SCHUMER REVEALS: RUSSIAN HACKERS ZEROING IN ON UPSTATE NY; FORCING SMALL GOVERNMENTS TO PAY BIG BILLS TO REMOVE “RANSOMWARE” THAT CAN BREACH MUNICIPAL COMPUTER SYSTEMS; UPSTATE TOWNS AND VILLAGES ARE EASY PREY FOR HACK ATTACK THAT ENDS UP COSTING LOCAL TAXPAYERS & COULD JEOPARDIZE PERSONAL INFO; SENATOR URGES FEDS TO GIVE LOCAL GOVERNMENTS THE TOOLS TO FIGHT BACK
Recent ‘Ransomware’ Attacks In CNY And Capital Region Point To Gaping Holes in Town & Village Cyber Security Systems; Schumer Pushes Feds – Who Have Expertise In Cyber Security – To Work With Local Governments to Protect Taxpayers
Schumer Launches 3-Pronged Effort To Protect Communities from Hackers – Says Each Cyber Attack Can Cost Taxpayers Thousands of Dollars and Result in Stolen Personal Information
Schumer: Feds Must Help Local Governments Hit Control-Alt-Delete On Ransomware
During a conference call with reporters, U.S. Senator Charles E. Schumer today launched a three-pronged plan aimed at better protecting communities from “ransomware” attacks. According to the Federal Bureau of Investigation (FBI), ransomware is an insidious type of malware that encrypts, or locks, a computer’s operating system and all of its valuable digital files until a ransom is paid. Schumer revealed that Russian hackers are targeting small towns and villages in Upstate New York because their computers are the most vulnerable. Schumer pointed to recent ransomware attacks against Central NY and Capital Region municipalities as evidence that this problem is not going away, and can cost local taxpayers thousands of dollars.
“Our country’s critical infrastructure is still far too vulnerable to hackers, and we must do more – and fast – to ward off this metastasizing threat. Russia’s recent ransomware hacks against municipalities and businesses in Upstate New York mean those in our small towns and villages are being forced to pay a big price,” said Senator Schumer. “Cybersecurity threats mean that our private information, like medical data, financial records, Social Security Numbers and more, is under assault like never before. These hacks show that our local communities need more resources and training, so they can better prevent these attacks in the future, and the federal government needs to better focus its attention on finding ways to ramp up our security efforts before it is too late – so we can hit Control-Alt-Delete on ransomware for good.”
Once a computer is infected with ransomware, there is no way to recover the files other than paying the ransom. Schumer therefore urged the federal government to step up its efforts to help stop and prevent these cyber-attacks in Upstate NY and around the country. Specifically, Schumer is urging the National Institute of Standards and Technology (NIST) – put in control of running the President’s Cybersecurity Commission – to make ransomware a focus. In addition, Schumer called on Senate appropriators to allocate more money to help state and local municipalities make the necessary infrastructure improvements and train employees to prevent future ransomware hackings.
The FBI estimates that cyber hackers using malware like ransomware collected more than $200 million in the first three months of 2016. Hackers are able to do this by extorting businesses, individuals and institutions when they infect computers with malware and encrypt their data, thereby taking computers and smartphones hostage, and then charge a ransom to retrieve it. These computer viruses are able to infect users’ devices by including downloadable email attachments or links to website URLs that seem legitimate when, in reality, they actually contain malicious ransomware code. According to an April 2015 CNN report, at this rate, ransomware is on pace to be a $1 billion a year crime industry in 2016. Schumer explained that most of these cyber criminals reportedly operate out of Russia and the former Soviet republics of Eastern Europe. The origins of these attacks are, therefore, often very difficult – if not impossible – to trace.
Since these hackers use sophisticated malware, victims are forced to pay the ransom in order to get their devices and files back; they have no other recourse once the files have been encrypted. Schumer said these hackers not only target businesses, police departments, hospitals, banks and other institutions that hold a large amount of sensitive, personal information, but they also target individuals on their personal computers. According to an August 2015 Albany Times Union report, individual victims are usually asked for a ransom between $200 and $10,000 to unlock their files. According to a January 2016 report from The Atlantic, hackers strive to find a price equilibrium – a point at which they can extort a few hundred dollars, from a whole lot of people – depending on the target.
Schumer said that ransomware has two major, devastating consequences. First, victims cannot use the computer systems on which they depend until files are unlocked, rendering them virtually paralyzed in today’s digital age. Second, and more importantly, victims’ personal, private information is often compromised when hackers gain access to either their home computers or the systems of banks, hospitals, police departments, online retailers and other businesses, which contain files like financial records, medical reports, Social Security Numbers and more. Even after the ransom has been paid and the information decrypted, Schumer said, hackers could still hold onto the information they gained access to and use it for malicious purposes down the road. With several incidents now reported in Upstate NY, Schumer said Congress must do more to prevent these hackers from targeting consumers and businesses across the state.
According to the FBI, there has been an uptick in ransomware usage among hackers. In 2015, law enforcement saw an increase in these types of cyberattacks, and particularly against organizations because the payoffs are higher. Schumer explained that there have been several reports of ransomware in Upstate NY over the last few years. According to the Utica Observer Dispatch, the Village of Ilion in Herkimer County paid $800 just two years ago to regain control of its computer systems. In March of this year, in the Town of Manlius, a town employee’s computer was attacked by hackers from Crimea, Russia. Luckily, the town had purchased cybersecurity insurance, and employees were trained in what to do if they suspected an attack. According to the Post Standard, the town’s IT department was able to thwart the threat by taking the computer off the system before the entire network could be impacted. In 2015, according to the Times Union, the Capital Region Chamber of Commerce pulled down its website following messages from members reporting that they were receiving alerts that their data had been locked and hackers were demanding cash in exchange for retrieving it. In addition, one hospital and a community center in the Capital Region reported being attacked by ransomware.
Schumer said the U.S. must do more to thwart these attacks, as consumers’ personal information, like Social Security Numbers and financial information, along with law enforcement reports are at risk. Schumer therefore launched a three-pronged push to help curb these cyberattacks:
- First, Schumer urged the Administration and the NIST, which is running the Commission on Enhancing National Cybersecurity, to focus on ransomware in order to find solutions to these malicious attacks. In February, President Obama announced his Cybersecurity National Action Plan (CNAP), which is focused on improving America’s cybersecurity posture. This plan created the non-partisan Commission on Enhancing National Cybersecurity, which is comprised of leaders in business, technology and academia who are focused on making recommendations to the President for actions that can be taken to strengthen cybersecurity. Schumer said this commission should be focusing on ways it can root out ransomware and better protect both the public and private sectors against it.
- Second, Schumer called on Senate appropriators to fully fund the President’s proposed Information Technology Modernization Fund (ITMF). The Administration’s 2016 budget proposed allocating $3.1 billion to this revolving fund. Schumer said this fund should receive all of the federal resources it needs to secure Federal networks and make investments to strengthen cybersecurity and cybersecurity education across the country.
- Finally, Schumer called on Senate appropriators to create a dedicated funding stream for state and local municipalities as well. Schumer said this would allow local governments to make infrastructure improvements and train employees to prevent ransomware hackings in the future. Schumer said businesses and municipalities, along with their employees, must receive the training they need to help stem these cyberattacks on the local level.
Copies of Schumer’s letters to both the Executive Director of the Commission on Enhancing National Cybersecurity and Senate Appropriators appear below:
Dear Ms. Todt:
I am writing to you out of concern from several recent ransomware attacks on institutions in my home state of New York. Many municipalities, hospitals, schools and banks have lost vital capital and resources to cyberthieves who have infiltrated their networks and held critical data hostage. Given the increasing number of these incidents in recent months, both in New York and across the country, I urge you to make ransomware prevention a principal pillar of your Commission on Enhancing National Cybersecurity.
I was pleased to see that in tandem with the Cybersecurity National Action Plan, the President created a Commission of experts dedicated to recommending actions on cybersecurity, and raising the level of cybersecurity awareness in both the public and private sectors. This investment is especially beneficial for professionals on the ground in New York who may lack the guidance needed to make the requisite infrastructure updates and prevent future attacks on their hardware. I applaud the current efforts of the Commission, but I am also concerned that many communities continue to suffer from advanced malware attacks.
Ransomware, a deadly spyware attack in which hackers lock or encrypt computer data until ransom is paid, is terrorizing individuals, businesses, and local governments across the entire country. In fact, the House of Representatives just experienced a ransomware attack last week. Those without the resources to defend against these attacks are left to suffer the loss of important commercial capital or even worse, pay high damages. According to the FBI, last year victims who reported attacks to the Bureau suffered nearly $24 million in damages. A recent Symantec report stated that never before in the history of humankind have people across the world been subject to extortion on such a massive scale.
As these thieves become more advanced, critical attention must be given to strengthen our online networks and protect consumers from future attacks. This becomes especially important as we continue the 21st century and expand our use of internet-connected devices. I hope you will prioritize ransomware prevention in your Commission on Enhancing National Cybersecurity and make it a key element of our nation’s cybersecurity action plan.
Again, thank you for your consideration of this request. I look forward to hearing from you and to working with you in the future.
Charles E. Schumer
Dear Chairman Boozman and Ranking Member Coons:
As you continue your hard work on the Fiscal Year 2017 Financial Services and General Government Appropriations bill, I respectfully request that funding be included to strengthen our efforts on cyber-hygiene at the federal, state and local level, with a particular focus on dealing with the scourge of ransomware across the country.
The President’s Fiscal Year 2017 budget requested $3.1 billion to create the Information Technology Modernization Fund within the General Services Administration. The creation of this fund, which was included in the President’s Cybersecurity National Action Plan, would help agencies replace antiquated equipment and transition to more secure and efficient IT infrastructure -- such as the cloud network. The Fund would enable agencies to annually refresh their IT systems based on up-to-date technologies and best practices. Put together, these reforms could make substantial network improvements that could help save money over time.
Cybersecurity incidents against our federal networks recently hit a record high. A March 2016 Office of Management and Budget (OMB) report found that government attackers successfully executed 77,000 cyber incidents, including network breaches or data infiltration during fiscal year (FY) 2015. This is a 10 percent increase from FY 2014. An additional report by the Federal Information Security Modernization Act (FISMA) has stated that inconsistencies in the implementation of our information security policies and practices still remain. While many agencies have made significant progress within this area, the troubling reality is our agencies are not prepared to handle cyberattacks of the 21st century. Preliminary findings from the Government Accountability Office show that the government operates on 28 systems at least 25 years old. Another nearly dozen information systems date back to 1980 or earlier.
As you know, this issue is not limited to the federal level. In fact, in my home state of New York, several communities are suffering from the damages of ransomware attackers who have stolen their data and held it hostage. It is important that state and local governments not only have the funding needed to upgrade their systems, but that they also have the guidance necessary to train professionals in the proper security measures. These localities need all the help they can get to fight against the threat of cyberthieves.
The state of our networks is an issue that we must take seriously. This is why I am urging you to fully fund the President’s IT Modernization Fund. I am also urging you to dedicate a funding stream to state and local governments, so that local communities have the resources to modernize their infrastructure and train employees on best security practices. Our society is at its best when our networks are protected and individuals have the ability to safeguard their data. I look forward to working with you on efforts to strengthen our nation’s cybersecurity defenses.
Thank you for your consideration of this request.
Charles E. Schumer