The U.S. State Department said on July 15 it is offering up to $10 million in reward money for information that leads Federal authorities to anyone who is conducting cyberattacks against U.S. critical infrastructure at the behest of foreign governments.
The reward offers are being made through the State Department’s Rewards for Justice program – which has more traditionally been used to pursue foreign terrorism suspects. The bounty offers indicate that the Biden administration is putting additional muscle behind its public and private efforts to choke off foreign-power sponsorship of cyberattacks on U.S. infrastructure.
At its highest levels, the Biden administration’s push-back on foreign-based attacks has taken the form of meetings with Russian President Vladimir Putin and public admonishments of the Russian government for either allegedly backing such attacks or allowing them to be launched from that country. Much of the U.S. government’s efforts to deter attacks on critical infrastructure undoubtedly happen outside of the public eye.
The Biden administration’s line in the sand with the Russian government is clear: no attacks on critical infrastructure. The two governments are having high-level meetings aimed at an agreement on the issue, and President Biden has said it may take between six and 12 months to determine whether any real progress has been made.
More than just publicizing the reward money, the State Department is trolling the dark web to advertise the potential payoff.
“Commensurate with the seriousness with which we view these cyber threats, the Rewards for Justice program has set up a Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources,” the agency said.
The State Department also said it will make payoffs for tips in the form of cryptocurrency, and “is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources.”
The State Department’s offer of reward money promises “up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”
The notice then breaks down CFAA statute violations into several categories including: “transmitting extortion threats as part of ransomware attacks; intentional unauthorized access to a computer or exceeding authorized access and thereby obtaining information from any protected computer; and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.”
Computers protected by the statute, the State Department said, “include not only U.S. government and financial institution computer systems, but also those used in or affecting interstate or foreign commerce or communication.”
Since it was launched in 1984, the Rewards for Justice program says it has paid out more than $200 million for actionable intelligence that has helped prevent terrorism, bring terrorist leaders to justice, and otherwise “resolve threats to U.S. national security.”