The State Department announced a $10 million reward for any information about hackers working for foreign governments.
The measure is aimed squarely at those participating in “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” Officials said in a release that this included ransomware attacks targeting “critical infrastructure.”
In addition to ransomware, the notice mentions a number of other cyber violations and notes that it applies to government computers as well as “those used in or affecting interstate or foreign commerce or communication.”
Ransomware groups have made millions over the last two years attacking pipelines, manufacturers, hospitals, schools and local governments. While attacks on Colonial Pipeline and major meat processor JBS drew the biggest headlines, hundreds of healthcare institutions, universities and grade schools have suffered from damaging attacks. The DHS estimated that about $350 million in ransom was paid to cybercriminals in 2020.
The reward program is run through the Diplomatic Security Service and has organized a “Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.”
“The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency,” the State Department said.
“More information about this reward offer is located on the Rewards for Justice website at www.rewardsforjustice.net.”
Politico reported on Wednesday that the reward was part of a larger rollout of actions the Biden Administration was taking to address ransomware attacks. A multi-agency ransomware task force has been created that will lead both “defensive and offensive measures” against ransomware groups.
The White House is also giving the task force the leading role in pushing government agencies and “critical infrastructure companies” to improve their defenses and shore up cybersecurity gaps. The task force will give Biden’s team weekly updates on the effort to beef up the government’s cybersecurity, according to Politico.
US Senators met with deputy national security advisor Anne Neuberger on Wednesday afternoon where she explained the White House efforts to address ransomware attacks. CISA executive assistant director for cybersecurity Eric Goldstein was also on the call alongside officials from the FBI, DOJ and Treasury Department.
The leaders of the Senate Judiciary also announced this week that they planned to hold a hearing on July 27 about ransomware.
An anonymous source told Politico that cybersecurity officials asked for the authority to make some cybersecurity measures mandatory for certain infrastructure organizations.
Adam Flatley, director of threat intelligence at cybersecurity company [redacted], worked on the Ransomware Task Force and contributed to a comprehensive guide for battling ransomware in April. He lauded the stopransomware.gov site and said offering a central location with free resources to help prevent, prepare for, report, and respond to ransomware attacks would be helpful for the most vulnerable organizations.
“This is especially true for those organizations who have budget constraints that force them to go it alone, which is the case for so many good, hard-working folks,” he added.
Some experts questioned whether the reward would be an effective mechanism for tips about cyberattackers.
Austin Berglas, who previously served as assistant special agent in charge at the FBI’s New York Office Cyber Branch, said there was potential for the reporting mechanism to turn “into a public payphone.”
“The difficulty is the amount of resources that will be necessary to separate the ‘signal’ from the ‘noise’ and identify the legitimate tips. Other considerations include attribution to, and information provided by, the tipster. If there was an arrest made and follow-on prosecution (based on an anonymous lead), investigators will have to be able to provide evidence of the crimes alleged by the anonymous party,” Berglas explained.
“This may or may not be possible without the cooperation of the anonymous lead source. Also, OFAC has to be considered when making anonymous payments — how is due diligence going to be performed prior to making a payment to a foreign national?”
Berglas also noted that rival malicious hacking groups may view this scheme as a way to make money and reduce the amount of competition in the market. He added that the measures could do little to address the elephant in the room — the fact that many ransomware groups are provided safe harbor in Russia.
“There are numerous existing cases where warrants are obtained and red notices are disseminated for criminals residing in these countries,” Berglas said.
Many cybersecurity experts also took notice of the specific language of the State Department’s notice, focusing in on the phrase “while acting at the direction or under the control of a foreign government.”
“It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime,” said Mike Hamilton, former DHS vice-chair for the State, Local, Tribal, Territorial Government Coordinating Council.
“If the US government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome.”