U.S. Senator Ben Sasse, the chairman of the Senate Judiciary Subcommittee on Oversight, released the following statement after sending an oversight letter to the Department of Justice regarding a 2016 cyberattack that targeted OrthoNebraska, Nebraska’s only hospital specializing in orthopedics and a leading employer in the state. Last month, the Department of Justice indicted two Iranian nationals for carrying out cyberattacks against American targets, including OrthoNebraska.

“Cyber attackers don’t just target tech companies in Silicon Valley and government agencies in Washington, they’re hitting businesses and infrastructure. In 2016, Iranian hackers blackmailed an Omaha hospital demanding a ransom. That’s not science fiction – it’s right here in Nebraska. We need a coherent cyber doctrine to blunt and respond to these attacks because the threats are only going to get more serious.”

Text of Senator Sasse’s letter can be found below:

Dear Mr. Rosenstein,

     I write to you today regarding the November 26 indictment of two Iranian nationals for crimes conducted in the commission of ransomware attacks against numerous American targets. I recognize the uniqueness of this particular indictment, both in its specifics and its scope, and I applaud your efforts to expose cybercriminals and bring them to justice.

     The attacks described in the indictment targeted critical American infrastructure, municipal governments, universities, and health systems beginning in December 2015 and continuing through November 2018. The attacks cost the affected entities millions of dollars and prevented ports, hospitals, and cities from being able to fully carry out their missions. The targets of these wide-ranging attacks included OrthoNebraska, Nebraska’s only hospital specializing in orthopedics and a leading employer in the state. Victims were forced to pay a ransom in virtual currency in order to recover lost data, as the defendants penetrated systems before deploying the malware, crippling their operations. Until we are able to come up with a coherent doctrine for blunting and responding to these attacks, our economy, our local governments, and our critical infrastructure—including our healthcare systems—will remain vulnerable.

     The attacks also raise several pressing questions about American law enforcement’s ability to bring overseas cybercriminals to justice and address the ways in which cryptocurrencies and new financial technologies make stolen funds more difficult to track and recover. This indictment illustrates how two individuals can cause significant damage to American municipalities and companies, with victims forced to choose between paying a ransom or suffering shut-downs in daily operations. 

In light of these events, I am requesting a briefing from your agency to discuss the following:     

1) Specific details of this attack, with particular focus on how OrthoNebraska was affected;

2) The evolution, in both sophistication and target selection, of ransomware attacks and the Department’s ability to address these challenges;

3) The role of cryptocurrency in cybercrime and how your Department is responding to this development;

4) How your Department’s authorities and capabilities fit into the government-wide effort to deter foreign hackers, especially those from rogue states such as Iran, and to impose punitive measures on them (and any state sponsors) for their behavior.

Please respond in writing to confirm receipt of this letter within the next 15 days. If you have any questions, please contact my staff at (202) 224-4224. I look forward to your prompt response. 

Ben Sasse