[BreachExchange] Biden Administration announces flurry of new anti-ransomware efforts

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 16 11:27:30 EDT 2021


https://www.csoonline.com/article/3625672/biden-administration-announces-flurry-of-new-anti-ransomware-efforts.html

Under pressure to halt ongoing and highly damaging ransomware attacks from
Russian criminal groups, the Biden administration yesterday announced a
flurry of defensive initiatives to deal with the crisis. These
announcements come one week after President Biden issued a stark warning to
Russian President Vladimir Putin to deal with the ransomware threat groups
in his country or else the US will take action to dismantle the threat.

First, the State Department announced that its Rewards for Justice program,
which the Diplomatic Security Service administers, will give a $10 million
reward to anyone offering information that leads to identifying
state-sponsored threat actors. Specifically, rewards will be given to those
who supply information that leads to the “identification or location of any
person who, while acting at the direction or under the control of a foreign
government, participates in malicious cyber activities against US critical
infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

The Rewards for Justice (RFJ) program has set up a Tor-based dark web
reporting site to protect the safety and security of potential sources.
Additionally, the RFJ program works with interagency partners to enable the
rapid processing of information and the possible relocation of and payment
to sources.

Second, the Treasury Department’s Financial Crimes Enforcement Network
(FinCEN) announced it would convene a FinCEN Exchange in August 2021
focused on ransomware concerns. The Exchange will be composed of financial
institutions, other key industry stakeholders, and federal government
agencies. The goal of the meeting is to inform FinCEN’s next steps in
addressing ransomware payments.

The announcement stops short of saying that the new group would examine how
to disrupt payments to ransomware actors, one widely touted solution to the
ransomware problem. FinCEN’s Acting Director Michael Mosier said that
“since this extortion threatens our collective safety, it is critical that
we collaboratively gather to confront this threat together and determine
the best way to increase our collective resilience to these malicious
attacks.”

Further, the Department of Justice and the Department of Homeland
Security’s Cybersecurity and Infrastructure Security Agency (CISA)
announced the launch of a new educational website focused on ransomware
called StopRansomware.gov. CISA’s newly installed leader Jen Easterly
called the site “a new one-stop location with tools and resources for
organizations of all sizes today.”

White House inter-agency task force will coordinate ransomware measures

The White House has formed a previously unannounced inter-agency government
task force to coordinate government measures against ransomware. According
to reports, the task force oversees efforts to create more resilient
federal networks, halt ransomware payments to threat actors, and coordinate
with US allies. The group is also tracking efforts of the anti-ransomware
initiatives.

The White House ransomware task force differs from the ransomware task
force formed by the Institute of Security and Technology (IST) earlier this
year. That task force, representing more than 60 public and private
organizations, also includes government agencies such as the FBI, CISA, and
the Secret Service.

The Administration has seemingly only just started with its multi-pronged
approach to tackling ransomware. White House officials have said they are
also exploring partnerships with cyber insurance companies and critical
infrastructure players so that the government can receive more information
about ransomware attacks.

New initiatives take place against the backdrop of ongoing US-Russia talks

These developments are taking place even as an informal US-Russian working
group meets to hammer out a solution to the problem. The latest meeting of
the working group was on Wednesday.

Those talks are “part of the ongoing engagement that has been occurring at
the expert level since the President met with [Russian] President Vladimir
Putin,” White House press spokesperson Jen Psaki said during a press
briefing Thursday. “No one meeting is necessarily decisive. It’s about
having a continued discussion about our expectations and the steps that
need to be taken to address ransomware attacks and cyberattacks.”

One missing component from the Administration’s announcements is a clear
and specific articulation of the need for the US to collaborate with other
nations in taking down ransomware actors. Earlier this week, INTERPOL’s
Secretary General Jürgen Stock said during a speech at the INTERPOL
High-Level Forum on Ransomware that although individual nations are working
to curb ransomware, effective solutions require international collaboration
on the level used to fight terrorism and human trafficking. “Despite the
severity of their crimes, ransomware criminals are continuously adapting
their tactics, operating free of borders and with near impunity,” he said.

First small steps on a long road

Reaction to the spate of initiatives seems cautiously optimistic. Senator
Angus King (I-ME), the co-chair of the congressionally chartered Cyberspace
Solarium Commission, said on Twitter he’s impressed with the
Administration’s approach, but more work is needed. “I’ve been impressed by
the Administration’s steps to address ransomware, starting with [President
Biden] confronting Putin to hammer home that attacks on US networks will
bring a response. There’s much more work to do, but we’re headed in the
right direction.”

Megan Stifel, senior policy counsel with the Global Cyber Alliance and
co-chair of IST’s ransomware task force, likewise praises the White House
efforts but thinks more action is required. “I think these are strong first
steps,” she tells CSO. “Some of the resources that were made available
today, particularly Stopransomware.gov, make more accessible the steps that
particularly vulnerable users can take.”

Matthew Rojansky, director of the Wilson Center’s Kennan Institute, concurs
with Stifel. “These are the first small steps on a long road,” he tells
CSO. “As a defensive measure, we as a country are trying to turn the tide
on this.”

Broader, global toolkit needed but is years away

Rojansky agrees with INTERPOL’s Stock that a global response to ransomware
is necessary for the long run. “We are going to need a better, broader
global tool kit for dealing with the problem of ransomware,” he says. “One
could argue that it’s not that different from any other kind of global
criminal activity. We’ve had to deal with trafficking, we’ve had to deal
with terrorism, we’ve had to deal with all kinds of global bad actors.”

However, the kind of collective, multilateral action needed to address
cybersecurity is a very long-term proposition. “These things take years and
years to come together,” Rojansky says. “I’m not overly optimistic, that's
our go-to resource.

More emphasis on robust security practices needed

Shawn Kanady, director of threat fusion and hunt at Trustwave SpiderLabs,
wishes the White House would emphasize the need for more robust security
practices as a first-line defense against ransomware attackers. “There
isn’t anything that is terribly novel in how ransomware is deployed,” he
tells CSO. “Unfortunately, it has been too easy for attackers to infiltrate
companies. There are too many sectors that are using legacy solutions and
architecture and are not able to react quick enough, let alone be proactive
in their cybersecurity approach.”

Kanady is also skeptical of the State Department’s $10 million rewards. “I
think this is a good-faith effort in getting information, but I would be
curious to know how well this has worked historically as it relates to
cybercrime. Shadow operations and undercover cyber ops are probably the way
to get to the source of who the attackers really are and how they operate.”