A Discussion of the 2023 Counter Ransomware Initiative with DNSA Anne Neuberger
James A. Lewis: Good morning. Thank you for coming to CSIS. Most of you know that the Counter Ransomware Initiative’s third summit concluded yesterday, and we’ll hear about – I think one of the reasons we’re doing this is I think this initiative deserves more attention because it is remarkably successful. Trey Herr of The Atlantic Council would have chaired this but he’s out of town, unfortunately, and so you could imagine getting people’s schedules to align is difficult.
Let me quickly introduce people.
Anne Neuberger, deputy assistant secretary to the president and deputy national security adviser for Cyber and Emerging Technologies. Anne has graciously taken time out of her schedule in explaining the AI executive order to come and talk about ransomware. (Laughter.) Well, I have an AI question, and of course we’ll take questions from the audience too.
David Koh – is there anyone in the room who does not know David Koh? He is, in some ways, the guru of ASEAN cybersecurity, an international figure, tremendous progress. I hold ASEAN up because of your leadership as the region that’s done the most interesting work.
And finally – Jamila, I’m going to mangle your name. I apologize. Jamila Ade – is that OK?
Jamila Akaaga Ade: Yeah.
Dr. Lewis: OK, good – the head of the Cybercrime Unit of the Nigerian Federal Ministry of Justice. She’s also the Nigerian representative to the Budapest Convention and the national coordinator of the Global Action on Cybercrime, and co-chair – more importantly for us, co-chair of the Diplomacy and Capacity Building Track of the Counter Ransomware Initiative.
So three real experts and me. We will have a discussion. I’m going to ask Anne to make some opening remarks, then we’ll turn to Jamila and David. We’ll have talk among ourselves and then ask for questions from the audience.
Are we using – Julia, are we using notecards? Yeah, so if you want to ask a question, hold your hand up, you’ll get a notecard, fill it out, and we’ll take it from there.
With that, let me turn it over to Anne.
Anne Neuberger: Great. OK. So good morning. Great to see everyone here. It’s really exciting to talk about the International Counter Ransomware Initiative and the work that’s been underway in partnership with two key international leaders here, as well as some others who lead the policy panel.
So a bit of an introduction to the history of this effort, what led to it and where we are and why we are and where we are at this moment in time.
So President Biden has committed to working to build a more secure and safe cyberspace, keeping Americans, our schools, our hospitals, our companies, and critical services safer online. Ransomware is the most disruptive cyber threat at this moment in time, disrupting the operations of hospitals, putting students’ data publicly online, sensitive kids’ data, disrupting companies in almost every sector of economies around the world. And it’s the very definition of a transnational threat: attackers in one set of countries using infrastructure in another set of countries to attack victims all around the world. The United States remains the most highly targeted country, with 46 percent of ransomware attacks globally happening against U.S. entities.
So the Biden-Harris administration has focused – in tackling ransomware is focused on three core things: first, improve cybersecurity at home; second, disrupt the attackers and the infrastructure they use to conduct their attacks and launder ransom; and finally, build an international coalition, work with partners around the world, because this truly is a global threat. We want to contribute the capacity. We have – we want to learn from allies and partners, lift up so we tackle this together.
The White House’s third International Counter Ransomware gathering brought together 50 entities, 48 countries, the European Union, and Interpol. Since the meeting just Tuesday and Wednesday this week, another country joined, so now we’re at 51 countries who make up this initiative, to drive the international work to make ransomware less profitable and less effective at being the disruptive global threat that it is.
The Counter Ransomware Initiative is the largest cyber partnership in the world. It’s also one that covers both policy and operations, the key things we need to tackle together for impact. And this year’s gathering focused on three things: first, developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks; second, improving cybersecurity through sharing information; and finally, fighting back against ransomware actors. There were a number of great deliverables. I don’t want to take the panel’s thunder since we worked all of this together, so I’ll only highlight one, and that is the first-ever collective statement that the CRI member governments will not pay ransoms. So CRI members, from India to Egypt to Costa Rica to Nigeria, Singapore, and the United States, our governments made that commitment because we recognize that ransomware payments are the money that’s fueling the ongoing attacks.
Why does countering ransomware matter? I mentioned the scale is global and it’s growing. In the first half of 2023, ransomware attacks worldwide increased by 45 percent over last year. And I mentioned the attacks’ impact: disrupting surgeries at hospitals, halting critical manufacturing processes, and disrupting food supplies around the world. Victims are paying more too. Overall ransom payment amounts are up by 120 percent. The amounts in the U.S. are significant. By government estimates, in the U.S., U.S. entities paid $1.3 billion in ransoms from mid-2022 to mid-2023.
I was talking with an individual and talking about the problem, and he kind of captured it for me in one sentence. He said, Anne, of course the numbers are going up; it pays. And that’s one of the fundamental issues we’ve been discussing how to tackle in this international coalition.
So in closing, this is a problem that takes government and private sector working together. There are great U.S. government resources from StopRansomware.gov to reporting incidents to law enforcement so they can pursue the actors and put out best practices that other companies, entities can learn from. And fundamentally, it’s truly international. That international partnership is why we’re here today to talk about that and to talk about the detailed work, with deep gratitude to two of the key international partners in this initiative.
So with that, Jim, over to you.
Dr. Lewis: Great. Thank you.
Let’s turn to the international partners and have David and Jamila give their viewpoints.
So, Jamila, if –
Dr. Lewis: I have a list of all the questions.
Ms. Ade: (Laughs.) OK, just like Anne had mentioned, one of the key things that Nigeria has in focus is maintaining international cooperation when it has to do with combating cybercrimes and then, of course, improving its cybersecurity posture, and this is one of the reasons why Nigeria is very active on the Counter Ransomware Initiative. And one of the key things, of course, is to note the fact that fighting ransomware cannot be done in isolation, and so that now explains why Nigeria, as a regional leader, I would say, is a part of this particular initiative. And back at home in Nigeria, one of the things that we seek to achieve, of course, is to see how efforts that are being taken at the international level are translated nationally because, of course, we note that this issue of ransomware is not something to be dealt with only at the national level.
And so the participation that we have at the Counter Ransomware Initiative level is one that has been very key for us as an African country, noting, of course, that the issue of ransomware is not one that we can say that one has got experience with and, of course, looking at the fact that there is an issue of capacity building, there’s sharing of information, these are all benefits of being a part of such an international partnership.
So I would say that Nigeria is happy to be a part of the CRI and notes the importance and the benefits and, of course, to fight ransomware we’ve got to have such an initiative live and active and very happy to be a part of it.
So, in conclusion, I’ll just leave my opening remarks that simple to say that Nigeria has international cooperation as a key step, key effort in fighting cyber crimes, improving cybersecurity posture, and CRI has proved to be that very initiative that would help achieve this and it’s good to be a part of it. So happy to be here this morning and get to see you all.
Dr. Lewis: Great. Thank you. David?
David Koh: Thanks, Jim. It’s great to be here in CSIS and be part of this panel. If I can share with you Singapore’s perspective on the Counter Ransomware Initiative and ransomware as a whole.
I admit that when we – ransomware wasn’t a particularly high priority for us. Our starting points were really about essential services, et cetera. Then after Colonial Pipeline, assessments changed quite significantly.
(Off mic) – what Anne has said, but you know, the recognition is that this really is an international problem. It is the epitome of a transnational issue, and although it’s driven by criminal gangs it is something which, obviously, we have to come together to work on.
Now, the first challenge that we had was that – trying to get interagency cooperation. Yes, Singapore is a small country, nowhere as large as Nigeria or the U.S. But we also have stovepipes of excellence in our country, interagency rivalries, et cetera. They’re scalable. We have them in Singapore. (Laughter.) So perhaps the only difference is that as a small country we can get everyone locked into the same room and no one is allowed to leave until they solve the issues.
Now, then the realization is that I admit from the Cyber Security Agency’s perspective our initial entree into ransomware – counter ransomware was that we saw it as an operational technical issue. So we started issuing advisories, cyber hygiene, et cetera, make backups, that kind of thing.
Then very quickly the realization is that this is not just an operational or technical issue. It’s a law enforcement issue. It’s a legal issue. You have to deal with other countries, and, ultimately, the recognition is that it is a financial issue. It is driven by the money flows. As some have said, why are the ransomware criminals active in this space? Because this is where the money is.
So these were groups of people that we were not instinctively used to working with so it took us a while to contact the right people. It took us a while to build up the domestic relationships and understanding and then the processes.
So I’m very happy to say that our experience was that the Counter Ransomware Initiative, which the U.S. had initiated, led, was instrumental from Singapore’s perspective to precipitate all of these connections domestically and this is one key message that I wanted to put out, that actually it is not natural, it is not normal, or it’s not instinctive for these domestic agencies to want to work together or recognize that the counter ransomware requires cooperation, coordination, and trust across these agencies.
So having that impetus, having that catalyst for us to realize this and then do the domestic coordination and integration was actually very important to us and I daresay it will be similar in other countries.
Now, the second thing that I want to say is that I think it’s key that CRI maintains its – it’s a big tent. Ransomware is a problem that many countries, I would say, face across the world regardless of geography, state of development, et cetera. I think I want to flag out in particular the U.S. wisdom and leadership in framing the Counter Ransomware Initiative as one targeted against criminal activity. This allows a wide swath of countries, different geographies, different states of economic development, different governance systems, to be able to sign up and take action against criminals.
They’re a common enemy that all of us face regardless of your location on the globe, regardless of your economic sophistication or even your geostrategic considerations. So it’s a common enemy that all of us can band together around and cooperate to work against and I think this has been instrumental in facilitating the huge expansion of the number of members in the CRI.
I remember when we started it was 20-something entities. We have more – (inaudible, background noise) – now. We have 51 – 49 countries and two entities – and I think this is remarkable. The momentum that we have achieved I think is remarkable and I’m committed to continuing to do this.
I think that Anne alluded to one of the big deliverables that we have for this third summit and that’s the collective statement that governments should not pay ransom. I think this is excellent. It shows that there is a common vision and a common commitment, and hopefully it is something that will inspire other countries who are not part of CRI to want to go – come towards.
The second – the next point I want to talk about is actually that we should leverage existing initiatives and not reinvent the wheel. So one of the key initiatives that I want to bring up is the international Financial Action Task Force, FATF. They have various standards on anti-money laundering, combating the financing of terrorism, AML CFT, for virtual asset service providers.
So one of the key recommendations that we have been pushing is that under the FATF recommendations there’s a recommendation number 15 and this actually is targeted at AML CFT for VASPs – virtual asset service providers.
Why this is important is going back to the framing for the Counter Ransomware Initiative. Ransomware is not just an operational technical issue. Ultimately, it is driven by the money, and a lot of the money actually is cryptocurrency.
There are two ways – so we have to deal with the money flows and we have to deal with the cryptocurrency flows. There are two ways to do it – deal with this. One is a bit more high profile. It’s actually hacking the hackers, their crypto wallets, et cetera.
The second one is more mundane but I think it’s important because it can help to throw sand in the wheels, make it more difficult for the criminals, and that is the standard financial sector regulations of “know your customer,” AML CFT type regulations. So the second key deliverable that we have achieved for this Counter Ransomware Initiative this year is a collective statement that we – the countries will also implement the FATF recommendation number 15 and if we do this then we will begin to squeeze some of the financial flows.
Why this is so is because ultimately the criminals move the money around in crypto but for them to benefit from it they have to transfer it back to fiat and once you have to do this then regulations that impede the AML measures, KYC measures, will make a difference.
So I’ll just end on that note in saying that these are some of the experiences that we’ve had and some of the deliverables that we’ve achieved, and I think Singapore continues to be wanting to be a key part of this and we see the great benefit and potential in the CRI.
Dr. Lewis: David is always two steps ahead of me and it’s a little irritating because my next two questions were about FATF and the no-pay requirement. And, yes, I had to look up FATF Section 15 – Article 15 as well. It’s like, who knew? But FATF, or if you’re French GAFI, is important for, I think, the Counter Ransomware Initiative.
Let me do one of the questions that both – all three of you touched on but I think people are interested in right off the front. Tell us a little more, if you can, about the agreement not to pay because that turns out to be a really effective tool.
Ms. Ade: I think I will just touch on the fact that it’s when you pay – when ransoms are being paid it doesn’t guarantee that the attack ends there. There could be a double extortion. It could even get to the triple level where a lot of other things could have that chain. So making that payment doesn’t guarantee that even the data will – that whatever has been encrypted will be decrypted.
So with that understanding it’s a collective effort at the CRI level to see that. At the national level that is not encouraged, that whatever it is national governments do not commit to making that kind of payment because you only empower the criminals by making such ransomware payments. And I think, essentially, that is at the root of what got to having CRI member countries come up with that joint statement. It’s a policy field in this sense, so I think I’ll just hand it over to Anne and David to maybe elucidate some more on it.
Ms. Neuberger: That’s exactly something I was going to highlight, to Jamila’s point, that within the Counter Ransomware Initiative the key work streams are all led by countries around the world because it really is an international problem and we wanted that leadership.
So Singapore and the U.K. lead the policy panel that made this happen, and as you can imagine, while it’s wonderful that the CRI has doubled in the last two years when you’re trying to come up with a policy statement that every country who is a member of signing up to the bigger it gets the harder it gets.
So I’ll turn it over to David, given he and his team really co-led this work, to talk a bit more.
Mr. Koh: Thank you very much. Thanks very much, Jamila and Anne.
It is a remarkable achievement and if I can share with you all a bit of the backstory of how this came about. Firstly, a clarification. The commitment – the statement that we have come out is that governments should not pay ransom. It’s not a prohibition and the reason is because in environments like this never say never. You don’t know exactly what the circumstances might be even when this happens.
Now, the – how it happened was that we were at a meeting in Belfast and one of the countries updated that their government had decided to put out a policy position that they will not pay ransom. This country is New Zealand. So I was actually quite stunned because, you know, coming from the operational side of the house it’s like – it’s not that easy to say no and there are possible extenuating circumstances and you would think twice before saying this.
So I clarified with them and then in the clarification I realized that their policy position was exactly the same as Singapore’s. In the main they strongly discourage but they will keep a little bit of space open, that perhaps there might be extenuating circumstances that might allow the payment on an exception basis.
But the difference was that they had decided to say that this means that we will come out to say that we will not be paying ransom and the footnote is except in extenuating circumstances. In Singapore’s case and in many other countries the footnotes and the extenuating circumstances come up in the front and it prevented us from having that affirmative statement.
So it got us thinking, and I remember this was just six months ago, seven months ago, and got us thinking and said, like, what – wouldn’t it be great if we could follow New Zealand’s example. My staff were not particularly pleased with my response and reaction but it resulted in a half a year’s frantic work as we tried to corral all the different countries, and to our great surprise from initial conception idea until now a policy statement I think under a year is remarkable for 50 countries.
Why is this so? Because actually the realization is that we are all more or less the same policy position, plus/minus, but coming out together collectively to make this public declaration that governments should not pay ransom is very powerful and that has inspired all of us, and I hope it will inspire countries who are outside the CRI as well, and, hopefully, together if we move this way it will also make the ransomware ecosystem less attractive.
Dr. Lewis: Well, I want to come back to the membership issue because I think that’s a good topic to discuss with the expansion. But maybe we probably should have started with this. How are we doing when it comes to ransomware? What’s actually working? Is it arrests? Is it disruption? Is it cryptocurrency?
How are we doing? You know, now this is the third year. Numbers are still going up or are they going down? Give us a sense – give the audience a sense of how we’re doing on ransomware.
Ms. Neuberger: So by the number the numbers are going up – I referenced a couple of statistics in the opening remarks – and that is despite a lot of concerted effort. We kicked off the international Counter Ransomware Initiative to get the energy flowing with success stories. So we had, for example, the Department of Justice, FBI and their Dutch and German colleagues brief on a number of takedowns, specifically the Hive takedown, the Genesis Marketplace takedown, the Bitzlato-related arrests. There have been focused efforts to disrupt the infrastructure, arrest the attackers, and really do so.
And there have been focused efforts to improve resilience. One of the key data takeaways is in the U.S. system Laura Galante, who leads the Office of the Director of National Intelligence – she’s the national cyber executive – she convened a discussion with key ransomware negotiators and one of the things we learned, they said, is that companies that had good backups were able to recover more quickly in days versus the weeks for companies that paid a ransom and got a decrypter.
So the resilience efforts are paying fruit as well. However, the data shows the number of attacks are going up and, frankly, the disruptive impact. You know, in any given month I’ll get a late night call about a hospital system. Prospect Health – 18 hospitals across four states still working to recover from a disruptive attack. We saw the impact on Clorox manufacturing processes here in the United States. Certainly, we saw the impact on other companies, two major casinos’ operations as well, although some would talk about that.
In any event, and I think the core reason is because of the reason David referenced as well, which is it pays. In the United States we paid in one year’s time U.S. entities $1.3 billion in ransoms. Then with everyone’s efforts on disruption and with the improvements made on resilience it still remains a problem and that’s why this partnership matters so much, and we can talk a bit more about the deliverables.
Dr. Lewis: Jamila, how about Nigeria?
Ms. Ade: Where it has to do with attacks? Well, I think one of the challenges I would say that we have, and which may not be very particular to just Nigeria alone, is when such attacks occur you have little or no reporting on it, so you may not even have the data as regards what kind of attacks, how many, what the numbers are and all of that, particularly because for us it’s just something that is just coming on.
So we’re working – it’s more – rather than have it reactionary, so we’re taking steps before it becomes something that goes up for us, so.
Dr. Lewis: Great.
Ms. Ade: Yeah.
Mr. Koh: Yeah. Let me speak a little bit. Firstly, within Singapore the numbers have not gone up. But I’m Asian so I don’t want to speak too much about this. Otherwise, I’ll jinx it. (Laughter.)
The bigger issue, I think, if I look across the board internationally we shouldn’t just look at the numbers. I think there are two trends. One is the trend of the criminals expanding their capabilities, their processes, and their reach. But the second element of it are the international – the governments internationally – are we expanding our defensive capabilities, and I think these two trends are operating independently of each other and eventually they’ll interact.
But I think that on the second one, are we getting better, I think the short answer is yes. So I’ve spoken – there are three levels that I will say. One is that domestically each country has to realize that this is not just a technical issue. The money flows. It’s what fueling – what is fueling this whole ransomware ecosystem and deal with it holistically, and the Counter Ransomware Initiative is hugely successful in initiating these conversations in domestic governments and improving – precipitating those improvements.
The second element of it is capacity building and best practice. Many countries are coming into this having to figure it out themselves, work out the answers themselves. This is highly inefficient. So part of the Counter Ransomware Initiative benefit is that you get to benefit from other people’s learnings and we are coming out with playbooks, best practice, so that we can come up with capacity building that will ultimately build resilience in our governments and in the companies – firms within our countries.
And the third element of it which Anne talked about is collective action. It takes a system to deal successfully with a system. So the criminals have their own ecosystem. We need a coalition of – on our side to deal with this effectively. So governments – Hive takedown is a good example, four or five different countries’ law enforcement agencies with different capabilities, different equities, different legal authorities, working together across borders to take down this highly successful cyber-criminal gang.
But the second dimension of it is that it’s not just governments alone. We need public-private partnerships. So we’re needing very much to partner with big tech, and small and medium tech as well, who have niche capabilities who can help us in terms of intelligence, in terms of tracking, in terms of taking action against the cybercriminals. As part of the CRI summit this year and last year, we have had sessions specifically dedicated to public-private partnership with tech companies not just from the U.S. but around the world taking part in this. That’s an important initiative. I can’t overemphasize the importance of public-private partnership in all of cyber world, and especially the CRI.
Dr. Lewis: That leads to a question that probably is something people are thinking about. You’ve got governments to agree not to pay. Are there any plans for the private sector? And it’s certainly a mixed bag, but maybe all three of you could talk about, what are you thinking when it comes to private sector requirements for paying ransomware?
I’ll note – I may get this wrong so I apologize, but the French have imposed a requirement that to qualify for an insurance payment, you have to notify of a cyber incident within 72 hours. That’s a very interesting incentive for people. But it still doesn’t say don’t pay; it just says tell us. So what are you thinking, what are the three of you thinking when it comes to the private sector and the payment requirements?
Ms. Ade: OK. Well, I would just glean from a capacity-building workshop we had in Garmisch. As part of the Capacity Building Pillar efforts that the CRI had, there was a workshop, which held sometime in July this year, and both policy leaders and those who are also in the operational sector were brought together, and part of the things that we had brainstormed over was this issue of the payments and then the impact it would have where it has to do with the private sector. I know the issues of incentives were being raised as well. How do you make them – first of all, there’s the issue of whether they will even tell the government if they had an incident or not, not to talk more of the payments, if at all. So I think that’s something that I would say that the Capacity Building Pillar is looking at, trying to come up with how the private sector part of it will play when it comes to the issue of payment. So I think it’s still in the place of the policy pillar to say some more. (Laughs.) But at least there’s a little part of it.
Dr. Lewis: That’s great. Thank you.
Mr. Koh: In Singapore, the payment of ransomware is not illegal, so we had a big debate on this and, as of now, the policy position is that it’s not illegal. What we do say, our government, national position is that we see payments of ransom for malware as highly discouraged. That’s what Jamila said. Firstly, you’re dealing with a criminal. Can you trust a criminal, et cetera? What recourse do you have? Secondly, actually, you’re fueling the ecosystem. And third, actually the data shows that if you pay ransom, then the criminals share information among themselves and you become more susceptible for subsequent attacks.
Dr. Lewis: That’s an important point that people need to maybe write down.
Not you, of course.
Mr. Koh: So we’re trying to discourage them, but ultimately, we recognize that it is a business decision and it really boils down to their own backups, their own confidence in their backups, the dependencies that they have, et cetera, and they also have accountabilities to their board, their shareholders, other public stakeholders, et cetera. So we try not to get involved directly, but we just point out to them that you need to consider all of these things.
Now, if I could segue a little bit about insurance. I would say that I think that we should deconstruct cyber insurance. There’s two types of insurance. There’s one type of insurance that is modeled after all of the types of insurance, fire insurance, et cetera, and you deal with the disruption, the cost of remediation, the loss of business, liabilities that you have with your customers. I think that type of insurance, where basically if you view cyber disruptions as not a technical issue but as a risk-management issue, then you deal with risk management. As with all other risk-management issues, you try to insure it, et cetera. I think, for want of a better term, that is good insurance.
Now, there’s a second type of insurance which deals with paying of ransom. So that’s modeled after companies who were perhaps working in countries or regions which – where rule of law was a bit challenged, and they had real concerns about kidnapping, and then ransom, et cetera. This is a totally different kind of insurance. I think that the incentive payments for those are not linked to the first part. First part is really about business cost, insuring – treating cyber as a risk-management issue, and if you can’t incentivize good behavior, in that bucket – meaning to say that if you take appropriate cyber hygiene, cyber defense measures, actually your premiums can go down because it’s a risk-management issue. For the other type of insurance, this is actually payments which go direct to the criminals, and there’s a real question as to whether this type of insurance actually incentivizes good cyber hygiene, incentivizes good behavior, or actually whether it incentivizes the criminals inadvertently. So I think we should deconstruct insurance and not just say insurance is good. The first type of insurance is good. I’m a bit more skeptical about the value of the second type of insurance.
I’ll close with a vignette. One of our government agencies was negotiating for a renewal of their cyber insurance policy. So I was very – they told me; I said, good. And they said they’ve taken reference from our position that we should not pay ransom. So they told the insurance companies that since the advice is we should not pay insurance, we don’t want that bit of insurance; we just want the risk management type of insurance, not the rider, which allows us to pay the ransom. So the insurance company said, got it; we’ll remove this rider; consequently, your insurance premium will go up. (Laughter.) So that really got me upset. It just really forced my view that typically you remove a rider, your insurance goes down. This is a lesser – less functions of your cyber insurance. But here, clearly the insurance companies had done the actual studies and determined that it’s cheaper to pay ransom, right? So I think the whole incentive system is skewed and we really need to relook at this.
Ms. Neuberger: Thank you, David. And I think – I’ll come back to your question, Jim, but I thought David’s comments on insurance were particularly thoughtful. And to your point, skewed in that, to the first description of insurance companies, they could be incentivizing the backups and practices that we know make it far more rapid to recover without paying a ransom payment in the first place. And for just this reason, because it is a global problem and insurance companies are global, that is a workstream within the Counter Ransomware Initiative that we’re looking at, so that gives you a sense of how we identify areas of work. So there is a workstream led by multiple countries that is focused on recommendations for governments in how they deal with insurance, and ideally, to David’s point, as an incentive to improving cybersecurity and making entities more resistant, as well as a helpful point in tackling the money that’s fueling ongoing ransomware attacks.
So back to your question, Jim: In the United States, our stated policy is that we discourage ransom payments and request that if entities do pay a ransom, they notify law enforcement and work with law enforcement so we get visibility. Right now we are looking at the broader issue because we’re seeing this increase in attacks, we’re seeing overall payments go up, and we’re seeing the disruptive nature of the ransomware attacks continuing to really disrupt critical services, disrupt local governments as well. And the efforts we’re tackling are to say, exactly to the points Jamila and David made: It’s a collective action problem, right, because for any given one entity, they may feel, particularly if not necessarily – if they aren’t – if they weren’t well prepared with backups, et cetera, they may feel it’s more rapid and less expensive for them to pay a ransom. But that fuels the broader network and ecosystem because it is an ecosystem of malware, of money movements that is driving ransomware. So what we’re looking at is to say, how do we drive down and discourage the ransom payments while leaving an approach for those critical entities – every day is a delay in recovery. And looking through that and grappling with the policy aspects of that is something we’re looking at. Within the U.S. government, I think the exciting part about this partnership we have is that we can learn from each other. As we’re looking at, for example, tackling the movements of illicit crypto which is fueling it, we can talk to the FATF members. We can press for implementation of the FATF recommendation that requires countries hosting virtual asset service providers to ensure that they put in place know-your-customer rules so that legitimate uses are enabled and illegitimate uses are riskier, costlier, and harder.
Dr. Lewis: So a quick story: In 2010, in the final negotiations for what became the U.N. norms for responsible state behavior, the South African representative said, I will – there’s a consensus at the U.N., you know – he said, I will not vote yes unless you put in capacity building, and so I went to the chair and said, I don’t think capacity building is a big deal; let’s just put it in and buy a vote, right? It’s turned in first to a cottage industry, now to a global enterprise, and so when we talk about capacity building, there’s a couple points that would be useful to have the three of you discuss. How does what CRI does fit in with the other capacity-building efforts, particularly things like GFCE and some of the other U.N. initiatives? What is capacity building in the CRI context? What is it you’re actually telling people? What are the skills you want to transfer? So maybe we can start with those two. What are the skills that you need to transfer? What are the – what is the relationship to the other?
Ms. Neuberger: So first I want to make sure we give a shoutout to Jamila because she and Ambassador Regine Grienberger lead the diplomacy working efforts within the Counter Ransomware Initiative, under which capacity building is. And as the U.S. hosts this year, we also built capacity building into the agenda. So for example, yesterday, following the two-day gathering, there was a morning of capacity building at the Defense Cyber Crime Center for – voluntarily for countries. First a multi-hour session focused on cyber forensics and then a session focused on blockchain analysis, given by – the afternoon session by private sector firms to help explain and teach how this is done. So we took the opportunity of having 50 entities come together to make and add that capacity-building piece, as well as inviting a panel, including Chris Painter, through his fantastic work for the global effort on capacity building –
Dr. Lewis: GFCE, yeah.
Ms. Neuberger: Thank you. You can exactly name out the acronym.
Dr. Lewis: Global Forum for [sic; on] Cyber Expertise.
Ms. Neuberger: Thank you, Jim – to give a presentation and to highlight those efforts.
But with that, I want to hand it over to Jamila because this is an area of love for her that she’s done, she’s really been a leader on globally.
Ms. Ade: Thank you very much, Anne. And it’s actually been a pleasure driving the work on the pillar.
Capacity building in the context of the CRI: First of all, I’d say the focus is always on the issues of how CRI member countries will prepare for and then also be able to respond to when attacks are caught. So that has been like the overall context within which efforts that have to do with capacity building are driven. And so you would find, for example, the workshop we had in Garmisch, we had technical as the operational – those who are in the operations, and we had also policy leaders. So how do you put issues of capacity building around all of this? And for example, let me use the – what David spoke about, the FATF recommendation 15. One of the things that we’ll be looking at, a deliverable for the year ahead, is actually how do countries come to that point where they’re able to implement that particular recommendation? How do countries support each other to see that this happens? And I can tell you, for example, that Nigeria is already beginning to talk with Singapore on that. (Laughs.) So when you talk about capacity building, how, basically, are you able to deal with it when it arises, or prepare for it when it comes? So I think –
Dr. Lewis: Let me do a quick follow-up, though, Jamila, which is, you’re at the Ministry of Justice.
Ms. Ade: Yes, I am.
Dr. Lewis: When you talk about capacity – when we talk about capacity building, what’s the range of ministries that are involved? Is it a Justice lead? Is it a – what we would call Treasury, a financial lead? Is it the cyber operational department? How do you balance out the different agencies?
Ms. Ade: OK, if I got you right, like, how do you focus, who are the people who will be involved in it? I think overall it’s all the actors, because if you look at the different work streams in the CRI, when you talk about the task force, the International Counter Ransomware Task Force, you have a combination of – so you would have the law enforcement, you would have the justice, you would have the financial. So let me take Nigeria for example. Back at home what we have is – we try to mirror what is existent at the international level. So we have a national team that drives counter ransomware efforts, and I tell you that this particular team is driven by the national security advisor’s office but in the team we have the financial people, we have the communications, we have the lawyers, and also we have the law enforcement.
So it’s an overall just looking at all the critical actors in this particular drive to see that their capacity has been built to be able to address it.
Dr. Lewis: Great. Thank you.
Ms. Ade: It’s holistic, basically, I could say.
Dr. Lewis: Anne? David?
Mr. Koh: I would support everything that Jamila and Anne have said. You’ve said that capacity building has become a bit of a cottage industry. We’ve got a couple of cottages over in Singapore as well.
So I fully agree. I think that the experience – I’ll just say two things. The experience that we have had is that it has to be multiagency, one. So one of the big things actually is precipitating, catalyzing that conversation in different countries that you have to work together.
So we have a lot of experience in ASEAN doing capacity building for cyber itself. Not counter ransomware, cyber. So as what Jamila has said, for counter ransomware it’s not just a cyber agency. It’s also justice, treasury, law enforcement. So it’s like different pillars that you have to coordinate.
In cyber itself it’s also complicated because you have the cyber agency, you have policy, you have operations, you have technical, and you have diplomacy, and our experience is sometimes when we – and we give targeted invitations to the people in other countries in ASEAN who look after these different responsibilities.
Our experience is sometimes they come to Singapore and they meet each other for the first time, right. I respect that they’re big countries but it’s still remarkable that you’re dealing in that adjacent space but actually we typically don’t coordinate domestically.
Second point I’ll make about capacity building is our experience is that it’s a two-way street. We very often think of capacity building as something for those who know to teach those who don’t know. There’s an element of this, but going back to what Anne said, it’s an opportunity for us to learn from each other as well.
A lot of what we’re doing, whether in cyber or in counter ransomware, we’re figuring it out ourselves. We haven’t solved the problem. We don’t know what the answer actually is. So different perspectives, different regional aspects of it. You have different blind spots and all the experiences that other people have are useful and our experience is that it’s a two-way street so we learn from each other.
Dr. Lewis: Great. And we’re approaching the moment where I’m going to ask you for questions so if you have a question put it on a card. If you don’t have – you have – oh, good. If you want to ask a question put it on a card.
But let me – you can’t do an event in Washington on digital topics anymore without using the letters AI. I would note that AI is the middle two letters of the word pain. But –
Ms. Neuberger: Also gain.
Dr. Lewis: Or we could have – we could have – that was good. That was –
Ms. Ade: Oh, that’s a good one.
Dr. Lewis: She is fast.
Let me think about that. I’ll get a comeback. But let’s talk about – it’s twice on my list of questions so somebody cares about it.
What’s the role of AI in all this? And we’ll leave AI as open. You know, it could be – it’s already greatly in use in the financial sector now and much of the critical infrastructure. So we won’t define AI. But where does AI fit into your CRI discussions?
Ms. Neuberger: So I’ll start. This is the nice part of being up here together. We genuinely learn from each other as we go.
So, first, we did announce a particular AI effort and I think the point – Jim, to your point is it’s true that AI is both in the middle of pain and gain and I think that’s the reality for cyber, right.
We certainly see AI already being used to accelerate the development of malware toolkits, malicious software, to accelerate the development of identification of vulnerabilities. Where we want to be as a cyber defense community is doing our best to at the – at best being a step ahead, in reality being very, very close, nipping at the heels to first do the same, right – to use AI, to test code before we deploy, to find and fix vulnerabilities.
We’re still – particularly in government and critical services we’re still deploying unsafe code. It’s what makes the cyber problem so hard. It keeps feeling like it grows every day even as we come up with different approaches and work to scale them.
That’s something. There are two items in the AI executive order that the president launched earlier this week that both launch projects at DOD and DHS for national security and overall systems to use AI to find and fix vulnerabilities and then we will work then to scale that.
The second, similarly, is the gift of AI is amalgamating data to come up with new insights. One of the hardest problems we have in cybersecurity is the issue of false positives, right. So learning – establishing a baseline of what is a safe network and then being able to determine what is anomalous, what is likely to be malicious.
So using AI at scale to do that is something that we as government – the private sector is already starting with various co-pilot tools and we in government want very much to be doing the same. So in the context of the international Counter Ransomware Initiative meeting this week we did launch one AI effort, which is the blockchain.
The blockchain is public information – it’s all out there – using AI to work off the blockchain and try to identify illicit money laundering across – particularly across multiple coins, across multiple exchanges, to help us be more effective at tackling the financial aspect of this.
Mr. Koh: If I could just add to what Anne just said.
Agree totally. Yeah, and I agree, it’s the middle two letters of both pain and gain. I guess I look after the pain part of it. So I think from that perspective the use of AI for cybersecurity I think that there are a lot of things that can and should be done, as Anne has elaborated. For the CRI, if I could just add, we need to track the criminals. We need to detect the money flows. These are things that potentially the application of AI can help us in our work.
Then the second dimension of it is actually the security of AI. So we also need to work on that – data poisoning, bias, hallucination. So those are some elements which, back in Singapore, I’m working on. My minister is in London right now. She was part of the AI summit which Prime Minister Rishi Sunak has called and I think we are proud to be part of that and we see AI both as of great potential. The gain opportunities of AI are there but we can only achieve those if we can manage the pain elements of it.
So I think it – as with all of digital, all of cyber, there are two sides to the coin. We want to achieve all the good things that the digital transformation, educational, economic, can provide but we can only do this if we can mitigate the pain that comes along with it and that includes cyber ransomware, the concerns about AI that we’ve discussed.
Dr. Lewis: Remind me not to ask this audience for questions again because we got a multitude and we’ll see how many we can get through. So if we don’t get to yours you can kick me after the event.
But let me start by going over – because I think that was a pretty good discussion of AI. It’s a complex topic because it’s ill-defined and people tend to overstate the risk. And so one of the things I like about both the EO and the work of the CRI is it’s not overly sensitive to risk. That sounds terrible. But getting the right handle on how this can be a useful tool is more important probably than worrying about “Terminator 4.”
How robust are the educational processes of getting businesses, et cetera, to be prepared so they can more easily say, we won’t pay? How do insurance companies cover the cost – if possible, loss – if we don’t pay?
So I think a lot of the questions are clearly about this pay/don’t pay thing. But here’s a good one. How do you – what should companies be doing? What do you educate them to make the risk of ransomware even smaller?
Go ahead. Don’t all speak at once.
Mr. Koh: Let me start for the second one. This is very much part of the advisories that we put out.
So, first of all, prevention is better than cure. That’s obvious, right. Then the second is, like, you need backups. The key issue – you need to map your systems, understand whether you have connections and dependencies. Then you need to have offline backups, right. I am stating the obvious. You can have backups but if the backups are connected then they’ll get ransomwared as well. So you need offline backups, et cetera.
And, most important, you need to actually practice it. What we find is that a lot of companies have all these things but they’ve never tested it. Then when something happens then we’re meeting for the first time. We’re having to make the decisions. No one is in the position to make their decisions. So the analogy I use back home is that it’s like a fire drill. We all have plans if the building gets a fire, et cetera. Statistically ransomware is now more common than fires. So all right. Do you have a fire plan and do you actually practice the plan? Do the people who are supposed to make the decisions – i.e., not the CIO and the CISO, but the COO, the CEO, legal counsel, public affairs – have they actually come together to play through this? So those are the kinds of advice which we tell companies to get used – to practice, to put their plans in place, and then practice. And I think that there’s another cottage industry preparing companies to do this as well.
Dr. Lewis: We had – we had Moody’s and BitSight, which are companies that collect on financial, come and do a briefing. And the overall conclusion – they said now there’s been progress, because about a third of boards get a briefing on cybersecurity every month. And that seemed a bit short to me, but it’s better than what it was. But, Anne, why don’t you talk about –
Ms. Neuberger: We have to celebrate every win. (Laughter.)
Dr. Lewis: No matter how small.
Ms. Neuberger: The wins sometimes feel few, so we must celebrate each one. So first, I’ll note and lift up CISA’s StopRansomware.gov. That has a lot of different resources for private sector entities, for entities who are targeted, and specifically the points David made about backups, offline backups. That matters a great deal. If a network is encrypted, then you have a way to recover quickly. I think beyond that, there was – one of the other workstreams within the International Counter Ransomware Initiative was some really great work the United Kingdom did on victims’ behavior. What leads countries – what leads private sector entities to pay a ransom? What leads them to take the necessary steps on cybersecurity? And a really excellent study done by a think tank called RUSI, I do not remember the – it’s an acronym, RUSI – that we will be actually using in the United States as we grapple with these issues.
So, you know, those kinds of questions of – with all the calls that we’ve made over the last two years to improve resilience, we still see entities that haven’t. What more could we do to incentivize them? Insurance can be one way to do that. What more can we do to disincentivize paying ransoms – paying ransoms? Policies like – policy statements like the first one is a step towards that. So we’re grappling and sharing that information together on those issues.
Dr. Lewis: Royal United Services Institute. They’ve just started a big cyber project. So they’re doing some interesting work.
Ms. Ade: Yeah. So just to echo what they’ve said, I think the issue of planning ahead is very key. You know, and then to have a plan in place such that operations will be able to still continue in the situation that an attack arises, and then also identify vulnerabilities and work on addressing them. Don’t just wait till when the situation arises, just like David had mentioned earlier. And of course, also make intelligence-informed decisions. Because, yes, they may be the same group with different styles. So that should actually drive the decision that has been taken at the organizational level to help improve the posture to address ransomware issues when they arise.
Dr. Lewis: Great, thank you.
Ms. Ade: Yeah.
Dr. Lewis: I should note, we got 14 questions. Eight of them were on the no payment thing. But so I might group them all if that’s OK. But I’ll go through a few of the others first. What additional mechanisms would help deter, prevent ransom attacks, in addition to the money laundering and these things? And that was something I’d actually written down as a question too, which is we’ve talked about disrupting the ransomware ecosystem. Sorry for the word. We’ve talked about disrupting it. What are the other steps that you’re thinking of as a group to make ransomware harder to carry out? David, do you want to go first?
Mr. Koh: Sure. I think that the key thing is, in my view, what’s fueling the entire ecosystem is the money, right? It’s an ecosystem. It started off as a cottage industry, where you have small businesses trying to do ransom. And you needed people who were technically capable to access the company, then be able to lock up the systems, and then finally negotiate and receive payment. All of these have now been disaggregated into different sub-business units. Some of them are separate companies.
And it’s now, like, someone specializes in initial access, someone specializes in actually mapping out the internal systems and accessing the data, another one actually specializes in stealing the data so that it can be used as a second extortion, others specialize in negotiation, because most engineers are not people persons and have difficulty with it. Some of them are actually doing customer support because after you’ve paid the ransom, you know, if you don’t get the key, it doesn’t work. It’s amazing. And there’s a whole separate group which do R&D. So when you pay the money, it’s not just that the criminals go off and buy fast cars or whatever. (Laughter.) But it actually fills the economy because they are actually investing in R&D. So it’s like a business. It’s exactly like a business.
So the key thing, in my opinion, is we have to stop the money flows. Make it more difficult. We won’t be able to stop it 100 percent. Make it more difficult. Make the ability to move the money around more difficult, traceable. Make the ability for them to cash out into fiat and use the cash more difficult. Once it becomes harder, it becomes – you won’t stop it, but the space they have to move actually gets constrained. I put it that we need to starve them of the oxygen which is fueling this entire ecosystem. So money, I think, is the key thing that we need to do.
Second is actually action, collective action, against criminal gangs. Many of them are operating in plain sight. Part of the infrastructure is in countries who are members of the CRI. Sometimes it’s because we lack coordination, we lack intelligence, or we lack the capability. Sometimes it’s because our legal systems don’t give us the powers. But actually, to our surprise, the law enforcement of a neighboring country has those powers which can be used against these criminals. So if we can take the best practices, take the best capabilities from across our coalition, our ecosystem, and then deal with the criminal ecosystem, then I think that will be also effective. It takes a coalition. It takes an ecosystem to deal with an ecosystem.
Dr. Lewis: I’ve looked at some of the high-end ransomware groups, and their analytical capabilities are Wall Street quality. So you’re facing some very tough opponents.
Let me – we had two questions that are on a very touchy issue, but one that we need to talk about. I’ll read them both, and then you can think about how you want to answer them. We’ve discussed the threat by criminal groups. How about the threat by state actors, or the connection between civilian criminal groups and state actors? And the related question is: What is CRI doing to bring pressure on states that either directly support, inspire, or just turn a blind eye to criminal ransomware efforts? So you knew this was coming, at least I hope you knew it was coming. We’ve talked – one of the strengths of CRI is it is – it is focusing on criminal activity. But unfortunately, there are some states that not only endorse, but enjoy criminal activity. So where do they fit in? What’s the position of the states in this?
Ms. Neuberger: So on late night calls for me, early morning calls for David, we’ve talked about this issue at length. And I think first it starts with there are countries, to your point, who host criminals, or the infrastructure, or the virtual assets service providers who are enabling the ransomware activity. So, first, the question for us is, you know, what accountability is there for CRI member governments? And capacity building, as Jamila talked about, is a key part of that.
Do countries know how to do blockchain analysis so that they can freeze transactions that are moving across virtual asset service providers under their jurisdiction? Do countries know how to do the forensics to identify the infrastructure supporting it? And/or if another government asks that they take down the infrastructure or asks that that government have permission to take it down remotely, the country says: Go ahead. You know, we’re in this alliance together to tackle this threat. So I think that’s the way we’re looking to approach it.
There is, you know – fundamentally, there is, of course, a tension between setting a threshold for entry, to say there are accountability rules if you become a member, to building the kind of broad alliance that we felt was foundational to yet another part of tackling the threat, which is building the capacity, building the international partnership, sharing that affirmative vision of what a secure and safe cyberspace can be. I think we’ve now taken good steps to build that affirmative picture of what it can be, to include the carrots of the partnership, the significant capacity building efforts. Jamila mentioned the workshop at Garmisch, which was an effort over the last year focused on – particularly a regional one, focused on countries in Africa.
So with that, those carrots in there, we can then start to build the second piece of the capacity building for accountability. Firstly among members, and then grappling on that more globally. David’s answer a moment ago, by the way, was so perfect on some of the ways to deter and tackle ransomware. I just wanted to add one quick p.s., to link a recent effort that folks may have seen to that. Which is, the Treasury Department did a very novel approach of a 311 noting that mixers are entities of money laundering concern. That’s been an effort that’s been underway for two years.
Dr. Lewis: Cryptocurrency mixers.
Ms. Neuberger: Yes, thank you – thank you, Jim. I should have said that. A lot of focused effort to see what are the tools. Because we recognize the role mixers play, whether it’s money laundering for the North Koreans, hacks of crypto entities and funding their missile program, whether it’s money laundering for criminals, whether it’s money laundering for terrorist entities like Hamas, funding their terror activities. But that 311 is saying: Mixers who mix illicit and valid transactions enable that money laundering and are an entity of concern for us. That’s an example of the kinds of creative legal approaches underpinning the deterrence and the disruption efforts that David talked about.
Dr. Lewis: We got a couple of questions on law enforcement. And so we’ll start with Jamila on these. Sorry. But the questions are: What are we doing to increase law enforcement funding so it’s competitive with criminals? And a related question that’s a good one, what are the law enforcement levers for attacking –
Ms. Ade: Sorry, didn’t get that.
Dr. Lewis: What are the tools that law enforcement has to go after cybercrime? What can we do and where does transparency and other things fit into that? I can read the question if it’s easier. How do we mitigate discouraging the ransomware? What is law enforcement doing to mitigate it? How feasible is law enforcement without transparency or visibility into action? So these are along how do we improve the capability of law enforcement to counter ransomware?
Ms. Ade: I have three key words, actually: Capacity building, accountability, partnership. And I think at the CRI that is what really matters as well. So and when you have to deal with the law enforcement, that’s actually a role that the taskforce has to do – has to deal with. And information sharing is what is key. So, and, of course, even without the CRI to tackle cybercrimes as a whole, there’s got to be that cooperation. For example, whether it’s under the Budapest, you have the 24/7 countries communicating with each other, trying to reduce the back and forth, the response time, and all of that.
And I think the CRI is doing quite well on ensuring that this information is being shared. And then even when it has to do with the tools that are being used, that is – so, if I would say, on the three pillars, they all have some components that may have to do with capacity building. So at the capacity-building pillar, what we are trying to do is to see that all of these efforts are synced together such that all that law enforcement needs, at least they’re able to get it. So whether it’s at the ICRTF level or at the policy level, there’s some form of coordination at that level. So I think – yeah.
Dr. Lewis: Great. Good. Anne or David, anything on law enforcement?
Ms. Neuberger: Those are some of the toughest questions. You know, financially, this is so remunerative. Those are hard questions to tackle. I think what we’ve seen in CRI, as Jamila noted, is the partnership among law enforcement entities so that both they become force multipliers and, in different countries where laws and authorities are different, countries can leverage each other to get the most effective job done.
Mr. Koh: I want to jump in not so much on law enforcement, but the previous question about countries versus criminals. Like what Anne said, there is a tension. I think the focus now is to build that broad coalition, get more people on board, build that capability among the different entities domestically, and build the instincts for us to work internationally. And if we can do this, I would dare say that we can achieve progress without bringing in that more difficult element of it, which is what do you do with the countries?
We won’t achieve 100 percent, but I would hope that we can build that coalition to a much larger group, build the momentum of the CRI up significantly. We started with 20-plus countries. We’re up to 50-51 members now. I can see us continuing to do this. And if we can continue to do this, then that space for criminals to operate will shrink. And the space for countries who harbor, and refuse to take action, or take a blind eye to criminals, will also shrink.
Dr. Lewis: We’ve got – I can’t count that fast – six more questions. And some of them related, but I thought this one was really interesting so I’ll read it: CRI urges national governments to stop paying ransom, though it recognizes there are circumstances in which payment is necessary. What are those circumstances? And how do we account for them, to prevent ransomware payments in the future? So that’s an interesting one. Where – it’s a little different from what we’ve been talking about. Where is it OK to pay ransom, particularly if you’re a state?
Mr. Koh: I think that what comes to mind immediately is – I won’t hypothesize. There are all kinds of potential areas where it might happen. But one simple example is, like, if you’re running a hospital, for example, and the systems are locked up, lives are at stake, you’re in the middle of operations. And would that constitute extenuating circumstances? I think it depends. And the hospital administrators, the board, would be in the best position to make that judgment. From a national authority perspective, our job is to try to highlight to them that we strongly discourage this, right? So that there’s a barrier. But ultimately, they’re accountable for the lives which they’re responsible for, and they are best positioned to make that. So that’s one example of the kinds of situations that we think might warrant an exception.
Dr. Lewis: Jamila, Anne?
Ms. Ade: Yeah, I think – I think that’s quite a very key point. Right to life is very, very key. So that may just be one of such circumstances.
Ms. Neuberger: The complexity we had – though very much agree – the complexity we have is that the hospital sector is heavily targeted today and ranks consistently in industry assessments at the bottom of the list in terms of effective cybersecurity in place. And that’s what makes this such a fascinating policy issue, right? Because in some ways, that’s exactly the sector that you want to incentivize to spend the money on improving cybersecurity versus paying a ransom. And I’ll note, very effective action on the Hill in the last few months on the new medical devices cybersecurity act, requiring that new devices meet cybersecurity standards before the FDA approves them.
Because that’s a great example of when we really need, you know, to ensure that new devices being added not only have good cybersecurity practices but are maintained. Which is another key issue we deal with, right? That when there are vulnerabilities, companies are accountable for the lifecycle of the product to keep it secure. So how we grapple with the incentives to lift up a sector, and I can say that within the White House we’ve had a very close partnership between the National Security Council, the Domestic Policy Council, Office of Management and Budget, and HHS, grappling with this very issue.
How do we use Medicare and Medicaid authorities, given that, to that point, if a hospital network is disrupted, safety standards should apply to that as well. So how do we do so in a way that gives the time for hospitals to lift up and improve their cybersecurity, while also not creating a disincentive to tackle it by perhaps putting in an exception. And that’s why I think a good part of any ransom regime will likely include reporting to government, so that there is some – that there is visibility into that, that our law enforcement community can get the visibility needed to pursue those actors, and we get a sense of what risks that such an important sector is facing.
Dr. Lewis: Another related – we have a few more related questions. And one of them is, what do you say to small countries when you tell them not to pay and there’s a damaging effect? What’s the – is it take one for the team? What is it you say?
Ms. Neuberger: So as the largest – representing the largest country on the stage, I think I’ll defer to my two partners here.
Dr. Lewis: Good idea. (Laughter.)
Ms. Ade: David should go ahead. (Laughs.)
Mr. Koh: No, so I think it goes back to the – so, the starting point is no country wants to pay ransom. I think that’s the reality. No company wants to pay ransom. It’s not something that you’re proud of doing. Not something that you want everyone to know. So actually, the starting point is, like, you have to build up your capacities, firstly, in terms of defense, cyber hygiene, et cetera, so that it doesn’t happen. And then, second, you build – have backups, so – and practice them – so that if it does happen, you have an alternative to paying the ransom.
A lot of the reasons why people don’t pay the ransom is because they feel that they have no alternative, right? My business is disrupted, et cetera. But if you actually have the backups, then you have an alternative. And the alternative is to recover from your backups. Obviously, this requires technical capability, operational trust that your operations can function with the backups, and the procedural things in place so that it can be done. It’s not straightforward, but I think that that’s just the approach to take.
Let me build on what Anne said earlier. The need for us to report to law enforcement or to the federal authorities is important, because I think it is not just about having the information, having the data. But it also serves a little bit of a deterrence. If you think about it, companies pay ransom today. Part of the reason that they pay is that they don’t have to tell people about it. And it’s sort of, like, happening. And you can get away – you do the cost-benefit analysis, and you may think this is the easier path.
But if you then have to report and you become accountable to your shareholders, to your customers, to the public at large, then you’ll change the dynamic a little bit because some of your shareholders, some of your stakeholders, will know that, oh, so you, your board, decided that it’s OK to deal with criminals. May or may not be the kind of company that I want to deal with, right? So this may help to change the dynamic a little bit. It’s soft nudging, not something definitive. But I think that it may help to shift the conversation a bit.
Dr. Lewis: And the final set of questions on this topic that relate in are, what can we do to bolster the resolve of companies? Are any of the governments in the CRI thinking of how we incentivize companies not to pay and to cover the costs of when they are damaged? So incentives, bolstering. What do you do in – what do you do in Nigeria, the U.S., Singapore? What are you doing?
Ms. Ade: About having –
Dr. Lewis: So how do – there’s been this discussion in cybersecurity for a while. Is that if you don’t regulate, then how do you create positive incentives for companies to change their behavior? How do you create the insurance incentives, or tax incentives, or some other kind of incentive that makes them do the right thing?
Ms. Ade: Yeah. So I think, as David was speaking one of the things that came to my mind is the issue of reputations of companies. Why that may be at the core of their non-reporting. They are, so, OK, let’s quickly deal with this, quietly, so it doesn’t affect our reputation outside, and all of that. So I think it’s important that governments think about how to incentivize reporting, because that would go a long way to helping. Because, in fact, it’s the reporting that will also help you have an understanding of the threat landscape. This is what’s happening. This is what’s – this is how it’s been evolving. So without that reporting, it could be a big challenge even understanding what thrives in a particular ecosystem, in a particular situation. So I think that’s something – that’s some discussion that should be looked into further, to see how that happens. It’s a capacity-building issue. (Laughter.)
Dr. Lewis: Anne, David?
Ms. Neuberger: I think, building on Jamila’s points, one message we heard, from a number of the private sector representatives who joined us, was this sense of duplicative and overlapping reporting requirements within countries and between countries? It’s such a complex issue, right, because they’re often required by law and policy. I know within the United States, it’s an issue we hear a lot about from companies and entities, calling on us to streamline reporting. And it’s something that we need – we know we need to tackle and take on. It’s a difficult issue.
So I think how we do that – and, frankly, improving the underpinning information sharing is a key way to solve it, because sometimes the reason there is duplicative or overlapping information – reporting requirements, is because there are various purposes that agencies serve. And if they don’t feel they’re necessarily getting access to the information, there’s another requirement, right? You know, we have a – you know, in the government – there are particular examples I’ve come across in my time at the White House, where you’re always surprised, X information would be really helpful to Y entity, and there’s sometimes policy barriers, there’s sometimes legal barriers. But when it happens, we achieve one plus one is three. It’s remarkable, right?
So if we know about the wallets, for example, that illicit crypto payments are made to, that could help law enforcement pursue those wallets. That could help virtual asset service providers freeze that money. And sometimes, you know, particularly as David put it, there are silos of excellence. Agencies are so focused on doing the best they can at their role, sometimes we don’t necessarily take the time to look left and look right and say, well, who could use this information I have? And if they’re doing their role best, we will be even more effective. So I think certainly the reporting, but recognizing the role that information and improving that can do, and then helping us tackle that issue of reporting.
I think the second thing I would say, and I believe there are different views of this, is that, you know, in the context of another area a wise person once shared with me, there’s an expression, sunshine is the best disinfectant. And I think we still see companies sweeping incidents under the rug. And if we want companies to make the cybersecurity investments, if we want, frankly, entities using a given supplier to understand the risk that supplier’s inadequate cybersecurity practices bring to their operations, requiring – particularly for public companies – a disclosure of incidents and ransom payments.
You know, frankly, as the SEC has done recently, we saw with the recent incidents where there were 8-Ks done. That brings visibility, it helps boards to ask questions of were we prepared? Was there more we could do to prepare? Did we inform our customers and suppliers in a way that helps them prepare for the risk to them as well?
Dr. Lewis: I’m tempted to pose this as a yes or no question, but maybe we can expand a little if you want. Does the no payment – this is the penultimate question, by the way. Does the no payment commitment apply to data extortion attacks, i.e., where data is exfiltrated and then people threaten to release it unless paid? What do you think? Is that sort of a bridge too far right now for CRI, or is it something in your sights? What about data extortion?
Mr. Koh: It’s a good question. I think when we formulated the policy statement, it was just that governments should not pay for ransom. I think it’s a – we didn’t go down to the specificity of whether it includes the data extortion or even the third level where you’re going down further into the third extortion. But I think that conceptually the idea should be no. I think following from that same line of policy thinking, if you should not pay, you should not pay, unless there are extenuating circumstances.
So I think you asked previously, what are the kinds of extenuating circumstances? I think we are looking at things which actually have debilitating impact or lives are at stake, not just because it’s inconvenient.
Dr. Lewis: So last question. And there’s two of them, but they fit together. The first is: What are the key deliverables for CRI next year? And the second is: What are the key deliverables for the CIA over the next – CRI over the next five years? (Laughter.) So, ambitious. Ambitious, and the implication of a permanence that I hope will come true. But I want all three of you to talk about: What are you going to do next? What’s the next steps in CRI?
Ms. Neuberger: So it’s been a – this has been a really good policy discussion, but a long one. So I’ll answer briefly, which is we’re now capturing the action plans from the last two excellent days of discussion. Each action plan has usually a set of countries who bring something specific to it, either because of the country’s position, for example, as a financial leader or as hosting companies, for example, insurance – global insurance firms, with a key role. So each of the policy – each of the pillars that we have – diplomacy and capacity building, policy, International Counter Ransomware Task Force, as well as our overall coordination – is writing and capturing those action plans. We’ll be recruiting countries to lead because, as we said, we really aim for that diversity – a big country and a small one, countries from different regions working together on these problem sets. So more to follow on the next year.
And I think certainly the question of over the next five years, we’ve all seen that efforts that achieve outcomes for their members have longer-term viability. We are hopeful that we can tackle the ransomware problem so we – the International Counter Ransomware Initiative doesn’t need to exist in five years. Absent that, real outcomes and deliverables that move us forward in our pursuit will be what matters.
You know, the attorney general opened. Day one was hosted at the Department of Justice, day two at the Department of State, with shout-outs to those agencies and the amazing people who made it work. The attorney general opened day one, and his call to action was that the work we accomplish has criminals fleeing as fast as they can. And I think that’s one call to action. On day two, Acting Deputy Secretary of State Richard Verma kicked off with an affirmative vision of make cyberspace as secure and safe as it needs to be. So the combination of that and the deliverables towards those two goals are really our measure of success.
Mr. Koh: We have nothing to add. We vote for Anne.
Ms. Neuberger: Yeah, exactly. (Laughter.)
Dr. Lewis: Well, we didn’t touch on what being a member means. I think that came out in the conversation. We didn’t touch on governance moving forward, and I hope that’s part of the work plans, certainly, with these three for the next year. But we did cover a lot of ground.
And part of the reason I wanted to do this event was that CRI is a building block for a more stable and secure cyberspace, and it actually does deliver concrete results. Some of us have seen in the past it is possible to extinguish certain criminal behaviors in cyberspace. So five years isn’t impossible. Maybe, you know? Let’s give it a try.
But thank you very much for coming out. Please join me in thanking the panel. (Applause.)