Published by The Lawfare Institute
The coronavirus pandemic has been a boon for malicious cyber actors who engage in criminal activity. In 2020, at least 2,500 U.S. government entities, health care facilities and schools were victimized by ransomware. Nation-states, too, engage in these types of malicious activities. Last summer, the Justice Department indicted two Chinese hackers for trying to steal coronavirus vaccine research on behalf of the Chinese government. Half a year later, the National Counterintelligence and Security Center warned that the Chinese government is trying to steal Americans’ genomic data.
Deterring and imposing consequences for these criminal acts needs to be at the top of the agenda for President Biden’s cybersecurity team and congressional committees with cybersecurity mandates. Yet our research at Third Way shows that Congress has not prioritized introducing or passing legislation that punishes malicious cyber actors, nor do current federal grants provide the necessary resources to state, local, tribal and territorial (SLTT) entities responding to and investigating cyber incidents. Fortunately, the new administration and the 117th Congress can build off of previously introduced legislation and existing grant programs to help close these gaps.
Our recent analysis of the 116th Congress found that members are increasingly becoming comfortable creating legislation related to cybersecurity, introducing 40 percent more cyber bills than their 115th counterparts. Of the 316 bills introduced, more than half were bipartisan, with 12 of the 14 bills signed into law having bipartisan co-sponsorship. This show of bipartisanship was a continuation from the 115th Congress, when more than 60 percent of cyber-related bills introduced had bipartisan co-sponsors, and it will likely continue in the 117th Congress, increasing the probability of Congress passing cyber-related bills. Notably, nine of the bills signed into law in the 116th Congress were related to appropriations or agency authorizations, with several cyber provisions attached. In fact, the National Defense Authorization Acts for fiscal 2020 and 2021 included 32 cyber provisions that were initially stand-alone bills. (Note: Our analysis did not examine cyber provisions included in authorization or appropriations bills that were not previously introduced as individual bills.) A breakdown of the 316 bills shows that roughly half of them dealt with defending critical infrastructure, protecting consumer data and advancing foreign policy priorities.
While defending critical infrastructure and protecting Americans’ data are vital, these provisions did little to impose consequences on malicious cyber actors. Only 11 percent of the bills introduced in the 116th session, and just three of the 14 provisions signed into law, focused on imposing consequences on the human actors behind cyberattacks. These bills, if signed into law, would have imposed sanctions, created cyber enforcement strategies, revised criminal statutes, and provided resources to countries to apprehend the actors behind cyber incidents.
Compounding the lack of legislation that punishes malicious actors is the limited federal funding available for SLTT governments to fight cybercrime. While arresting the perpetrators behind these incidents remains difficult due to federal and international jurisdictional issues, among other challenges, local law enforcement struggles to respond and assist victims because they lack trained personnel, tools and funding. The Center for Strategic and International Studies (CSIS) in 2018 surveyed the obstacles law enforcement faces in accessing and using digital-evidence forensics. The survey found that local criminal justice agencies had insufficient digital forensic tools to investigate digital evidence (files, photos and text) left behind on digital devices (computers and cell phones), which impeded their ability to investigate and prosecute cybercriminals. The survey further illustrated that only 45 percent of local law enforcement agencies felt they “had access to the resources needed to meet their digital evidence needs.”
While the true funding gap to pay for these tools and resources remains unknown, 95 percent of the CSIS survey respondents said they sought outside assistance from federal and state labs to examine digital evidence. This trend extends to cybersecurity writ large among state governments, as half of the state chief information security officers rely on Department of Homeland Security (DHS) grants to cover their cybersecurity expenses. These and other data points illustrate that SLTT agencies need more federal help to fill their cybersecurity and cyber enforcement needs.
We found that current homeland security and criminal justice federal grants do not reflect a high priority for combating cybercrime compared to other criminal justice issues. Neither the Justice Department nor DHS sufficiently funds the few grants that support efforts to fight cybercrime. In fiscal 2019, the Department of Justice and DHS operated 11 grants worth $1.8 billion—not including Victims of Crime Act grants—that SLTTs could use for responding to and investigating cybercrime. While limited data is available on how these grants are used for cybercrime-enforcement purposes, three data points suggest that the uses are limited.
First, only three Justice Department grants in fiscal 2019 totaling $12.7 million were dedicated to responding to cybercrime—the Economic, High-Technology, White Collar, and Internet Crime Prevention National Training and Technical Assistance Program; the Intellectual Property Enforcement Program; and the Student Computer and Digital Forensics Educational Opportunities Program. For reference, Emsisoft estimates that ransomware incidents may have cost the U.S. government upward of $7.5 billion in 2019. Second, the Justice Department has neither carved out nor identified cybercrime as an “Area of Emphasis” for the Edward Byrne Memorial Justice Assistance Grant (JAG) Program—the largest criminal justice grant awarded to SLTTs. Third, only 2 percent of all DHS preparedness grant funding was spent on all cybersecurity matters in fiscal 2019. While DHS grants are primarily spent to protect critical infrastructure from human-made and natural disasters, DHS does allow grant recipients to spend funds on “software … to investigate … computer-related crimes.” Yet DHS’s 2020 annual preparedness report does not detail how much of that 2 percent was spent for these purposes.
Fortunately, the 117th Congress and the Biden administration can take meaningful actions to punish malicious cyber actors and ensure that SLTTs have resources commensurate with the threats they face.
First, Congress, in the wake of the SolarWinds hack, should strengthen ties with the private sector by working with the newly authorized national cyber director to develop legislation that improves timely and actionable information sharing with private partners. This will help continue to build private-sector relationships with federal law enforcement agencies to take down criminal infrastructure, as was seen in the NetWalker and EMOTET ransomware takedowns. Second, Congress should reintroduce the Cyber Diplomacy Act of 2019 to establish and adequately fund a cyber bureau within the State Department to work with international partners to pursue cybercriminals abroad. Third, while Congress considers creating a separate cybersecurity grant program for SLTTs, the Biden administration can pick several pieces of low-hanging fruit to provide additional funds to SLTTs. This includes prioritizing grant awards to applicants who want to support their cybercrime enforcement efforts through the JAG Program, the Paul Coverdell Forensic Science Improvement Grants Program, and the State Justice Statistics Program for statistical analysis centers.
To be sure, these measures are not a panacea for the cybersecurity threats confronting the United States, nor would they have prevented a SolarWinds-type incident. But unless the federal government takes clear, concrete and bold steps to shore up the nation’s cyber defenses, it can expect more schools, hospitals and small businesses to fall victim to cybercrime. The U.S. government needs to do better.