The virtual summit convened by the White House last week to discuss the rising transnational ransomware threat with global partners opened the conversation about how to cooperate more effectively and “really coordinate our fight,” Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said.
The meetings held last Wednesday and Thursday brought together ministers and representatives of Australia, Brazil, Bulgaria, Canada, the Czech Republic, the Dominican Republic, Estonia, the European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, the Republic of Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, the United Arab Emirates, the United Kingdom, and the United States.
In a joint statement, the nations said they recognize the “threat of ransomware is complex and global in nature and requires a shared response,” and “a nation’s ability to effectively prevent, detect, mitigate and respond to threats from ransomware will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public.”
Efforts discussed by the partners include “improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.”
Neuberger told PBS NewsHour on Friday that “you could have the human attackers in one country, the exchanges that they used to facilitate the movement of illicit currency in a second, registered in one country, operating in a third country, and the infrastructure from which they conducted an attack in yet a fourth, fifth or sixth country.”
Countries represented at the summit “talked about what’s working today in that cooperation, where the gaps are, and committing to working together across those gaps to fight ransomware more effectively.”
Asked why Russia and China weren’t invited, Neuberger said the White House is directly addressing ransomware threats with those countries.
“We brought together countries who each have a stake in truly addressing those components, building resilience, tracing illicit use of virtual currencies, addressing and putting in place, implementing diplomatic norms, and disrupting those actors,” she said. “And this is not the last meeting. It was a first meeting of a set of countries. And we look forward to including more countries in that fight moving forward.”
Neuberger said a main goal is “really looking to see a reduction in core disruptive ransomware attacks against critical infrastructure overall.”
The joint statement from the countries that took part in the ransomware summit stressed that network resilience should incorporate “several universal cybersecurity best practices” including working with the private sector to promote maintaining offline data backups, use of strong passwords and multi-factor authentication, ensuring software patches are up to date, and education against clicking suspicious links or opening untrusted documents.
Information sharing between nations should be improved, the statement continued, as well as engaging with private-sector entities “to promote incident information sharing and to explore other opportunities for collective buy-down of risk.”
As ransomware is “primarily a profit-seeking endeavor,” the countries also noted “the significant potential for combating ransomware through enhanced international cooperation to inhibit, trace, and interdict ransomware payment flows, consistent with national laws and regulations, which will drive down economic incentives for ransomware actors.”
“Cooperation can include a wide range of activities, such as efforts intended to facilitate customer due diligence, suspicious activity reporting, and transaction monitoring,” the partners added. “Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering.”
The nations also vowed to “take appropriate steps to counter cybercriminal activity emanating from within our own territory and impress urgency on others to do the same in order to eliminate safe havens for the operators who conduct such disruptive and destabilizing operations.”
“We intend to cooperate with each other and with other international partners to enhance the exchange of information and provide requested assistance where able to combat ransomware activity leveraging infrastructure and financial institutions within our territories,” nations said in the joint statement. “We will consider all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety.”
They also pledged to “leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cybercriminals,” calling this collaboration “a critical component to meaningfully reduce safe havens for ransomware actors.”
Neuberger stressed that the U.S. is “trying a lot of creative approaches” to combat ransomware — “not all are we public about, not all can we talk about.”
“One of the challenges the U.S. government has is having adequate visibility, because so many ransomware attacks are not reported,” she said. “And that’s one of the reasons why encouraging notification to the U.S. government when ransomware attacks occurs, so we can better trace the attackers, trace the infrastructure that they use to drive disruption efforts, is so important.”
Neuberger said they’re focused on the four approaches to disrupt ransomware outlined in the partner nations’ statement — resilience, countering illicit finance, disruption and other law enforcement efforts, and diplomacy — “and seeing and testing each one of those approaches.”
“What are the outcomes?” she said. “Overall, do we see a reduction in ransomware?”