The Administration’s Strategy to Beat Back Ransomware

Following months of criticism for not responding aggressively enough to a barrage of ransomware attacks, the administration seemed to shake off any hint of lethargy and declare itself fed up. The U.S. Department of Justice has created a crypto currency enforcement team to pursue both criminals who use these exchanges to profit, and the platforms that enable them. The department also intends to use civil enforcement tools, like the False Claims Act, to sue government contractors that suffer data breaches and choose to remain silent rather than report them to the government.

That was the message that Deputy Attorney General Lisa Monaco announced on Oct. 6. The occasion wasn’t a press conference. She was interviewed at the annual Aspen Cyber Summit, and she had plenty of company reinforcing her talking points. The topic for the two-day event was “Exploring Collective Defense in a Digital World,” and the presentations amounted to a full court press on the need for public–private collaboration.

Among the speakers were the administration’s cyber security triumvirate: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA); Rob Joyce, director of the NSA’s Cybersecurity Directorate; and Chris Inglis, the White House’s national cyber director. (Only Anne Neuberger, deputy national security advisor for cyber and emerging technology, was missing.) There were also two leaders from the trenches: David Turk, deputy secretary of the Department of Energy, and Mieke Eoyang, deputy assistant secretary of defense for cyber policy. U.S. Rep. Yvette Clarke (D-N.Y.) and Rep. John Katko (R-N.Y.), who are working on a bill in the House that would require companies to report cyber attacks, were joined by Senator Angus King (I-Maine), co-chair of the Cyberspace Solarium Commission. The other speakers were researchers, academics, CISOs, and about a dozen CEOs. In their own ways they all emphasized the importance of working together.

Monaco hammered home the theme. Asked how she feels about “name and shame indictments,” she said the department will continue to use them “as one tool.” But they are not only about naming and shaming, she insisted. Individuals have been tried as a result of these indictments, she said. More broadly, she continued: “We are building coalitions with partner nations” to prosecute criminals and attack “the ecosystem that supports the malicious cyber activity.” She cited the recent takedown of the Emotet botnet as an example.

Asked how the government plans to counter ransomware, she described a two-prong defense. First, they want to strip anonymity from payments. And then they want to claw back the illegal profits, as they were able to do after the Colonial Pipeline attack, she said.

On the day Monaco spoke, CNBC published an opinion piece she wrote that expounded on her remarks. She called on Congress to enact legislation creating “a national standard for reporting cyber incidents that pose significant risk, including ransomware and incidents that affect critical infrastructure and their supply chains.” She went on to say: “In the case of ransomware, such reporting should also include details about any ransom demand or payment.” Then she added a sentence that a lot of companies have been waiting to hear: “And victims should not be worse off for helping the government.”

What It Means on the Ground

During the conference, amid the embrace of partnership, there were probing conversations in which participants tried to articulate what cooperation means on the ground. For example, during a discussion that focused on nation–states, Sean Joyce, global cyber and privacy leader at PwC, called out the FBI, where he was once deputy director. Channeling his previous role, he said: “I think we could do a better job, as we did recently, tracking the crypto currency [stolen from Colonial Pipeline] and recovering that. And I think we can also accentuate cooperation with the private sector. And we can be more transparent doing that.”

Kevin Mandia followed by focusing on the challenge for companies. “We can’t just always play defense,” said FireEye’s CEO. “On offense, even the crappiest hockey players, if they get 1000 shots on goal, will put the puck in the net.” And often the private sector is not in a position to respond. “Nations need to hold nations accountable,” he went on, “however they’ve got to do that. If you can’t get to the person, and you may not be able to do, you have to hold the nations accountable.” And that makes attribution essential, Mandia added.

Mieke Eoyang, the deputy assistant secretary of defense, chimed in. “It’s really important, for those of us who are on offense, that people report those incidents.” If victimized companies say nothing and secretly pay a ransom, the government learns nothing about the threat, she said. And the government can’t help those companies and others that may be at risk.

Earlier, Eoyang had described the circumstance most likely to provoke U.S. retaliation. “We have not seen a nation–state sponsor an attack that is the equivalent of an armed attack,” she said. “We’ve been very clear about that as a red line for the United States. The equivalent of an armed attack is going to get you a response.”

“Can you define an ‘armed attack’?” asked Joyce.

Eoyang acknowledged that it’s tricky. “It’s a little bit in the eye of the beholder,” she said. “We’re talking about destructive, loss of life, serious injury, those sorts of things.”

In practice, attacks are not always under control, Mandia noted. “On offense, you can’t always predict the consequences,” he said. Which makes it trickier.

Eoyang agreed. It can be hard to know what was intended, and what was not, she said. An attacker may not understand the interdependencies of systems, and the way those could lead to unintended consequences.

‘That’s the Future’

Another session offered signs of progress. The moderator was Chris Krebs, Easterly’s predecessor as director of CISA. The panelists were all from the tech side of their companies. At one point Krebs asked them to talk about risk strategy. Marene Allison, CISO at Johnson & Johnson, said, “Sometimes as security professionals, we really like the idea of perfect security. Patch everything, know everything that’s everywhere all the time. But the reality is: Will you ever?” For her, that approach doesn’t make sense. “My big pivot was into cyber resiliency and business risk.”

Mastercard also aims for realistic security rather than perfection. But Ron Green added that part of its focus is on its ecosystem. If his company is secure, said Green, Mastercard’s chief security officer, but the merchants they work with are being compromised, consumers may lose confidence. And that’s a threat for Mastercard. The solution is to work with others in their ecosystem to help them “raise their security game by not just telling them what the good thing is,” Green said, “but to actually give them things that they can implement in their environment today for free. Just to raise the level of security.”

Krebs jumped in. “This dynamic that you’re talking about, where the products and services are pushing solutions out further to the edge to protect the user—I think that’s the future,” Krebs declared. “Whether you’re in the software products and services space or in the internet infrastructure space, you’re seeing more solutions pushed down to the consumer.”

Noopur Davis, CISO at Comcast, quickly agreed. “Anyone who buys a gateway from us, anything that they connect through that gateway—whether it’s a wired or wireless connection—is protected,” she said. “We look for malware, we look for network traffic, we look for bad sites. It’s embedded and it’s there by default.” It makes sense for companies to boost customer security if they can. “It’s mutually beneficial,” she said.

Allison said that the focus on resilience has her company’s full attention. “It’s almost like what we did in those Y2K days,” when business continuity planning was so important. J.&J. is trying to prepare in some of the same ways it did back in the late 1990s, but in this case it’s to ensure cyber resilience, she said.

Mastercard has seen the same thing. The company’s executives and even board members “want to actually review how we respond to a cyber incident—and participate in our cyber exercises,” Green said. They want to know because they see how often it’s happening, he added.

To Krebs, these attitudes seemed to announce the arrival of a long-held hope. “That’s the shift that we’ve been praying for the last couple of years,” he said. “The shift from technical risk to business risk.” Green’s comments also connected with Krebs’s earlier observation about cyber security’s most important rule. “It starts at the top,” he’d said. “If the leader is not on board, your jobs as CISOs are incredibly difficult.”

Who Is Accountable?

Not long after Monaco’s session, there was a lively discussion about the electric grid featuring three leaders who have skin in the game. Moderator Patrick O’Neill from MIT Technology Review asked whether the United States is holding people accountable for attacks like the Dragonfly assault on the U.S. electric grid, which has been attributed to Russia.

But it turned out that the panelists were more interested in another question involving accountability—one that was closer to home. Who is accountable for defending the electric grid? That was the one they mostly answered.

Defense requires an active offense, said Connie Lau, who heads Hawaiian Electric. The government is the power the companies depend on to protect the grid, she continued, and has recently demonstrated a greater willingness to use its offensive capabilities to disrupt threats before systems are harmed.

She then asked a question that undoubtedly reflected the concerns of many companies worried about growing security costs. “We all are patriots,” she said, “we all want the national security. But at the end of the day, who ends up paying for that?” State ratepayers obviously shoulder some of the costs, she said, and the government has contributed. But it requires a partnership, she emphasized.

Joy Ditto, who heads the American Public Power Association, cited the U.S. attack on the Iranian centrifuges at Natanz as the first example of the country flexing its muscles and demonstrating its offensive capabilities. That prowess is important in defending the grid, she agreed. But then she indirectly raised another question: How reliable is the country’s commitment in a hyper-partisan political environment? The industry has to keep talking to the government on these issues, and the good news is that “it’s a bipartisan conversation,” she said. “We almost don’t miss a beat when there’s a new administration that comes in.”

Pedro Pizarro, CEO of Edison International, concurred. “I watched this during the Obama administration. I watched this during the Trump administration. Now I’m watching it in the Biden administration. The arc has continued.”

As for O’Neill’s original question, Monaco had earlier said that individuals have been indicted and held accountable, but the victories have been small and have not stanched the attacks. The importance of the question was underscored by Senator Angus King later in the day. In a session on cyber security legislation, he was asked what bills he would favor. King used the opportunity to address the issue he is most concerned about, which turned out to be the one O’Neill had raised. “I think the most important thing is for the administration and the president to develop a clearly articulated deterrent doctrine,” he said, “to put our adversaries on notice that they will pay a price for attacking us in cyber space.

"Our adversaries,” he concluded, “don’t fear consequences.”