Three weeks ago, the U.S. Chamber of Commerce — the most powerful business lobby in the country — called on the federal government to take several steps to combat ransomware.
This week, the White House’s deputy national security adviser penned a letter to industry … urging them to take several steps to combat ransomware.
Those are two of the latest moves in a long dance between the feds and private sector over cybersecurity, with a tempo that has hastened considerably since the Colonial Pipeline ransomware attack. Even as both sides say the respective calls for action on ransomware in the oft-hailed “public-private partnership” are well-received, they’re redoubling their messages to each other. As the ransomware challenge looms increasingly large and has proven difficult to wrestle, two of the largest players are trying to find their footing.
“While businesses need to do what they can to enhance their security, the government needs to act decisively against these criminal cyber attackers and stop them from operating with impunity,” said Christopher Roberti, senior vice president for cyber, intelligence, and supply chain security policy at the U.S. Chamber.
Roberti’s organization issued a call on May 21 for the Biden administration and Congress to enhance diplomatic communication over ransomware attacks, disrupt global ransomware payment systems and bolster international law enforcement resources and coalitions.
Deputy National Security Adviser Anne Neuberger wrote on Wednesday, after touting the Biden administration’s action on ransomware, that “the private sector also has a critical responsibility to protect against these threats.” In the missive titled “What We Urge You To Do To Protect Against The Threat of Ransomware,” she suggested businesses use multi-factor authentication, backup their systems and more.
The ransomware incidents ensnaring Colonial and meat supplier JBS has thrust the hacking technique— in which perpetrators encrypt victims’ system and demand payment to release them — to a regular topic of discussion at the White House podium. Fallout from the breaches have also spurred previously unprecedented measures.
Most recently, the Justice Department this week issued guidance requiring closer tracking and notifying on ransomware cases, with a top DOJ official saying the department was elevating ransomware incidents to a similar level of priority the department gives terror attacks.
Larry Clinton, president of the non-profit Internet Security Alliance, said Neuberger’s letter was “terrific” as an indicator of high-level government focus on ransomware and praised its recommendations. Despite the elevation of attention, however, Clinton said the feds may still be failing to adequately prioritize ransomware and cybercrime, more generally.
And the words need to match action, Clinton said. In written testimony before the House Appropriations Committee last month on the DOJ budget, Attorney General Merrick Garland made terrorism the first subject of discussion, while cybersecurity and ransomware received none.
But DOJ’s declaration of prioritizing was important, said Michael Daniel, co-chair of the Ransomware Task Force made up of industry, government, non-profit and academic cyber experts that released recommendations in April. “The first step to getting the budget aligned with that is declaring it to be a priority, right?” said Daniel, a former White House cybersecurity coordinator who now serves as president of the Cyber Threat Alliance.
“I am never going to tell anybody not to look at the budget as an indication of where the real priorities are because absolutely, that is true,” said Daniel, a long-time former Office of Management and Budget official. “That said, we do spend a considerable amount already on cybersecurity and cyber actions and that can be refocused on this ransomware problem.”
The role of cryptocurrency
Ransomware has existed for decades, but only in recent years has it risen to such prominence within the cybersecurity field. If the body of policy, norms and law on cybersecurity is still somewhat small, ransomware’s is yet smaller.
One problem is that there are elements of ransomware that make it hard for policymakers to tackle it directly. It’s part of the reason why Congress hasn’t passed any real ransomware-specific legislation.
Even in policy areas that are ransomware-specific, thoughts are only now beginning to take form. Take cryptocurrency rules and regulation. (Ransomware criminals usually demand payment in that format.)
The Treasury Department recently indicated that it would require reporting on cryptocurrency transfers of $10,000 or more to the IRS, which in theory could offer insights into the infrastructure ransomware gangs employ. The idea appears more aimed at tackling issues like money laundering, said Annie Fixler, deputy director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies think tank.
“To the extent that the IRS’s efforts will strengthen overall financial transparency and integrity of the cryptocurrency marketplace, this may make it harder for hackers to move money and finance their operations,” she said. “This would be a welcome development.”
When asked for details on how such reporting might work, a Treasury Department official instead offered an example in which someone buys a car with cryptocurrency and the seller has to report the transaction. That would seem to suggest that the administration’s proposal, which would require congressional action, wouldn’t give much insight into ransomware operations unless criminals usually residing outside the U.S. receiving payments comply with the reporting rules.
The task force on which Daniels is a co-chair called for stricter cryptocurrency regulation, similar to rules to which banks must adhere.
There’s more to come from the administration. White House press secretary Jen Psaki on Friday hailed a “rapid ransomware review” that will include “expanding cryptocurrency analysis, which we know is a factor” in ransomware attacks.
Where there’s harmony
Whatever’s still unsettled, both feds and industry see alignment between their mutual calls for action to one another.
“We welcome the recent letter from the White House as it reiterates that both the government and private sector need to come to the table in order to protect against cyber threats, which the Chamber has long called for,” Roberti said. “In addition, the letter aligns with actions the Chamber called for in a recent statement, including acknowledging the U.S. government’s role in working with allied nations to disrupt and deter ransomware groups and impose consequences if needed.”
The National Association of Manufacturers offered a similar message to the one from the Chamber about Neuberger’s letter, via email: “We appreciate the information shared by the administration, and also encourage the government to take active steps to counter the threat and increase the costs for these increasingly brazen bad actors.”
A White House official touted existing work the Biden administration has conducted that answers the Chamber’s call, with more to come — although it would need Congress to help on taking some other steps.
“We have already taken aggressive, proactive steps to pursue the maximum cybersecurity advancements for critical sectors possible under current statutory authority,” the official said, citing the ransomware elements of a sweeping Biden administration executive order.
The ransomware review Psaki mentioned on Friday also includes, the White House official highlighted, “disruption of ransomware infrastructure and actors working closely with the private sector” and “building an international coalition to hold countries who harbor ransom actors accountable.”