U.S. Holds Global Meeting to Fight Ransomware, Minus the World’s No. 1 Culprit
WASHINGTON — When the White House convened 30 nations this week to formulate strategies for combating ransomware, one country was intentionally omitted: Russia, the single biggest source of the problem.
It is not that President Biden is freezing the country out of the discussion. Ever since Mr. Biden’s summit with President Vladimir V. Putin in Geneva in June, White House officials have been testing Moscow’s willingness to crack down on the ransomware gangs that wreaked havoc in the United States last spring, shuttering a crucial gasoline and jet fuel pipeline and crippling a major producer of meat. In recent weeks, American officials said they had begun passing intelligence to the Russians about specific hackers who the United States believes are behind the threats to companies, cities and infrastructure. Officials say the Russians have sounded cooperative, but have not yet made arrests.
There is some evidence the pressure applied by Mr. Biden in Geneva has made modest progress: Spectacular attacks on critical infrastructure have abated, though there is a steady drumbeat of continuing ransomware demands. Still, when asked how often he thought the United States would be facing such attacks five years from now, Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of United States Cyber Command, said, “Every single day.”
The purpose of the meeting, said Jake Sullivan, Mr. Biden’s national security adviser, was to try to alter that future by engaging allies to join the United States in what he called “an integrated effort to disrupt the ransomware ecosystem.” So for two days, in groups led by Australia, Britain, Germany and India, government experts sought agreement on how they could keep the groups from using anonymous cryptocurrency, which facilitates ransom payments, or harden infrastructure to make it less likely that a ransomware attack would freeze critical operations, as one did in May with Colonial Pipeline, a fuel distributor to the Northeast.
The conference was convened by Anne Neuberger, a longtime National Security Agency official who is now Mr. Sullivan’s deputy for cyber and emerging technologies. Ms. Neuberger has also led the quiet interchange with Russia, which officials will not discuss in any detail. She described the meeting as a “counter-ransomware initiative” that would focus on “cryptocurrency, resilience, disruption and diplomacy.”
One foreign diplomat who participated in the closed two-day meeting said it reminded him of “the early days of counterterrorism,” when the White House was trying to engage key players to join in the effort to deny terrorist groups space to operate. “But in that case, we let the Pakistanis in the room, and treated them like they would be part of the solution,” he said. “No one was willing to do that with Russia.”
White House officials said there was little debate on the question of whether to exclude Russia, though publicly they said Moscow might be invited to future sessions. The administration decided that it was better, for the first session, to try to demonstrate to Moscow that tolerance of the ransomware groups operating on Russian territory — some of which are suspected to be occasionally doing the bidding of Russian intelligence agencies — would poison any real discussion of common initiatives, and that Moscow would do everything it could to sabotage modest steps the 30 countries could agree on.
Yet even the Biden administration has discovered limits in how hard it can push for major changes. While it has mandated cybersecurity standards for government contractors and created a series of “sprints” for government agencies to harden their systems, its effort to crack down on the use of cybercurrencies has run into some objections among major investors and users of those currencies.
While Ms. Neuberger has argued for “know your customer” rules similar to those that govern banks to combat money laundering, important investors in cryptocurrencies have argued against requirements that they disclose transactions, saying anonymity is crucial to the growing market.
Some of the nation’s largest companies are fighting legislation in Congress that would require them to report when they are attacked — a corporate embarrassment that could drive away investors or customers. The companies frequently try to obscure how much ransom they are paying, as Colonial Pipeline did this year. (Some of the millions it paid were later recovered.)
“Most breaches are not reported to law enforcement,” Lisa O. Monaco, the deputy attorney general, who dealt extensively with cybersecurity issues as former President Barack Obama’s homeland security adviser, wrote recently. “The current gap in reporting hinders the government’s ability to combat not just the ransomware threat, but all cybercriminal activity.”
The final communiqué avoided mention of mandatory reporting. It called for “enhanced cooperation to inhibit, trace and indict ransomware payment flows, consistent with national laws and regulations,” the last phrase a recognition that many countries — not just tax havens — would resist efforts to make it easy to identify who is using cryptocurrencies.
Mr. Sullivan acknowledged the differences at the opening of the virtual meeting, the only part that was conducted in public. “Our governments may have different approaches with respect to the tools we believe are best to counter ransomware,” he said, “everything from how to secure our networks, to leverage diplomatic tools, and even the most effective ways to counter illicit finance.” But he insisted they were unified in the goal of stopping attacks that can lock up a company’s data, or make it impossible for nations to distribute water or keep bridges open.
“This is not a U.S. meeting,” Mr. Sullivan insisted, noting how widespread ransomware attacks have disrupted critical infrastructure worldwide. An attack on a water distribution system in Israel, for example, shook executives at American utilities, and one on a petrochemical plant in Saudi Arabia revealed the vulnerability of its oil production.
But at the meeting, the United States noted several of its latest moves, including using a Civil War-era law — the False Claims Act — to allow whistle-blowers to reveal when government contractors failed to meet basic cybersecurity standards. (The law was enacted in March 1863 to crack down on companies selling faulty arms and supplies to the Union Army.)
“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and report it,” Ms. Monaco said last week. “Well, that changes today.”
But no similar international initiatives were announced by the end of the conference. Ms. Neuberger said the meeting was “a start,” and that the key was that the United States was building a loose alliance of like-minded nations to take on ransomware attacks. “This won’t be the last meeting,” she said.