the broader economy.
    Ransomware attacks, which represent approximately 10 
percent of all cyberattacks, are sharply on the rise. In fact, 
the value of the United States' ransomware incidents has 
increased nearly tenfold, from $102 million in 2018, to $1.1 
billion in 2023. Since 2020, there has been an 85-percent 
increase in the number of attacks, as well as a steady increase 
in the total ransom values received by ransomware attackers. In 
2021 alone, the FBI received 3,729 ransom complaints.
    These figures, which don't even take into account the many 
victims who failed to report their attacks, are staggering. 
Although companies have the option to purchase cybersecurity 
insurance to cover financial losses and business interruption 
costs stemming from ransomware attacks, these policies are 
becoming increasingly more expensive and harder to obtain. It 
is time that Congress is able to identify and have bipartisan 
solutions to ensure that businesses have adequate awareness and 
preparation to protect themselves and consumers.
    Committee Democrats have worked with the Biden 
Administration to put forth real solutions and have proposed 
critical legislation to strengthen cybersecurity in the 
financial services industry. I am also incredibly grateful for 
the counter-ransom efforts led by Treasury and its agencies, 
such as the Financial Crime Enforcement Network (FinCEN) and 
the Office of Foreign Assets Control (OFAC). Treasury and the 
Financial Stability Oversight Council (FSOC) have been working 
around the clock to identify and to address these attacks, 
including releasing a package of red flags that will help 
financial institutions to identify and trace payments to bad 
actors who commit these crimes.
    It is critical that we continue to empower and support 
these agencies to do what is necessary to prevent these attacks 
and to protect the United States' businesses and consumers, 
rather than undermining and attacking them at every turn. In 
addition, attacks against law enforcement agencies, like the 
FBI and IRS Criminal Investigation, hamper these agencies' 
ability to use all of their resources to protect businesses 
that are vulnerable to these attacks. And finally, we certainly 
won't remedy this issue by undercutting the very agencies at 
the center of the solutions.
    I look forward to working with my Republican colleagues to 
address this growing national security threat, and thank you 
again to our witnesses. I look forward to hearing your 
testimony. I yield back.
    Mrs. Kim. Thank you, Mrs. Beatty.
    Today, we welcome the testimonies of: Jacqueline Koven, the 
head of Cyber Threat Intelligence at Chainalysis; Daniel 
Sergile, the senior consulting director at Unit 42 by Palo Alto 
Networks; Megan Stifel, the chief strategy officer at the 
Institute for Security and Technology; and Kemba Walden, the 
president of Paladin Global Institute.
    I want to thank each of you for taking the time to be here. 
Each of you will be recognized for 5 minutes to give an oral 
presentation of your testimony, and without objection, each of 
your written statements will be made a part of the record.
    Ms. Koven, you are now recognized for 5 minutes for your 
oral remarks.

   STATEMENT OF JACQUELINE BURNS KOVEN, HEAD OF CYBER THREAT 
                 INTELLIGENCE, CHAINALYSIS INC.

    Ms. Koven. Vice Chairwoman Kim, Ranking Member Beatty, and 
distinguished members of the subcommittee, thank you for 
inviting me to testify before you today on this very important 
topic. My name is Jacqueline Burns Koven, and I am the head of 
Cyber Threat Intelligence at the blockchain data platform, 
Chainalysis. In this role, I track ransomware operators and 
their enablers on the blockchain to empower policymakers and 
U.S. Government agencies with the data they need to 
investigate, attribute, and disrupt the ransomware supply 
chain. I also coordinate global ransomware research 
partnerships and joint initiatives.
    For the past 10 years, Chainalysis compliance and 
investigative solutions have been used by law enforcement, 
regulators, financial institutions, cryptocurrency businesses, 
and cybersecurity and incident response firms to investigate 
and disrupt threat actors engaged in ransomware and other 
illicit activities. Our data, investigative support, and 
software solutions have been involved in law enforcement 
activities resulting in the seizure of over $10 billion in 
assets held by illicit actors in numerous high-profile 
cybercrime cases, including those involving some of the most 
notorious ransomware actors.
    The subcommittee's focus on ransomware is well timed as 
2023 proved to be a landmark year in terms of ransom payments. 
According to our data, ransomware gains reached an 
unprecedented milestone, surpassing $1 billion in extorted 
cryptocurrency payments from victims, the highest-ever annual 
amount observed. The upswing in total ransom payments in 2023 
can likely be attributed to a major escalation in the 
frequency, scope, and volume of attacks. The 
professionalization of the criminal ecosystem has lowered the 
barriers to entry, making it easier than ever to deploy 
ransomware, and has given way to numerous ransomware strains.
    Although cryptocurrency is the predominant form of payment 
demanded in these attacks, cyber extortion dates back before 
the introduction of cryptocurrencies. The use of 
cryptocurrencies by ransomware actors provides a unique 
opportunity for those seeking to investigate and disrupt this 
activity, but it is a common misconception that these 
cryptocurrency transactions are completely anonymous and 
untraceable. Cryptocurrency transactions are inherently public, 
and the data from those transactions is preserved on a 
transparent and mutable ledger.
    At Chainalysis, we analyze the data from blockchains to map 
out the full network underpinning these campaigns, from the 
malware operators to the affiliates to the infrastructure 
providers. Our blockchain intelligence has supported a number 
of successful government operations involving arrests, asset 
seizures, and ransomware takedowns. For example, in 2021, 
Chainalysis solutions aided the FBI investigation of the 
infamous Colonial Pipeline ransomware attack. The Department of 
Justice was able to seize $2.3 million worth of Bitcoin from 
the ransom received by DarkSide, a Russian cybercrime group.
    Most recently, Chainalysis was leveraged as part of a 
multinational law enforcement operation to disrupt LockBit, a 
Russian-based Ransomware-as-a-Service, responsible for some of 
the most brazen attacks on the U.S. financial system last year, 
including attacks on ION, ICBC, and EquiLend. In February, the 
U.S. Department of Justice and the U.K. National Crime Agency 
announced that they had successfully seized servers, 200 
cryptocurrency accounts, and public-facing websites, and 
obtained decryptor keys for LockBit victims to recover their 
data without ever paying a ransom. These stunning takedowns 
show the cost incurred by threat actors choosing to engage in 
ransomware.
    Despite a record year in payment revenues and victim 
counts, our data suggests a nearly 50-percent decrease in the 
actual payments made compared to the year prior, a finding 
corroborated by incident response firms. This suggests that 
while it has become easier than ever to launch a ransomware 
attack, it has, in some ways, become more difficult to profit.
    This trend, while encouraging, is fragile, and we must 
maintain vigilance and enforce best security practices and 
capacity building to empower government agencies and our 
allies. We need to continue to make it more difficult and risky 
for threat actors that do receive payment, and demonstrate the 
ability to impose costs no matter where these ransomware actors 
reside around the world.
    We strongly believe that blockchain intelligence solutions, 
like Chainalysis, are the key to the continued success of 
operations like these and in fighting back on this growing form 
of cyberattack. To that end, we invite Congress' continued 
engagement on this topic, as addressing this issue requires a 
whole-of-government approach in collaboration with the private 
sector. And we recommend that Congress ensure that law 
enforcement and other Federal agencies have the resources 
necessary to comprehensively combat this issue. Thank you, and 
I look forward to your questions.
    [The prepared statement of Ms. Koven can be found on page 
32 of the appendix.]
    Mrs. Kim. Thank you, Ms. Koven. Mr. Sergile, you are now 
recognized for 5 minutes to give your oral remarks.

 STATEMENT OF DANIEL SERGILE, SENIOR CONSULTING DIRECTOR, UNIT 
                     42, PALO ALTO NETWORKS

    Mr. Sergile. Vice Chairwoman Kim, Ranking Members Waters 
and Beatty, and distinguished members of the subcommittee, 
thank you for the opportunity to testify on the ransomware 
threat landscape and the critical role incident responders play 
in helping organizations recover from attacks.
    My name is Daniel Sergile, and I am a senior consulting 
director of Unit 42, which is the Threat Intelligence and 
Incident Response Division of Palo Alto Networks. Prior to this 
role, I spent 25 years as a cybersecurity practitioner, and 10 
of those years as a chief information security officer. This 
includes the financial services industry.
    For those not familiar with Palo Alto Networks, we are an 
American-headquartered company founded in 2005, and have since 
become the cybersecurity leader. We support the U.S. Federal 
Government, critical infrastructure operators, 8 of the 10 
largest U.S. banks, and a wide range of State and local 
partners. This means that we have deep and broad visibility 
into the cybersecurity threat landscape. We are committed to 
being good cyber citizens and national security partners with 
the Federal Government.
    The current cyberthreat landscape demands that we all work 
together. The scourge of ransomware has taken cybersecurity 
from what was seen as an IT issue to something with day-to-day 
relevance for many Americans that presents reputational, 
operational, and financial risk for organizations of all sizes.
    My written testimony includes some concerning numbers and 
trends. We are seeing the ransomware threat grow, and attackers 
using sophisticated methods to extort money, including 
increased harassment activity and multi-extortion techniques. 
AI will further amplify the scale and speed of attacks and 
enable them to more quickly identify an organization's critical 
assets for exfiltration and extortion.
    An unfortunate reality of today's connected world is that 
many organizations lack the comprehensive visibility across 
their digital infrastructure. This includes computers, servers, 
mobile devices, and applications that are exposed to the 
internet. Simply put, our global attack surface looks porous 
and far too inviting to adversaries. This concern is often 
compounded by legacy IT, which has been problematic in the 
financial services sector. This underscores the need for robust 
cyber defenses.
    Palo Alto Networks recommends that organizations focus on 
the following actions to increase their resilience to 
ransomware and other attacks: one, maintain and test an 
incident response plan to prepare for and respond to cyber 
incidents, including ransomware tactics like extortion and 
harassment; two, ensure complete visibility of attack surfaces 
to help identify and mitigate vulnerabilities before they can 
be exploited; three, leverage the power of AI and automation to 
modernize cybersecurity operations and reduce the burden on 
overworked analysts--for too long, cyber defenders have been 
inundated with alerts to triage manually, and AI can help flip 
that paradigm; four, implement a Zero Trust network 
architecture to prevent or limit an attacker from moving 
laterally across the network; and five, protect cloud 
infrastructure and applications. As cloud adoption accelerates, 
cloud security cannot be an afterthought. In a world where 
ransomware attacks impact our daily lives, including 
disruptions to banking, healthcare, and hospitality, 
prioritizing these five recommendations will make a real 
difference.
    My team at Palo Alto Networks specializes in helping 
organizations to respond and recover during their time of need. 
Our mission goes beyond just recovery. We aim to elevate the 
cybersecurity posture so they come out stronger than they were 
before. This is what makes this work so fulfilling for me 
personally. The spirit of partnership, the notion that we are 
all in this together, must remain in our collective DNA. As a 
company, we are proud to participate in a number of forums, 
like the Cybersecurity and Infrastructure Security Agency's 
(CISA's) Joint Cyber Defense Collaborative (JCDC), the 
Ransomware Task Force, and the Financial Services Information 
Sharing and Analysis Center (FS-ISAC), to share our situational 
awareness and understanding of the cyberthreat landscape with 
key partners.
    Thank you for the opportunity to testify, and I look 
forward to your questions.
    [The prepared statement of Mr. Sergile can be found on page 
42 of the appendix.]
    Mrs. Kim. Thank you, Mr. Sergile. Ms. Stifel, you are now 
recognized for 5 minutes for your oral statement.

   STATEMENT OF MEGAN H. STIFEL, CHIEF STRATEGY OFFICER AND 
EXECUTIVE DIRECTOR, INSTITUTE FOR SECURITY AND TECHNOLOGY (IST)

    Ms. Stifel. Vice Chairwoman Kim, Ranking Member Beatty, and 
distinguished members of the subcommittee, thank you for the 
opportunity to appear today to address how ransomware is 
impacting our financial system. My name is Megan Stifel, and I 
serve as the chief strategy officer at the Institute for 
Security and Technology (IST), a nonprofit organization 
dedicated to outpacing emerging security risks by bridging the 
gaps between technologists and policymakers. I began working in 
nonprofits when I left government service almost 10 years ago, 
and I began my career in national security in 1999 when I 
joined the staff of the then-House Permanent Select Committee 
on Intelligence. My commitment to our nation's national 
security has remained my highest professional priority, and I 
am grateful to continue to support it in my role at IST.
    IST convened the Ransomware Task Force in 2020 in response 
to the growing threat posed by escalating attacks on our 
critical infrastructure. The Ransomware Task Force includes 
participants from industry, academia, civil society, and 
governments, including the United States, the U.K., and Canada, 
as well as multilateral organizations such as Europol. In 
total, 60-plus organizations have participated in the task 
force, including organizations represented by my fellow 
witnesses.
    In a span of 4 months in early 2021, this coalition of 
stakeholders examined measures to help better deter, disrupt, 
prepare, and respond to ransomware. Three years ago this month, 
we published a report outlining key actions the task force 
identified, including a total of 48 recommendations, 12 of 
which related to financial services. Importantly, we called for 
closer regulation of the cryptocurrency sector due to its role 
in ransomware payments and resourcing, including through 
compliance with existing tools designed to reduce illicit 
payments, such as Know Your Customer/Anti-Money Laundering 
(KYC/AML), and Combating the Financing of Terrorism (CFT) rules 
and regulations.
    Ransomware attacks affect the financial services sector as 
they affect all of our critical infrastructure sectors, 
disrupting the provision of essential services and costing the 
industry millions. Ransomware and the financial services sector 
have a further relationship because cryptocurrency is the 
lifeblood of this criminal industry at this time. It enables 
attackers to get paid and move money around to their various 
partners and affiliates.
    Just days after we published our 2021 report, several high-
profile ransomware attacks occurred, leading to the disruption 
of fuel and meat distribution as well as the delivery of 
healthcare. While these were not the first attacks to target 
critical infrastructure, they formed a pivotal moment.
    Following these incidents, Congress and the Biden 
Administration, in a bipartisan manner, recognized that 
ransomware posed an increasing national security threat, and 
they responded. We established incident response and recovery 
reporting requirements, a cyber emergency response authorities 
provision, and State and local grant programs, and the 
Administration began leveraging sanctions together with law 
enforcement disruptions to combat the ransomware as a service 
business model.
    Much progress has been made, and much of it aligns with the 
task force's recommendations, and yet much work remains. Next 
week, we will publish our latest public progress report. 
Without creating too much of a spoiler, I can share that we 
have not seen further progress in 24 of the 48 recommendations. 
With respect to those 12 recommendations related to financial 
services recommendations, we assess that only 4 have seen 
significant progress.
    Unfortunately, the stakes keep getting higher. Today, as my 
fellow witnesses have identified, organizations can regularly 
confront not just encryption of their data, but also threats to 
release organizational and customer-sensitive data. This risks 
privacy and intellectual property, together with increasing 
physical threats to their employees and their families. As a 
result, there remains an ongoing urgent need for concerted 
action by Congress, the Administration, the American people, 
and our partners and allies in order to defeat ransomware.
    Cognizant of this urgency, I will focus on three ways to 
reduce the risk and impacts of ransomware to the financial 
services sector. First, financial sector resilience is 
essential to maintaining our role as the world's financial 
leader. Congress and the Administration should continue to 
explore how to better incentivize organizations across the 
ecosystem to develop and maintain their networks and products 
in the most secure and resilient manner possible.
    Second, in a corollary to resilience, we must ensure that 
government entities that underpin our role as the world's 
financial hub have adequate resources to investigate abuse of 
our services. In short, until we have a Secure by Design 
ecosystem in order to defeat ransomware, we must be able to 
follow the money. Timely and relevant information is essential 
to doing so, but in our experience, U.S. Government departments 
and agencies lack sufficient resources to adequately leverage 
this visibility to its fullest extent.
    This challenge is even further exacerbated outside the 
United States, where countries that harbor ransomware actors or 
are otherwise members of the Financial Action Task Force (FATF) 
have insufficient resources to fully fulfill their obligations. 
The United States can partner to close these gaps by helping 
bridge and scale legal and investigative capacity at home and 
abroad.
    Finally, the financial services sector has tremendous reach 
and can play an even greater role in helping raise our 
collective defenses. Congress and the Administration should 
explore avenues for the government and the financial services 
sector to partner to further drive adoption of known 
cybersecurity best practices.
    Thank you, and I look forward to your questions.
    [The prepared statement of Ms. Stifel can be found on page 
51 of the appendix.]
    Mrs. Kim. Thank you, Ms. Stifel. Ms. Walden, you are now 
recognized for your oral statement.

 STATEMENT OF KEMBA WALDEN, PRESIDENT, PALADIN GLOBAL INSTITUTE

    Ms. Walden. Good morning, Vice Chairwoman Kim, Ranking 
Member Beatty, and members of the subcommittee. Thank you for 
the opportunity to discuss ransomware attacks and to illustrate 
why improved governance, better resilience, meaningful 
information sharing, and public-private partnerships are 
critical to combating ransomware.
    My name is Kemba Walden, and I am the president of Paladin 
Global Institute, a think tank committed to ensuring that 
secure critical infrastructure and the safety of people online 
remain core to sustainable technological innovation. I am also 
a co-Chair of the Ransomware Task Force, which brings together 
experts across industries to combat ransomware. Prior to 
Paladin, I served as both the acting National Cyber Director 
and the Principal Deputy National Cyber Director. And before 
that, I stood up Microsoft's Counter Ransomware Office in the 
Digital Crimes Unit.
    Since my prior work at Microsoft and the stand-up of the 
Ransomware Task Force, we have seen new trends in ransomware 
attacks that highlight the importance of not only improved 
techniques for disruption, but also resilience and deterrence. 
Ransomware criminal syndicates will involve affiliates that 
specialize in obtaining access to an organization, 
reconnaissance of an organization's systems, identifying and 
stealing data, and developing malware that will do a variety of 
bad things to an organization's business systems, including 
locking them up. Victims of an attack will suffer extortion 
either to prevent its data from being exposed to the public or 
to unlock critical business systems. Victims may experience 
both types of extortion or just one.
    The cost of entering this crime is far too low and the 
profits are still too high. As these attacks have evolved to 
more sophisticated enterprise-like operations involving 
multiple players, countering these efforts requires a 
multistakeholder approach. My testimony will offer a few 
thoughts on raising the cost of entry into this crime, on the 
one hand, and lowering the profitability of this crime, on the 
other.
    Since the 2021 Colonial Pipeline attack, the private and 
public sectors raised the cost of committing this crime, but 
the barrier to entry still remains too low. Working with 
private sector law enforcement around the world, we were able 
to disrupt notorious ransomware groups like ALPHV, LockBit, and 
Scattered Spider, to name a few. These public-private takedowns 
raise the cost, but to move the needle even further, the public 
and private sectors must double down on infrastructure and 
supply chain disruption and make equal effort on improving 
organizational resilience.
    There are three opportunities for disruption: first, 
disrupt the ability of criminal syndicates and affiliates to do 
business with each other; second, disrupt the infrastructure by 
targeting the criminal actor's ability to communicate with the 
victim or publicly disclose stolen data; and third, disrupt the 
payment distribution system by targeting intermediaries that 
support the vulnerable elements of the system.
    On lowering profits, ransomware attackers will want to cash 
out. The most vulnerable point in the payment system is where 
attackers must convert cryptocurrency into fiat or victims must 
convert fiat into cryptocurrency. These transactions take place 
quickly, and, in my experience, quick collaboration between 
money services businesses and law enforcement entities is key 
to exploiting the vulnerabilities caused by this conversion 
process.
    Now, although disruption is important, improving 
organizational awareness and resilience is equally as 
important. Cyber criminals who install ransomware use tried-
and-true methods for access, methods that we know how to defend 
against. Encouraging organizations to prepare for the worst and 
improve their resilience will minimize downtime after an attack 
and make it easier for victims to recover from an attack 
without paying a ransom.
    Some technology companies recommend several basic steps to 
identify and close off vulnerable entry points to not only make 
it more difficult for an attacker to get into an organization's 
system, but to also improve organizational resilience such that 
if attacked, recovery is swift and downtime is minimal.
    These companies are also developing comprehensive solutions 
to combat ransomware attacks to cover every phase of the life 
cycle. These solutions range from attack prevention to malware 
detection to incident response and remediation.
    I am pleased to see that the U.S. Government, the security 
community, State and local governments, and the international 
community are coming together for a coordinated response to 
ransomware. Much work needs to be done, but I am optimistic 
that we have the leadership and the ability to accomplish our 
goals.
    In conclusion, the Ransomware Task Force published a set of 
thoughtful and measured policy and operational recommendations, 
including several that require legislative action, and 
approximately half have been implemented. I encourage all 
stakeholders involved to act where they can to reduce the 
incidence of ransomware attacks.
    [The prepared statement of Ms. Walden can be found on page 
62 of the appendix.]
    Mrs. Kim. Thank you to all of our witnesses for your 
opening statements. We will now turn to Member questions, and I 
recognize myself for 5 minutes.
    My first question is for Ms. Koven. Although ransomware 
attacks have existed for decades, they are now sometimes 
carried out using digital assets, so I want to ask for your 
perspective on the role that digital assets play in ransomware 
attacks, and how can law enforcement and Congress work to 
combat ransomware?
    Ms. Koven. Thank you for your question. Yes. Cryptocurrency 
is a liquid, instantaneous form of transport border payments, 
which has made it attractive to institutions and individuals 
for legitimate purposes. As with any new technology, there are 
always going to be bad actors looking to exploit it and use it 
for malicious purposes.
    As you mentioned, ransomware existed prior to the existence 
of cryptocurrency, and so did the threat actors involved in 
ransomware today. They were previously involved in banking 
malware and trojans harvesting financial credentials and 
accounts, but in dealing with cryptocurrency, they have 
incurred additional risk because of its traceability. We are no 
longer seeing ransom notes with cryptocurrency address 
plastered on the front because that is an Achilles heel to 
these operations, and we have so many examples of law 
enforcement using this cryptocurrency address against them 
because from----
    Mrs. Kim. Can you talk about and describe the level of 
coordination required to respond to the ransomware attacks? Can 
you talk about the coordination?
    Ms. Koven. Yes. From reported incidents involving 
cryptocurrency addresses, law enforcement is able to understand 
the entire ransomware supply chain. We can understand the 
malware used sometimes to access and even where they launder 
their funds. It is an incredible lead to understanding these 
networks better and being able to disrupt not only where they 
cash out, but the other entities involved in the supply chain.
    Mrs. Kim. Thank you. Ms. Stifel, where do you see 
ransomware trending as AI and other emerging technologies 
become even more sophisticated than they are now, and how will 
these advancements be exploited by threat actors, and how can 
law enforcement leverage the same technologies to stop these 
actors?
    Ms. Koven. Thank you for the question, Vice Chairwoman. In 
terms of where we see the direction of ransomware progressing, 
we at this time see that AI is having a limited impact, largely 
used to scale up the ability to undertake phishing. We do have 
tremendous concern about the future of AI and the direction 
that it is allowing criminal actors to potentially take, 
including making more sophisticated deepfakes and the like that 
ultimately form the first step in the chain of ransomware 
attacks.
    On the flip side, however, we also know that AI can be 
leveraged by some of the companies represented here and other 
members of the task force to boost cybersecurity defenses. That 
applies both to incident response and digital forensics in 
firms as well as within networks by allowing organizations to 
better maintain their IT networks to identify when patches are 
disseminated, to allow them to install the most essential 
patches first.
    But we also need to be quite vigilant as to the direction 
and shape of AI overall, and I think it is important that we 
think about the overall governance of AI and the need for 
organizations leveraging these capabilities to consider both 
the positive impacts that can have on society as well as the 
detrimental impacts. Ultimately, we seek to see a more 
sustainable digital future, and that is one that requires a 
risk-based approach.
    Mrs. Kim. Thank you. Mr. Sergile, the National 
Cybersecurity Alliance has said that when dealing with 
cybercrime, an ounce of prevention is worth a pound of cure. As 
policymakers, what should we do to highlight the need for 
adequate cybercrime prevention frameworks and education?
    Mr. Sergile. I actually use that statement with most of my 
customers, and it is more about the preventative side of 
things, right, the bolstering, the shoring up of basics of a 
cybersecurity program. Part of the issue that we see within 
most organizations is that as quickly as businesses are moving, 
and as quickly as it is moving, some of the cyber hygiene or 
basics of that are not there. I am more of a practitioner and 
more of a technologist, so I will talk about the implications 
of just basic hygiene rather than policy.
    If you want to have a discussion about policy, we have 
folks who can talk about policy as a whole. What I will say is 
that because of new technologies and how quickly we are 
implementing them across-the-board, and in a lot of 
organizations or attack surfaces, so forth, and then not 
knowing about it, I think concentrating on the foundational 
aspects of----
    Mrs. Kim. Thank you, Mr. Sergile. I hate to cut you off 
there, but you can please present your longer response in 
writing, if you like, because my time is up. Thank you so much.
    I now recognize the distinguished ranking member of the 
subcommittee, Mrs. Beatty, for 5 minutes.
    Mrs. Beatty. Thank you, Madam Chairwoman. And again, to all 
of our witnesses, thank you for your detailed information and 
certainly your experiences in figuring out how to tackle this 
issue.
    Let me start with you, Ms. Walden. We certainly are all 
well aware of the recent ransomware attacks on large companies 
and can name them. It could be Johnson Control, or MGM Resorts, 
or art or health services, and the list goes on, but because of 
that, there seems to be some common misconception that 
cyberthreat actors who commit ransomware attacks are more 
likely to target large companies and not small companies. Can 
you address this, and should small businesses be concerned 
about ransomware attacks? Please give us your opinion on that.
    Ms. Walden. Thank you, Congresswoman Beatty. Yes, small and 
medium-sized businesses should be concerned about ransomware 
attacks. These criminal gangs are using opportunity. They are 
really just looking to make a buck, and the best way to do that 
is to go for under-resourced communities, so that is why you 
see ransomware attacks increasingly on schools, on hospitals, 
and on public safety. These are opportunities for ransomware 
criminals to make a buck. So, helping small and medium-sized 
businesses remain vigilant and resilient and aware and 
proactive, I think is key to getting after the problem.
    Mrs. Beatty. Ms. Stifel, I see you nodding at that. Would 
you like to add anything? Well, maybe I can just go down the 
row, because now I see Mr. Sergile. Quickly, is there any way 
they may be impacted differently than the larger firms, that 
you want to add to that?
    Ms. Stifel. Thank you, Congresswoman Beatty. I would just 
echo Ms. Walden's remarks that it is, unfortunately, often 
those who are cyber poor who are targeted for these types of 
incidents, which oftentimes can drive these organizations out 
of business, and with small businesses being the lifeblood of 
the American economy, they do need additional support. Now, 
there are some early term funds available through the 
Department of Homeland Security and a grant program that was 
established in late 2021. I would encourage Congress to further 
support that grant program and explore other avenues to 
approach this community, which is essential to our----
    Mrs. Beatty. Thank you. Mr. Sergile, because you also said 
we should work together in bipartisan----
    Mr. Sergile. No, absolutely. In my past, I was the CFO for 
a regional bank, and I had to make the same choices that you 
are talking about. Do I go and invest my funding into providing 
for my customers? Do I secure? And that is kind of the crux of 
the issue for a lot of organizations because they have to make 
those hard decisions. And in that case, it very much goes to 
exactly what I was talking about earlier about that 
foundational, that cyber hygiene, making sure that you have the 
core basics of a security program. There is a reason why we 
call it concentric rings of protection or defense in depth.
    A lot of organizations don't have that, they don't have the 
funding for technology, so, in essence, what they end up doing 
is implementing. For me, it was everything from Federal 
Financial Institutions Examination Council (FFIEC) regulations, 
and dealing with the Office of the Comptroller of the Currency 
(OCC), and basically taking the audit-based approach, where you 
see that they got audited and what they spent on that audit.
    Mrs. Beatty. I hate to cut you off, but my time is running 
out and I want to get to one more question, and it was kind of 
triggered because Madam Chairperson asked us what could we do 
differently or more through education, so let me ask it in this 
same way. What can we do in Congress, specifically under the 
jurisdiction of this Financial Services Committee, to address 
this growing problem? We will start with you, Ms. Walden.
    Ms. Walden. For this committee under this jurisdiction, I 
think perhaps tax credits incentivizing smaller regional 
entities under this jurisdiction to adopt cybersecurity 
practices, to be able to integrate certain tools that are 
necessary to maybe do an improved training and awareness 
adopting cyber response plan, grants, as my colleague Ms. 
Stifel mentioned, grants that is attached to funding is also----
    Mrs. Beatty. Let me ask you this, because I have about 30 
seconds left. Are there any legislative measures that we have 
on the table now or anything that we should bring up? And I am 
asking that, Madam Chairwoman, because we are in such a good 
role today, that we have witnesses who are nodding their heads. 
And maybe that is because Madam Chairwoman and I are co-
chairing this, and we want to end on a good note. My time is 
up, but I just, again, want to say thank you. Please submit the 
answer in writing, because this is a historic moment for us 
when we are doing all this state-of-the-art, that we can make a 
difference in, say, small and large businesses. Thank you.
    Mrs. Kim. Thank you. The Chair now recognizes the gentleman 
from Kentucky, Mr. Barr, for 5 minutes.
    Mr. Barr. Thank you, Madam Chairwoman. Mr. Sergile, there 
is a shortage of cybersecurity professionals in the financial 
services sector where they are desperately needed for reasons 
being discussed today. We need more people like you in our 
country. According to the Carnegie Endowment for International 
Peace, the scarcity in cybersecurity talent in banking is one 
of the six priorities for protecting financial systems against 
cyberthreats. The cybersecurity workforce is obviously 
paramount to the safety and soundness of the U.S. economy, and, 
ultimately, our national security, and any shortages need to be 
addressed. Do you agree that the cybersecurity financial 
services workforce supply levels are a problem, and what do we 
need to do to fix it?
    Mr. Sergile. I completely agree with you, and that is not 
only within financial services, but cybersecurity in general, 
but on the financial services side, I think continued 
partnership and education programs, such as the ones that we 
have at Palo Alto Networks--we have a Unit 42 Academy where we 
are able to train people to help fill those positions as well 
as our engineering academy. Kemba has done a wonderful job with 
her time at the White House with the cyber workforce that we 
helped to sponsor as well.
    I think a lot of this deals with, if we look at the 
earliest times that people can get excited about cybersecurity 
or excited about IT, it is going to be that K-12 period, and 
the continued support of Science, Technology, Engineering, and 
Mathematics (STEM) programs throughout the United States 
educational system will help with that as well.
    Mr. Barr. Thank you. Ms. Stifel, the Ransomware Task Force 
has done a comprehensive analysis of cyber insurance and 
ransomware. What do you believe are the biggest challenges 
facing the insurance industry when it comes to ransomware 
coverage?
    Ms. Stifel. Thank you for the question, Congressman. With 
regard to the biggest challenge facing the insurance sector in 
cybersecurity at this point in time, our information is that 
only a very small percentage of the marketplace actually has 
cyber insurance, which means that many of these organizations 
are not reached by the requirements to achieve in order to 
achieve insurance, meaning that we are, more broadly, very 
vulnerable across the ecosystem. The insurance industry can be 
a partner in raising national cybersecurity resilience. But 
unfortunately, many organizations aren't able to achieve, as I 
mentioned, insurance. So there are, I think, opportunities for 
the insurance sector to partner with a range of organizations 
to raise this level of cybersecurity in order to----
    Mr. Barr. Is that an issue of underwriting challenges? Are 
there actuarial difficulties in that, or is it an affordability 
question for small or medium-sized enterprises?
    Ms. Stifel. Congressman, I am not an insurance expert, but 
I would say it is a combination of the above. Unfortunately, 
our responses to manage ransomware and a range of cybersecurity 
risks are undercapitalized because we don't have sufficient 
information. So when you speak about actuarial tables, we don't 
have great data to back up some of the investments that need to 
be made in order to shore up our cybersecurity. Insurers can 
play an important role in that space.
    But also, I would recognize that it is on a State-by-State 
basis, where we need to then leverage all of this information 
across the ecosystem, both in the United States and with our 
partners and allies, to get the data that can drive adoption of 
better cybersecurity best practices and also inform policy 
decisions, including the ability to undertake disruptive 
efforts and resource.
    Mr. Barr. Obviously, for small businesses with modest cash 
on hand, affordability is a big problem here because they need 
that cash week to week to keep their businesses alive. And if 
they were ransomed, failure to pay could be an existential 
issue for those small and medium-sized enterprises, so 
protecting American businesses is really important, and that is 
why we need to make insurance available and affordable. But at 
the same time, I am curious if any of the witnesses have 
thought about whether or not ransomware attackers take 
advantage of the fact that their victims actually have 
insurance coverage, and that is the flip side of that problem. 
Any thoughts on the attractiveness of a target based on 
coverage?
    Ms. Koven. Thank you for your question. In our opinion, we 
actually see insurance as a driver of best practices in terms 
of security defenses, a plan if and when attack. We actually 
attribute our decline in ransom payments in 2022 to more 
stringent insurance policies after a high year in 2021. The 
Royal United Services Institute (RUSI), a U.K. think tank, has 
also attributed insurance as a vehicle for supporting these 
best practices.
    Mr. Barr. I think insurance coverage is better than not 
having insurance coverage, but we need to think through these 
problems, these questions, and obviously, a more robust 
insurance marketplace to protect our country is important. With 
that, I yield back.
    Mrs. Kim. Thank you. I now recognize the ranking member of 
the full Financial Services Committee, the gentlelady from 
California, Ms. Waters.
    Ms. Waters. Thank you, Madam Chairwoman. Before I begin my 
questions, I would like to take a moment of personal privilege 
to recognize one of our witnesses here today, Ms. Kemba Eneas 
Walden, who is one of America's foremost experts on 
cybersecurity and, particularly, this issue of ransomware. She 
also happens to be someone I have known for decades, from back 
when she was a child living with her family in the Bahamas. Her 
father, Dr. Judson Frazier Eneas, served as the American 
ambassador when my husband, Sidney Williams, was the United 
States Ambassador to that nation. In the decades since then, I 
have continued my close relationship with the Eneas family, 
including Marcheta, Kemba's mother, and it is why I am 
personally very pleased to see Ms. Walden on the panel today, 
and I extend my welcome to her, and thank you, Madam 
Chairwoman, for allowing me the time. And with that, I will go 
right to a question that I have for Ms. Walden.
    Ms. Walden, I would like to discuss the ransom payments 
that public and private sector victims make to ransomware 
threat actors. It has been said that there is one reliable way 
to end ransomware altogether, and that is to starve the 
criminals of their proceeds. This is why some cybersecurity and 
national security experts have recommended that Congress ban 
ransom payments altogether, perhaps with limited exceptions for 
situations that have national security implications. Others, 
though, have pointed out that to do so would mean risking not 
only those affected by the failure to bring their business 
operations back online, but that it would call the attacks to 
focus on critical infrastructure, meaning those organizations 
that we can least afford to lose, like 9-1-1 systems, schools, 
power plants, and banks. Could you please discuss the benefits 
and detriments of banning ransomware payments, and, in your 
opinion, how should this issue be handled?
    Ms. Walden. Thank you so much, and it is lovely to see you, 
Ranking Member Waters. To answer your question, I am a part of 
the Ransomware Task Force, and we recently issued an open 
letter explaining the pathway to a ransomware ban for payments. 
As I explained earlier, the profits are still too high and the 
costs are still too low, so we need to shift that balance, and 
there are a number of policy options that we can take in order 
to get to the point where profitability is no longer a 
motivator for ransomware actors.
    I know this: If we banned ransomware payments today, we 
could bankrupt the very small and medium-sized businesses upon 
which the American economy relies. Think rural hospitals that 
serve four or five municipalities. Those can go bankrupt. What 
we need to do is prepare for the worst, prepare those 
organizations to be more resilient against a ransomware attack, 
because a ban on payments is not going to stop the attacks from 
happening, but it will starve those businesses. So in that 
vein, do what we can to make sure that those critical 
infrastructure entities are prepared to be able to bounce back.
    Ransomware actors will exploit the downtime that it takes 
for a company or an entity to come back online and cause more 
pressure about paying, right? And the MGMs of the world can 
withstand the downtime and not pay, but your small local 
hospital or your local school system may have a bit more 
difficult time. So, we need to focus on resilience in order to 
be able to achieve the ransomware payment ban that we do need 
to have.
    Ms. Waters. Thank you. Have you seen or heard about 
ransomware when our national security was at stake? What was 
that like?
    Ms. Walden. It is never fun. But here is the good news. 
President Biden, at the beginning of his Administration, 
declared ransomware a national security concern, which 
galvanized the global security community around getting after 
the problem. We have ransomware actors that are protected in 
safe havens around the world. The four countries of concern 
that come to mind immediately are Russia, China, North Korea, 
and Iran. And we need to be able to work together in order to 
make sure that these ransomware criminal gangs are not 
operating with impunity and doing the country of concern's 
bidding for them, but it does take a global effort. It is not 
fun to withstand ransomware attacks.
    Ms. Waters. So, there are some instances where we must do 
what we must do in order to protect the national security, and 
we must recognize that when we talk about, should we or should 
we not pay up. Thank you very much for being here today.
    Ms. Walden. Thank you.
    Ms. Waters. And I yield back the balance of my time.
    Mrs. Kim. Thank you, Ms. Waters. I now recognize the 
gentleman from Georgia, Mr. Loudermilk, for 5 minutes.
    Mr. Loudermilk. Thank you, Madam Chairwoman, and thanks to 
all of our witnesses for being here and testifying today.
    Three years ago this month, the ransomware gang gained 
access to an unused VPN account belonging to the Colonial 
Pipeline Company operated out of Alpharetta, Georgia. Using 
this account, they were able to exploit the company's trust in 
that account, exfiltrate and encrypt data, and ransom it back 
to the company for millions of dollars. Luckily, the company 
was able to cut off the hackers' access to downstream systems to 
protect the pipeline infrastructure, but doing so caused a 
major disruption to the flow of oil in the Eastern United 
States. While security professionals and law enforcement are 
still analyzing the attack, the chain of events highlighted a 
cross-sectoral cybersecurity vulnerability, which is trust.
    Ms. Stifel, the same year that the high-profile Colonial 
Pipeline attack happened, the Financial Crimes Enforcement 
Network (FinCEN) received a number of ransomware-related Bank 
Secrecy Act (BSA) filings worth approximately $1.2 billion. 
This was a 188-percent increase over the previous year's 
total. While the latest data isn't available yet, I am 
concerned by the trend apparent in the data that we have. Ms. 
Stifel, are you aware of this trend more broadly, and do you 
think it is driven by a real increase in the number of 
ransomware attacks or is it improved reporting or both?
    Ms. Stifel. Thank you for the question, Congressman. I do 
think it is a combination of the above. As I was saying in my 
remarks, we need information to drive our ability to disrupt 
this business model, so it is critical that organizations that 
are victims of ransomware incidents report that information. It 
is also critical that those who have visibility on ransomware 
payments, which is not only limited to those who have to file 
under the Bank Secrecy Act, share information and have 
protections to share information so that we can bring all of 
the capabilities that we have in both the public and private 
sectors to this question.
    I also think that as we have seen with extortionate moves 
to leverage reporting requirements, some threat actors are 
perhaps encouraging organizations to ensure that they do 
report. We have seen some tactics of that nature. So, I think 
that it is also the case that more organizations are coming 
forward to report those incidents out of fear that their data 
may become available on a leak site and they will not get ahead 
of the message. But again, I think this comes back to the 
question of resourcing and the ability for departments and 
agencies who receive this information to leverage that 
information to the fullest extent, including by partnering with 
the private sector to undertake disruption.
    Mr. Loudermilk. Great. Thank you very much. Mr. Sergile, to 
address trust as a vulnerability, many companies have pivoted 
or are pivoting to Zero Trust architectures. At a high level, 
could you explain how this actually works?
    Mr. Sergile. Absolutely. And first and foremost, Mr. 
Loudermilk, growing up in Roswell and as a current resident, 
thank you.
    Mr. Loudermilk. Okay. Thank you.
    Mr. Sergile. If we take a look at cybersecurity, we started 
off with trust but verify, and then within the financial 
institutions, you have this wonderful concept of four eyes 
principle when you are looking at certain things. Your trust, 
in this essence, is you don't trust anybody or anything that is 
on your network, and you need to verify everything that has 
access into your network. What that allows you to do is, 
basically, work together across the totality of your 
infrastructure, so your identity, your device, your network, 
your internet being able to pull those all together to verify 
along the way that you are supposed to be you are who you are 
on what you are supposed to be to get to what you need. That is 
the short answer.
    Mr. Loudermilk. Okay. After spending 30 years in the IT 
sector, one of the rules that we live by was not if you were 
going to be hacked, but when you were going to be hacked, and 
to build a secure network based on your risk. I remember I 
worked for Honeywell Federal Systems, and they built a network 
that was totally secure, but it was so slow that no one could 
use it. Considering the risk factor, though, do you think that 
financial services firms are more susceptible to a breach than 
non-financial service firms?
    Mr. Sergile. At the end of the day, it really comes down to 
what the threat actor is looking for, and nation-states 
typically are looking for an advantage or a way that they can 
leverage something from you. Those that are looking for 
financial gain will go after where the money is, and in this 
case, it is going to be a financial services firm. Across-the-
board, there are certain things that I see, and I have the 
dubious honor or the dubious distinction of having been on the 
largest breaches in the last 18 months. What I can say across-
the-board in what I have seen with breaches is four core 
principles. One is lack of segmentation, so it is wide open for 
threat actors to come across, and a few other factors.
    Mr. Loudermilk. Okay. Thank you.
    Mr. Sergile. You bet.
    Mrs. Kim. Thank you. I now recognize the gentleman from 
North Carolina, Mr. Nickel, for 5 minutes.
    Mr. Nickel. Thank you so much. And thank you to our 
witnesses for being here.
    Small and medium-sized businesses, including financial 
institutions, fall prey to ransomware attacks yearly. These 
attacks can drive companies into bankruptcy and threaten our 
national security. We need to find bipartisan solutions that 
equip businesses with the tools and knowledge to safeguard 
themselves and their customers. It is a common misconception 
that when cryptocurrency is used as a ransomware payment, these 
transactions are completely anonymous and untraceable. However, 
the transparency of the blockchain is actually used to 
investigate and disrupt ransomware attacks.
    My first question is for you, Ms. Koven. Can you explain 
how that works?
    Ms. Koven. Yes. Thank you for your question. Sometimes, 
investigators will use analysis proprietary data but also the 
reporting mechanism of these victims and may have to encourage 
these victims to report as quickly as possible because 
laundering the cryptocurrency can take anywhere from minutes to 
hours. And basically, law enforcement can trace these funds to 
cryptocurrency exchanges where they will have KYC information 
able to identify and disrupt, but really, speed and training 
and resourcing is really necessary to equip law enforcement 
entities around the United States and around the world to be 
able to react quickly.
    Mr. Nickel. Thank you so much. My next set of questions is 
to you, Ms. Walden. Many organizations still have a long way to 
go to better protect their businesses from ransomware and other 
cyberattacks. Based on your experience, what are the key 
components of a cybersecurity program a company should 
incorporate into that framework?
    Ms. Walden. Thank you for your question. Yes, a lot of 
companies, a lot of entities, State and local governments, all 
of it, need to do more in order to protect themselves and 
prevent ransomware and criminal actors from getting into their 
systems in the first place, so I have some very basic tried-
and-true methods.
    One is to know your assets, to know your network, to 
understand where your crown jewels are, and to protect them 
well, using those Zero Trust principles. Another is to deploy 
multi-factor authentication. It is still a thing that we need 
to be able to identify how to do that. The third I would say 
would be to patch, patch, and patch again. It turns out that 
there are a handful, maybe a few dozen vulnerabilities that 
exist where there is a patch that exists, that still are 
vulnerabilities and that remain unpatched. CISA's Known 
Exploited Vulnerabilities Catalog is a great place to start. 
Training and education and good governance would be my fourth.
    So, an entire enterprise needs to be trained at some level, 
some more than others, and CISA needs to know what CISA needs 
to know, but the line worker needs to understand a bit of 
security as well. The entire enterprise has to be well-informed 
about security practices and when to help incident responders. 
Those incident responders will need to know who is in charge to 
make decisions, so you need to have a plan, and to practice 
that plan on a regular basis. And then my final thing, I 
promise, would be that ransomware actors are now not just 
locking up critical business systems and stealing data, but 
they are locking up backups. And we have been telling 
enterprises appropriately to back systems up, but now, we have 
to be very specific that those backups should be offline and 
off-premises.
    Mr. Nickel. Thanks. Ms. Walden, ransomware payments in 2023 
surpassed the million-dollar mark--we have heard that already--
increasing nearly tenfold from $102 million in 2018. Why do you 
see that happening?
    Ms. Walden. I think there are a number of reasons. One, 
ransomware criminals operate with impunity, and without much 
consequence in certain countries of concern that I mentioned 
earlier: Russia, China, North Korea, and Iran. The other is 
that the demands are actually higher, so the number of payments 
are reduced, but the dollar value is higher. We will see 
ransomware actors going after the most-willing participants to 
pay the high prices, and a lot of companies don't have the 
resources to withstand the kind of downtime that locking up a 
backup, for example, would cause.
    Mr. Nickel. I am running out of time, but where should 
Congress be focused to try and prevent these ransomware 
attacks?
    Ms. Walden. I think there are a number of things. One, we 
need to really focus on how do we get to a place where the 
American economy is resilient enough to withstand a ransomware 
payment ban. That is the North Star, but there are some real 
steps that have to be taken because, ultimately, we need to 
protect the American economy and the American people. So, that 
is one. Two, we need to be able to allow certain intermediaries 
in the payment system to be able to share information laterally 
and with law enforcement to be able to stop the process.
    Mr. Nickel. Thank you. I yield back.
    Mrs. Kim. Thank you. I now recognize the gentleman from 
Texas, Mr. Williams, for 5 minutes.
    Mr. Williams of Texas. Thank you, Madam Chairwoman. 
Ransomware attacks were first seen in the late 1980s, but they have 
become more and more common, as we know. I am a small business 
owner in Texas, and I can tell you that small business and Main 
Street are getting hammered by this, and it is devastating. 
These kinds of attacks started off fairly simple. An individual 
would click on a fake link, and their computer would be locked 
down by the attacker until they paid the attacker a small 
amount of money or sum of money. And recently, these attacks 
have become much more sophisticated by using new technologies, 
like artificial intelligence, and are able to go unnoticed by 
law enforcement.
    As quickly as technology is evolving around the world, we 
must stay up-to-date on the most-advanced ways that technology 
is being used for illegal activity and stay ahead of the curve 
in our defense against these bad actors.
    So, Mr. Sergile, could you expand on how ransomware attacks 
have evolved over the years, and what can this committee and 
Congress do to keep up with that evolution and best counter 
these attacks?
    Mr. Sergile. Thanks for the question. To start off, you are 
absolutely right. What we are seeing across-the-board is that 
the speed, scale, and sophistication of the attackers is 
increasing in monumental increments. Megan was talking earlier 
about artificial intelligence being used by threat actors. We 
are seeing that as well. The one way that we are able to combat 
that is by using artificial intelligence ourselves to be able 
to kind of clear through the clutter and be able to respond 
automatically.
    One instance, a breach back in February, was the first time 
that we saw AI being used in an active attack. A very well-
skilled and well-tooled Security Operations Center (SOC) was 
not able to keep pace and parity, but with tooling that has 
machine learning and artificial intelligence, we can absolutely 
keep pace and parity, and knock down the alert fatigue that we 
see on a regular basis because that is part of the problem. 
Critical alerts go missed, so fighting fire with fire is a 
simple answer.
    Mr. Williams of Texas. So, like any other bad guy, they are 
always one step ahead of you.
    Mr. Sergile. The kind of silver lining in this is that 
their use of machine learning and AI is actually a generation 
or two behind us. We first kind of saw the first implementation 
of a generative pre-trained transformer (GPT) for threat actors 
back in March of 2023 with ChatGPT, and now I think we have 
eight different types of AI tooling for threat actors. But it 
is a concept of good data and being able to cleanse that data, 
and they don't have that at this point, but if they do come 
together, that is going to be different.
    Mr. Williams of Texas. We have seen an increase in 
ransomware attacks on individual Americans--we talked about 
that, we know that--but also, large multinational companies, 
like attacks we see and so on, on MGM and Caesars, and the 
payouts for these large attacks have grown in scale, driving 
the attackers to target more and more high-profile victims. 
These bad actors are going after companies across all 
industries, from healthcare companies to refined product 
pipelines, which is showing how protection against ransomware 
is becoming a necessity for national security, and the big 
expense is on small businesses to protect themselves.
    In order for us to best protect everyone, the United States 
must have safety and security measures in place should there be 
an attack on key infrastructure in the United States.
    So Ms. Koven, could you elaborate on the national security 
risks that large-scale ransomware attacks pose?
    Ms. Koven. Thank you for your question, and we certainly do 
see the phenomenon of big game hunting, large entities being 
targeted by ransomware operators in our dataset. As much as 75 
percent of the overall ransomware payments we have seen are 
comprised of payments of a million dollars or more, so these 
actors are becoming more sophisticated at using dark net market 
resources that they can buy and sell. But luckily, we can track 
those purchases, and those are a great identifier in enabling 
us to disrupt that.
    Earlier, we noted that nation-state actors engaged in 
ransomware are from China, Russia, and Iran, and they are 
testing ransomware not only for financially-motivated activity, 
but we are seeing ransomware used to obfuscate nationally, 
politically-motivated activities, like disruption and 
espionage. So, it is important that we involve multiple 
agencies with every lens of visibility available to us, 
following the money, following the tooling, the infrastructure, 
and the people.
    Mr. Williams of Texas. Okay. Thank you. I yield back.
    Mrs. Kim. Thank you. I now recognize the gentlelady from 
Colorado, Ms. Pettersen, for 5 minutes.
    Ms. Pettersen. Thank you, Madam Chairwoman, and thank you 
all for this discussion today.
    I had a lot of things that kept me up at night before 
coming to Congress, and you can definitely add this to my list. 
I was astonished to learn about the increase just from 2018 on 
ransomware; it went up to $1.1 billion. It is moving in the 
right direction, as you have noted, Ms. Koven, about a 15-
percent decrease in payments with people being able to be 
better prepared. Something that was highlighted during the 
testimony, Ms. Stifel, was how we need to invest in the legal 
and investigative capacity, and what does that look like? I 
know that is difficult when we have our adversaries 
internationally, who are, unfortunately, not being held 
accountable. What should we consider for specific steps here in 
Congress to support that work? And then, I want to open it up 
to you, Ms. Walden, as well about additional steps we can take 
to put pressure on Iran and China and Russia when they are 
engaging in this.
    Ms. Stifel. Thank you for the question, Congresswoman. In 
terms of resourcing, we are looking particularly at agencies 
which have investigative and enforcement authority within the 
committee's jurisdiction obviously, at the agencies at the 
Department of the Treasury, but they work hand-in-hand with 
other elements of the U.S. Government. With respect to the 
number of Suspicious Activity Reports (SARs) that were 
mentioned earlier, all of these reports are coming into the 
government. They are being disseminated to a small number of 
departments and agencies. There are a lot of reports, and it 
has been said before in prior testimony to the committee that a 
Suspicious Activity Report doesn't mean illicit activity, but 
we have to look at all of the information.
    Unfortunately, there is a shortage, as we have heard today 
in testimony, of a capable workforce. That also applies to 
investigators. It does take a higher degree of understanding to 
put the pieces together to leverage capabilities that some of 
the witnesses have, to bring greater light to the activity that 
is being undertaken, by whom, and the tactics, techniques, and 
procedures that they are leveraging. That means that we need to 
also have officers, supervisory special agents, and the like 
over at the FBI and the Secret Service, and also in Treasury, 
who have the training necessary to understand how to leverage 
what is available.
    I think it is also important to look at ways that we can 
incentivize companies to report but also make sure that we are 
breaking down the barriers limiting the ability for the 
government to partner with private sector partners, to build a 
more holistic picture, and leverage each entity, both public 
and private capabilities, to reduce the ability for these 
threat actors to maintain access to our networks. Certain 
actors in the ecosystem, the public sector, and private sector 
entities have the ability to frustrate their ability to 
continue to operate. We don't see the incentives being in the 
right place right now, and we do think there is an opportunity 
for Congress to clarify.
    Ms. Pettersen. Thank you. Ms. Walden, do you have a follow-
up on what we can do to put pressure on countries that are 
engaging in this?
    Ms. Walden. Absolutely. I think what the FBI, in 
particular, has been doing is it has been naming and shaming, 
the FBI in combination with the DOJ, and indicting, even though 
these actors remain in safe haven spaces. Then, they were able 
to work with law enforcement across the world to be able to 
grab folks because ransomware actors are just like the rest of 
us, they like to take vacations, for example, and they don't 
necessarily want to stay in their home agency or their home 
country. So, that would be one.
    Another would be diplomatic efforts, not necessarily 
something that Congress can do, but something that we have to 
continue to engage on. There was one opportunity, it was thinly 
veiled, I admit, but we had some Chinese nationals that were 
apprehended by Chinese authorities. We had, I think, some of 
the ransomware criminal actors who were apprehended by Russian 
authorities. Again, not perfect, but these are opportunities 
that we can continue to capitalize on.
    And I would echo what Ms. Stifel said, expanding the 
ability for the IRS, the Secret Service, Homeland Security 
investigations, and the FBI to be able to understand signals 
that are available from large technology companies and cloud 
service providers, and understand the signals that are 
available from blockchain analysis and the forensics to be able 
to access and review SARs, and put the whole picture together 
really tremendously improves law enforcement's ability to get 
after these threat actors.
    Ms. Pettersen. Thank you very much. I also wanted to ask 
all of you, and I am running out of time, but how can we as 
Members of Congress engage our local municipalities, our 
businesses, and give them the information that they need to 
protect themselves and have those precautions in place?
    Ms. Walden. I can take a quick stab; I am sure everybody 
has something to say. The first is awareness has improved, but 
we need to be proactively going out to local municipalities.
    Ms. Pettersen. Sorry. Now, I am out of time. I should have 
asked that. Yes, we need more time. I apologize.
    Mrs. Kim. I now recognize the gentleman from Iowa, Mr. 
Nunn.
    Mr. Nunn. Thank you very much, Madam Chairwoman. And I want 
to thank the panel for being here. I think this is incredibly 
important, on a bipartisan level, to be able to both understand 
not only the threat, but talk about some real solutions behind 
this. I know each of you have worked on this in a really 
incredible way.
    We all know that with each passing day, our adversaries are 
continuing to shift their dominance, particularly in 
cyberspace, and the threat posed is not just from state actors; 
it is down to criminal elements, lone wolf actors, as well as 
some really advanced technology, like artificial intelligence, 
is starting to play in this space.
    In the last 3 years alone, we have seen a 15-percent 
increase in ransomware, and for the average, main business, 
that is a $4-million chunk out of your paycheck, which means 
that it has a trickle-down effect on the entire economy. This 
is a billion-dollar problem that we are addressing, and that is 
just starting with what is happening right now.
    As a former counterintelligence officer, I have had the 
privilege of working with some of you in this realm before. We 
have to address the threat as it continues to evolve, and one 
of those things is looking at groups, Madam Chairwoman, like 
Volt Typhoon coming out of the communist element within China, 
where they have offloaded into a proxy element the ability to 
go after this while holding themselves not accountable that 
they are bad actors. The truth of cyber warfare is when it is 
rooted in the idea that this is a situation of a when this 
attack occurs, not if this attack occurs, and we have to take 
an all-hands-on-deck approach to it.
    With that, I want to highlight some of the things that we 
are trying to address, and I appreciate those of you who have 
helped weigh in on our Public and Private Ransomware Response 
Coordination Act to address some of the issues we are coming up 
with today, so I would like to get into it. We have worked 
together before, but, Ms. Stifel, one of the things I want to 
talk about first is, can you share with us a little bit about 
Ransomware-as-a-Service, the background on how this is and how 
it really empowers people with a very minimal level skill set 
to perpetrate something that is very dangerous to all of us?
    Ms. Stifel. Thank you for the question, Congressman, and 
for your ongoing service to the country. Ransomware-as-a-
Service, as a business model, has become a major problem in 
this space. As Ms. Walden identified, it is far too easy for 
someone with very little capability to be able to procure, 
oftentimes on the dark web, the set of capabilities that allows 
them to leverage access, in many cases, that someone else has 
obtained, and a network to deploy a ransom instead of malware 
that has probably been developed by yet a third person. So, it 
is almost like a spider web where you have different actors, 
many of whom may not have much sophistication, piecing together 
the number of vulnerabilities that are resident in our 
ecosystem in order to have an outsized impact on our economy.
    In many cases, these actors don't know each other, but as 
Ms. Walden also identified, they do communicate with each 
other. So, we need to be able to facilitate access to all of 
the information that both the public and private sectors have 
on these threat actors' communications in order to begin to 
better prepare ourselves to take action.
    The Ransomware-as-a-Service business model also leverages 
capabilities in cloud service providers and other types of 
bulletproof hosters. Many of these bulletproof hosters are in 
jurisdictions outside our reach, so to speak. Nonetheless, 
although those jurisdictions are partners and may have 
relationships with some of our partners, I think about the 
Ransomware Initiative, which has now grown to over 50 countries 
and organizations. This collective effort could be a great tool 
to leverage, with appropriate resources, the ability to take 
and put pressure on these threat actors who are living in safe 
havens. And I think there is an opportunity there for Congress 
to consider resourcing, as I have been saying, departments and 
agencies to boost our support to our Counter Ransomware 
Initiative peers, to begin to extend our net overseas.
    Mr. Nunn. I fully agree on this. Thank you both for your 
work in this area. One of the things I want to highlight here 
is that those who are on the frontline, and, Ms. Koven, I am 
going to come to you next here, is our private sector folks 
around the world who are addressing this.
    In my home district in Iowa, public schools got hit with 
ransomware, that as soon as one was hit, they used that same 
technique to hit the next one and the next one and the next 
one, to a point where not only is it costing taxpayers money, 
but we are breaching critical information about our kids. Look, 
in this bill, we are focused on threat detection, rate of 
information sharing, response time, and threat suppression. 
Talk to us a little bit about how, in your experience, 
partnerships like that can really help learn from the private 
sector to help the public sector?
    Ms. Koven. Thank you for your question. Information sharing 
is so critical in these spaces in getting information to law 
enforcement to identify, track these payments, and disrupt 
them, but also to prevent future victims from falling prey to 
attack. In my experience, the best public-private sector 
collaborations have involved dynamic bidirectional sharing. It 
sounds simple, but it is radical for some agencies to engage in 
this culturally different practice, and we have had stunning 
successes. We have been able to freeze North Korean stolen 
funds, ransomware payments from Colonial Pipeline, because of the 
collaboration.
    Mr. Nunn. My time has expired. I appreciate the work that 
all of you are doing in this field. Thank you.
    Mrs. Kim. Ms. Koven, feel free to submit a response in 
writing.
    I now recognize the gentleman from Illinois, Mr. Foster, 
for 5 minutes.
    Mr. Foster. Thank you, and thank you to our witnesses for 
joining us.
    As several of you noted at the starting point, Zero Trust 
is a secure digital identity that identifies all participants 
who are active on your internal network. It strikes me that the 
single-most useful thing that we in Congress could do is to 
establish a federally-recognized standard for presenting 
illegally-traceable identity, like a digital driver's license 
or digital passport or something like that, and I have been 
working on that and I appreciate your endorsement. Is there 
anyone who thinks that is not a useful contribution to 
cybersecurity in general?
    [No response.]
    Okay. Thank you for not objecting to that. I think it 
should be a no-brainer, and I am disappointed that we haven't 
done this many years ago.
    Mr. Sergile, in your testimony you note that AI is 
providing scammers with new tools that they can use for social 
engineering and ransomware more broadly. Their companies are 
also using AI to improve the company's ability to respond to 
cyberattacks, so it appears like we are really entering an arms 
race here.
    Ransomware is only one tool that bad actors use to exploit 
vulnerabilities of a firm. 60 Minutes last week reported pure 
social engineering hacks of the casinos in Las Vegas, which 
were very disruptive, and now with the fake impersonations, we 
are starting to see instances where an attacker does not even 
need to gain access to a network to be successful. Last year, 
an employee of a Hong Kong-based financial firm was tricked 
into wiring $25 million to a scammer following a Zoom meeting 
with his management. And it turns out that everyone on that 
Zoom was a deepfake impersonation, and the money was stolen 
without any actual breach of the company's internal systems.
    There are two trains of thoughts about dealing with these 
deepfakes. The first one is to imagine developing systems to 
automatically detect deepfakes, which I personally think is 
going to be a losing game over time. The other one is simply to 
look at the other side of the coin and say every citizen who 
wishes should have a way of proving they are who they say they 
are by presenting a digital ID of some kind, and several States 
have already issued mobile driver's licenses. The technology is 
in every one of our cellphones. Basic technology and protocols 
were developed at the National Institute of Standards and 
Technology (NIST) almost a decade ago. And places like the 
European Union and India and elsewhere are already rolling out 
digital ID systems, and they are very effective at providing 
really high-quality two-factor authentication.
    First off, do you believe that a digital ID system such as 
those that have been implemented in other countries would be 
useful in presenting and preventing at least the social 
engineering things?
    Mr. Sergile. I have a couple of points about that. I stated 
earlier that I am very much a technologist, I am not a policy 
person myself, and we have a team with whom I can put you in 
contact. What I will say about a digital ID is that, just like 
any other type of technology, it is not going to be infallible. 
If you take a look at technologies as a whole, it may be. What 
I explained to folks is that there is going to be a point in 
time where it is 100-percent secure, and that might change from 
the next second to the next minute to the next hour or days. My 
only kind of apprehension as a technologist would be that it 
could possibly be hacked, and I don't know enough about it to 
give a definitive answer either way. I tend to be a skeptic 
because of the industry that I am in.
    Mr. Foster. Yes. These systems rely on trusting the silicon 
in your cellphone. The biometric login is the core of it 
associating your REAL ID license with the silicon in your 
cellphone with you and trusting its biometric login, but I 
think that is probably about the best you can do to ensure it. 
And I think the fact that there is this technology and we are 
not implementing it as a country is a tragedy that is driving a 
lot of the success of the criminal gangs that we are seeing 
here.
    You mentioned also, and actually, Ms. Walden, maybe you 
have experience in this, when you are training AIs on 
ransomware response, is there a dataset that you would really 
like to get your hands on? If you had a dataset of all of the 
successful and unsuccessful responses to ransomware, is that 
something that would really be useful if the government can 
provide that on some confidential basis?
    Ms. Walden. In one word, yes, that would be quite useful. 
However, we don't have great measurements. We don't have great 
data, and until the Cyber Incident Reporting for Critical 
Infrastructure Act (CIRCIA) was passed, it was not required. 
You can't manage what you don't know, but yes.
    Mr. Foster. Yes. Well, if you have any ideas on what useful 
datasets the Federal Government can make, please submit them in 
writing. Thank you. I yield back.
    Mrs. Kim. Thank you. The gentleman's time is up. I now 
recognize the gentleman from Pennsylvania, Mr. Meuser, for 5 
minutes.
    Mr. Meuser. Thank you, Madam Chairwoman. And thank you to 
our witnesses.
    In Pennsylvania alone, there was a loss of $360 million due 
to cyber threats, as the data states, and over 16,000 
complaints in 2023 alone, according to the FBI Internet Crime 
Report, and they are very often devastating attacks. A business 
within my district recently told us that they fear for small 
businesses that aren't equipped and tech-savvy and do not have 
the proper IT infrastructure, and that same company is spending 
20 to 30 percent more on IT to protect themselves, costing more 
than a million dollars a year additional. So, it is a big deal.
    And then meanwhile, just on the tax side of things, I can't 
help but say that we need to look after small businesses with 
bonus depreciation and R&D tax credits and the small business 
tax cut, which was passed in the House and for whatever reason 
is languishing in the Senate. But we just need to be far more 
serious about these threats and the additional crises that our 
small businesses and large businesses as well face.
    Ms. Stifel, may I start with you? Small and medium-sized 
companies, what can they do to better prepare and ward off such 
a cyberattack and deter cyberattacks? What companies are more 
vulnerable, what industries, and what makes these ransomware 
groups attack one company over another?
    Ms. Stifel. Thank you, Congressman, for the question. I 
agree with you that small businesses need a tremendous amount 
of support, and the ways that they can protect themselves are a 
few-fold. The first, as I mentioned here and in my written 
testimony, is that unfortunately, we have an ecosystem that is 
riddled with insecure technologies, so we need to move and 
shift security left. We need to have an ecosystem dominated by 
Secure by Design technologies. Until then, we are only taking 
holding measures. That means that small businesses need to, if 
they can, leverage the resources of experts. If they can't, 
there are more secure operating systems than others, and I 
won't name names, but doing a bit of research and leveraging 
those more secure systems will be the first step.
    As Ms. Walden mentioned, they need to know what is on their 
network. The first thing, as Ms. Walden also said, is you can't 
defend what you don't know, but there are basically five simple 
steps: know what you have, making sure that your systems are up 
to date, using multi-factor authentication, backing up your 
data. And another one that we haven't talked about yet is using 
a protective Domain Name System (DNS) service, which 
essentially blocks users from going to malicious websites. 
These are free resources in many cases. My prior nonprofit, the 
Global Cyber Alliance, has a resource for small businesses, and 
that is also supported by MasterCard. So, being aware and 
leveraging what is out there is a first step.
    We also, though, need to think about other ways to help 
small businesses, and I think it was raised, the idea of 
looking at tax incentives. There are also grants that have been 
made available, most recently in late 2021 and 2022. Those 
grant programs should be examined, looked for measures of 
impact and were successful, and I think they will be in raising 
our overall collective resilience. There is an opportunity for 
Congress to continue to support those grant programs to help 
small businesses boost their hygiene.
    Mr. Meuser. Okay. Good. Thank you.
    Mr. Sergile, is cyber insurance getting more competitive? 
Is it affordable for small to medium-sized businesses?
    Mr. Sergile. Cyber insurance as a whole--we deal with it on 
a regular basis. We actually partner with cyber insurance from 
a proactive standpoint. I can tell you having been a 
practitioner and what I used to go through to acquire cyber 
insurance, it is dramatically different today, and I think a 
lot of that had to do with newcomers into the cyber insurance 
world. And the amount of attacks that have happened, especially 
with everybody going home with COVID, it used to be you could 
fill out a spreadsheet and they would tell you what your 
premiums were. Now, it is a lot more detailed where audits will 
happen. The amount that you spend versus the benefits or the 
coverage that you get has dramatically changed, and we are also 
seeing some insurance organizations not basically dealing with 
the nation-state attacks in different ways to include----
    Mr. Meuser. I am almost out of time already. Regarding the 
60 Minutes that was brought up and Russia and some of these 
crime organizations existing there, if you have any thoughts 
for what Congress can do to sanction those, we would appreciate 
it. I yield back, Madam Chairwoman.
    Mrs. Kim. I now recognize the gentlelady from Texas, Ms. De 
La Cruz, for 5 minutes.
    Ms. De La Cruz. Thank you, Madam Chairwoman, and thank you, 
witnesses, for being here today.
    There were several things that stood out to me, mostly as a 
small business owner myself, and I think that education and 
bringing awareness is certainly key, starting with a hearing 
just like this. And there was something that Ms. Stifel said 
that actually intrigued me because as a small business owner, 
we don't have the resources that the larger banks or the larger 
companies do. And many times, you are working 10-, 12-hour 
shifts in your business just to put food on the table. So, they 
might not be watching C-SPAN right now to listen to this really 
exciting hearing, right?
    I think that you mentioned many tools, but one that stood 
out to me was even giving tax incentives because something that 
a small business owner certainly does pay attention to is their 
taxes, and they can take advantage of a tax incentive that 
actually brings to light what importance this has. Do you have 
any further information or have any specifics on that?
    Ms. Stifel. Thank you, Congresswoman, for the question. We 
do think it was in a recommendation from the early days of our 
task force report that tax incentives be explored, so we would 
be happy to get back to you on that question.
    I think it is important to ensure that small businesses 
have the opportunity to really understand the capabilities and 
the qualifications of an organization that might be essentially 
selling them services that they might use this tax incentive to 
procure. We would want to make sure that the system that is 
developed to support that tax incentive base be an ounce of 
prevention and not a greater problem, but we are happy to get 
back to you on it.
    Ms. De La Cruz. Excellent. Thank you.
    And I see Ms. Walden shaking her head, yes. Share your 
thoughts with us, please.
    Ms. Walden. I completely agree. Just to add a bit of value 
on top of what Ms. Stifel said, I think the State of Maryland 
Institute has a tax credit that they are reevaluating and 
assessing to see the impact of it, but that might be a good 
place to start for some ideas. But small businesses, like you 
said, have very thin margins, and we need to be a little bit 
more proactive for incentives and finding incentives.
    Ms. De La Cruz. As I listened to my colleague, Ms. 
Pettersen, ask a little bit ago, what can we do as legislators, 
right? We can hold this hearing, but the reality is a small 
business owner is probably not watching right now, so I think 
that exploring the tax part of it is something that as 
legislators we would be able to look at as a bipartisan measure 
at the suggestion from both of you. So, thank you so much for 
your input there.
    I would like to ask Mr. Sergile, are there benefits to 
engaging in negotiations with the threat actors to drive down 
payments?
    Mr. Sergile. Out of all of Unit 42's cases last year, 75 
percent of them were ransomware, and I would say in a majority 
of those cases, there was some kind of ransom asked for or some 
kind of payment asked for. So, there are a couple of different 
benefits to discussions with ransomware actors. One is to 
elongate the time that it takes to understand how impactful 
that breach is. Secondarily, it is also a mechanism that we use 
to be able to ensure that we have the right tools for the 
customer, such as their backups, where we can recover from that 
without having to make a payment. So, we use ransomware 
negotiations in a couple of different ways, and it is purely 
based on the situation on the ground.
    Ms. De La Cruz. Thank you. And lastly, Ms. Stifel, how do 
cyber insurance policies affect the ways in which victim 
organizations respond to ransomware attacks?
    Ms. Stifel. Thank you, Congresswoman, for the question. The 
impact that insurers can have is few-fold. First, most 
insurers now require a baseline set of capabilities, 
cybersecurity hygiene practices by their insureds in order to 
qualify for coverage. As part of that coverage, they will most 
likely require them to develop an incident response plan, but 
they will also identify for their insureds firms that they 
should leverage in the event of an incident. And in many cases, 
as was just mentioned, incident response firms also work with 
negotiators. One of the things I would like to add is that 
working with the negotiators also buys time for law enforcement 
to develop a response plan, as well in working with the victim 
to come after these actors.
    Ms. De La Cruz. Thank you. I yield back.
    Mrs. Kim. Thank you very much. Seeing no other Members in 
the room, that concludes our Member questioning, and I would 
like to thank all of you for your testimony and for answering 
all of our questions today.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    And with that, this hearing is now adjourned.
    [Whereupon, at 11:52 a.m., the hearing was adjourned.]

                            A P P E N D I X


                             April 16, 2024
                             
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]