Rethinking Ransomware: Why US DOJ and FBI Need to Redefine Success Metrics in Cybercrime Fight

September 23, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

An internal audit of the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) has revealed that current strategies for combating ransomware fall short in tracking meaningful success metrics.

Conducted by DOJ Inspector General Michael Horowitz, the 26-page audit covers ransomware efforts from April 2021 through September 2023 and critiques the DOJ’s response to the growing cybercrime threat.

The report arrives at a crucial time, as ransomware continues to plague organizations across various sectors, from healthcare to education, often causing significant operational and financial damage.

Despite the DOJ and FBI’s noteworthy successes in takedowns of prominent ransomware gangs such as LockBit, Hive, and AlphV, the audit finds that the agencies lack adequate measures to truly assess the impact of their actions on ransomware disruption.

The Need for Better Metrics

One of the central findings of the report is that the DOJ and FBI need to redefine how they measure success in the fight against ransomware.

Currently, success is often gauged by actions taken within a 72-hour window of a reported ransomware incident.

While the FBI reported improvements in this area—action was taken in 47% of cases in 2023 compared to 39% in 2022—this metric alone doesn’t fully capture the effectiveness of disruption efforts.

The audit suggests that the DOJ needs more robust metrics to evaluate its ransomware response, such as tracking the number of ransomware disruptions and the quantity of decryptor keys distributed to victims. These metrics would offer a clearer picture of the DOJ and FBI’s impact on ransomware ecosystems, which extend beyond the initial 72-hour response window.

Ransomware Takedowns: Successes and Setbacks

The DOJ and FBI have indeed made significant strides in their efforts to disrupt ransomware groups.

High-profile takedowns of LockBit, Hive, and AlphV helped law enforcement agencies distribute hundreds of decryption keys to ransomware victims.

The FBI has developed a strategic approach that targets the core elements of ransomware—actors, infrastructure, and finances. By focusing on these areas, the agency aims to dismantle the ecosystems that support ransomware operations.

However, despite these successes, the audit highlights areas where the DOJ and FBI are still falling short. One notable gap is the lack of a formal action plan for ransomware strategies for the next two years. Moreover, the DOJ has not updated its ransomware-related progress on performance.gov as required, creating uncertainty about how progress is being tracked.

Infighting and Coordination Issues

The audit also uncovers troubling issues related to coordination between various law enforcement agencies involved in ransomware investigations.

The failure to properly coordinate between federal prosecutors and other law enforcement divisions has caused significant setbacks in several investigations. According to the report, some prosecutors overseeing related ransomware cases failed to share critical information, undermining the DOJ’s deconfliction policy, which is designed to prevent overlap and inefficiency.

The lack of coordination has led to wasted resources, damaged relationships between agencies, and reduced public confidence in the DOJ’s ability to handle ransomware cases effectively. As ransomware attacks become more frequent and sophisticated, seamless collaboration between agencies will be essential to combat these cyber threats efficiently.

The Role of Task Forces: A Mission in Limbo

Another major issue outlined in the audit is the unclear mission of the FBI-led National Cyber Investigative Joint Task Force (NCIJTF) Criminal Mission Center. Once responsible for coordinating government-wide ransomware efforts, the NCIJTF’s role has become muddled since the creation of the Joint Ransomware Task Force (JRTF) in 2022. The audit notes that since the inception of the JRTF, the NCIJTF has struggled to produce meaningful outcomes in the fight against ransomware.

This ambiguity has left the NCIJTF without a clearly defined role, raising concerns about whether the task force is effectively contributing to the DOJ and FBI’s broader ransomware strategy. Both the FBI and DOJ have pledged to address this by clearly defining the task force’s mission and ensuring that its efforts align with the overall goal of disrupting ransomware networks.

Looking Ahead: Recommendations for Change

The audit concludes with several recommendations for improving the DOJ and FBI’s ransomware response.

Inspector General Horowitz emphasizes that the DOJ must establish clearer, more impactful metrics to assess the success of its efforts. These should include not only the speed of action in ransomware cases but also broader measures of disruption, such as the dismantling of ransomware infrastructure and the number of successful decryptions facilitated by law enforcement.

Additionally, the report urges the FBI to clarify the role of the NCIJTF and ensure it plays a crucial role in future ransomware strategies. Better coordination between agencies is also a top priority to prevent the kind of infighting that has already derailed several high-profile ransomware investigations.

A Need for Refined Focus

The DOJ and FBI have made strides in addressing ransomware threats, but the internal audit reveals significant areas for improvement. With ransomware attacks showing no signs of slowing down, a clearer focus on measurable success metrics, better coordination between agencies, and a refined role for task forces like the NCIJTF will be critical to the DOJ’s future efforts. As the ransomware threat continues to evolve, so too must the strategies and success metrics of those tasked with combating it. By addressing these shortcomings, the DOJ and FBI can more effectively disrupt ransomware operations and safeguard organizations from future attacks.