WASHINGTON, DC – Rep. John Katko (R-NY), Ranking Member of the House Committee on Homeland Security, and Rep. Andrew Garbarino (R-NY), Ranking Member of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, delivered the following opening statements in a subcommittee hearing entitled, “Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis.”

Ranking Member Katko’s Opening Statement (as prepared for delivery)

Thank you, Chairwoman Clarke, and Ranking Member Garbarino for holding this important hearing.

In 2020 we witnessed one of the worst years on record for ransomware attacks, and it could not have come at a more tenuous time for our society. With the onset of the pandemic, the nation drastically shifted to remote work and services. While this yielded great benefits, it also provided a more expansive attack surface for cyber criminals. As COVID-19 cases increased, so did the number of devastating ransomware attacks. This trend represents an acceleration of what has impacted communities all across America for the past several years. In my district, the Syracuse City School District and Onondaga County Library System previously fell victim to ransomware attacks that shut down their systems and halted the critical services they provide.

I cannot emphasize this strongly enough: State and local governments and small businesses should leverage the free services the Cybersecurity and Infrastructure Security Agency (CISA) offers to help prevent and mitigate the scourge of ransomware attacks. CISA’s guidance and services can help SLTT, and small businesses take meaningful steps to increase the cybersecurity posture of their networks. These left-of-attack preventative actions can make the difference between a devastating cyber event and business as usual.

We also must ensure CISA has the resources and capabilities to go toe to toe with sophisticated cyber criminals. CISA has made strides to keep pace with the evolving threat, but there’s more to be done. The Fiscal Year 2021 National Defense Authorization Act provided important authorities that I advocated for that will ultimately allow CISA to rise to the challenge, but these must be met with resources to implement them. As I have continued to say, Congress needs to put CISA on a path to being a $5 billion agency.

I have been pleased to see CISA leveraging some of its newly established authorities including state cybersecurity coordinators. These coordinators will be CISA’s main point of contact embedded in each state government and be critically important to ensuring it has a strong understanding of the needs of our state and local governments. Additionally, I am happy to see CISA is fully leveraging its new authority provided by the DOTGOV Act to administer the top-level domain to provide secure and trustworthy .gov domains to state and local governments at no cost. CISA should also be doubling down on its efforts to stand up the Joint Cyber Planning Office to widen and streamline channels of communication between the federal government and industry.

We must think outside the box when it comes to slowing the rapid expansion of ransomware. Equipping state and local governments with the resources to bolster their defenses is an important step, and I’m looking forward to working with Subcommittee Chairwoman Clarke and Chairman Thompson on the State and Local Cybersecurity Improvement Act to achieve that goal. But we can’t stop there. I look forward to hearing testimony from our witnesses on the innovative approaches that Congress should consider as we strive to tackle this problem once and for all. The recommendations from the Ransomware Task Force are a great place to start, but let’s keep the pedal to the metal.

Ranking Member Garbarino’s Opening Statement (as prepared for delivery)

The global cost of ransomware has risen to $20 billion a year.

Over the past several years ransomware attacks have increased at an alarming rate. Attacks like NotPetya and WannaCry have had devastating impacts to critical sectors across the globe.

Just a few months ago, both the Bay Shore and Lindenhurst school districts on Long Island were hit with cyberattacks. I am determined to work with hospitals, schools, and small businesses in New York’s 2nd district and across the country to improve their cybersecurity posture in the wake of increasing threats.

I believe it is now more important than ever to work with agencies like CISA, the Secret Service, and the Treasury Department to combat malicious cyber actors from targeting our struggling small businesses, healthcare institutions, and state and local governments.

We must think of new innovative ways to interrupt cyber criminals’ ability to see this as financially viable way of doing business.

It should come as a surprise to no one in this hearing that these ransomware attacks have devastating real-world consequences for Americans. Every minute that a hospital goes down is a minute of missed critical care. The same goes for almost every industry.

We must work to put a stop to this.

We need to double down on ensuring state and local entities and small businesses are prepared and adopt basic cybersecurity best practices to mitigate cyber risks. These practices can include: 2 factor authentication, strong passwords, retaining backups, developing a response plan, and updating software.

CISA, in partnership with the Multi-State Information Sharing and Analysis Center (MS-ISAC), also offers several no cost services across the nation that should be leveraged by state and locals and the private sector. This includes the Joint Ransomware Guide, developed by both CISA and the MS-ISAC that includes industry best practices and serves as a consolidated resource for SLTT and the private sector.

I am a proud original cosponsor of the Chairwoman’s State and Local Cybersecurity Improvement Act. While we all can agree more resources for our state and local governments are necessary, we must also ensure these funds are spent responsibly, and effectuate meaningful impacts on risk reduction. This important bill is a tremendous step forward in our fight, but we can’t stop there.

While somewhere near only 2% of all cryptocurrency payments are nefarious, we know that most, if not all ransomware payments utilize the anonymity of cryptocurrencies.

We must adopt an “all of the above” approach to dealing with this scourge. There is no single silver bullet.

I look forward to hearing from our witnesses today about the innovative solutions Congress should consider as we work to degrade, and ultimately eliminate the viability of ransomware.

Thank you, Madam Chair, for bringing this important issue before us today.

###