US Cybersecurity Strategy Doubles Down on Hitting Ransomware
Policy Shift Unlocks Resources to Battle Ransomware as National Security Threat
The Biden administration is doubling down on efforts to combat, disrupt and deter ransomware.
The national cybersecurity strategy unveiled Thursday by the White House classifies ransomware as not just a criminal problem but a risk to public safety, economic stability and national security.
"We're elevating our work on ransomware, declaring ransomware a threat to national security, rather than just a criminal challenge," Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said during a Wednesday media briefing. The strategy also aims to "disrupt and dismantle threat actors by using all instruments of national power to … make it harder for them to threaten the national security or public safety of the United States."
Discussing the new strategy, a senior administration official said it represents "essentially a new policy that ransomware constitutes a national security threat," and added that "traditionally, cybercrime issues would be handled within the criminal justice system, and responsible countries would investigate crime."
But make no mistake: Ransomware remains both a criminal and national security problem, says retired Air Force Gen. Gregory Touhill, who served as America's first federal CISO, under President Barack Obama.
"They're not mutually exclusive," said Touhill, who's now director of the CERT Division at Carnegie Mellon University's Software Engineering Institute. "If it's just a criminal activity, then we have a structure in place for the courts to address criminal activity. But if it's having a national security impact, then all instruments of national power can be applied to address the threat," including political, diplomatic, economic and military instruments.
Collaboration, Crackdowns, Virtual Currencies
The national cybersecurity strategy promises to combat ransomware in four principal ways: international cooperation, using law enforcement to investigate and disrupt ransomware groups, improving business resilience to make organizations tougher to hack, and targeting illicit cryptocurrency exchanges and the illicit use of virtual currencies for laundering ransom payments.
Such efforts are backed by the Counter Ransomware Initiative the White House unveiled in 2021, which includes the participation of over 30 countries and supports disruption activities, plus policy and diplomatic efforts. In January, Australia launched an international counter-ransomware task force that supports these efforts.
The White House will also give the multi-agency National Cyber Investigative Joint Task Force greater power "to coordinate takedown and disruption campaigns with greater speed, scale, and frequency." The task force is co-chaired by the FBI and the Cybersecurity and Infrastructure Security Agency, and it includes the participation of military and intelligence agencies.
The strategy says that U.S. Cyber Command, the National Security Agency and other military and intelligence agencies "are committed to bringing to bear their full range of complementary authorities to disruption campaigns," as well as countering both government-sponsored groups and cybercrime syndicates that pose a national security risk.
Hive Takedown Demonstrates Strategies
The cybersecurity strategy benefits from the fact that President Joe Biden has already appointed a number of cybersecurity experts to senior positions and issued multiple executive orders aimed at bolstering security and international law enforcement coordination and intelligence sharing to combat ransomware. These efforts are already bearing fruit.
One notable recent example is the takedown in late January of the Hive ransomware group's infrastructure. The effort involved numerous countries, including the United Kingdom, Germany and the Netherlands, and had the backing of Europol and help from others.
Hive's operations were infiltrated by law enforcement for seven months, and decryption keys were passed to all victims that officials could identify. The FBI says this prevented over 1,300 victims from collectively paying up to $130 million in ransoms. Hive, meanwhile, has yet to reboot.
"Our combined success with Hive is only the beginning," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking earlier this week at a Scottish cybersecurity conference (see: Healthcare Most Hit by Ransomware Last Year, FBI Finds).
"I went to a location just two weeks ago, and witnessed about 50 personnel, including from 11 countries outside of the U.S., all sitting together at one location working on the next phase of this ransomware disruption," he said. That such resources are being brought to bear against attackers "should be concerning to them; I think they were already surprised by the fact that we were able to do this."
Such efforts extend beyond disrupting infrastructure or arresting perpetrators, said CMU's Touhill. Working with allies, the U.S. has "levied economic sanctions, including going and hunting down the money and retrieving it from the cybercriminals," he said. "I think you're going to see that increase, if not accelerate."
White House Willing to 'Play Offense'
Cybersecurity experts say the new national strategy will allow the White House to more forcefully take the fight to criminals. "We can now play offense. The U.S. government is willing to go on the offensive against organized cybercrime, cartels and spies who have been targeting us for years and we've always been dealing with them with one hand tied behind our backs," said Tom Kellermann, who leads cyber strategy at Contrast Security.
Such an approach reflects how the ransomware problem can never be solved solely by arresting suspects or seizing infrastructure, observed Chris Rohlf, a nonresident research fellow at Georgetown's Center for Security and Emerging Technology.
"Changing the economics is how we beat ransomware, not throwing 'cyber operators' at the problem," Rohlf wrote on Twitter.
Touhill said the strategy should send a clear warning to criminals. "You're opening up a can of worms that includes all instruments of national power to be applied to stop this."