Testimony of Christopher C. Krebs [Director of the Cybersecurity and Infrastructure Security Agency] Before the Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation U.S. House of Representatives On Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis – May 5, 2021. Washington: “…Simply put, ransomware is a business, and business is good. The criminals do the crimes and their victims pay the ransom. Often it seems easier (and seemingly the right thing to do from a fiduciary duty to shareholders perspective) to pay and get the decryption key rather than rebuild the network. There are three problems with this logic: (1) you are doing business with a criminal and expecting them to live up to their side of the bargain. It is not unusual for the decryption key to not work. (2) There is no honor amongst thieves and no guarantee that the actor will not remain embedded in the victim’s network for a return visit later, after all the victim has already painted themselves an easy mark. (3) By paying the ransom, the victim is validating the business model and essentially making a capital contribution to the criminal, allowing them to hire more developers, more customer service, and upgrade delivery infrastructure. And, most worrisome, go on to the next victim. We must address the ransomware business model head on and disrupt the ability of victims to pay ransom. We need to prioritize countering ransomware as a nation. That includes appropriately investing in our government agencies and their ability to investigate, disrupt, and apprehend criminals. We need to do more to understand the ransomware economy and the various players in the market. And at the points where cryptocurrency intersects with the traditional economy, we need to take action to provide more information, more transparency, and comply with the laws that are already on the books. 
This includes Kiosks, Over the Counter trading desks, and cryptocurrency. Lastly, we don’t know enough about the ransomware economy, as it operates in the shadows. We lack a clear understanding of the scale of the problem, including the number of victims of ransomware – the denominator we are trying to improve against….”