Ransomware, Governance, Risk and Compliance

Thirty nations, including US, agree on principles to fight ransomware

The White House, seen from atop the Washington Monument on Sept. 19, 2021, in Washington. (Photo by Al Drago/Getty Images)

The 30 nations participating in a two-day White House virtual summit on ransomware wrapped up on Thursday, producing a joint statement on cooperation moving forward. While many of the ideas are not new, the growing international consensus is.

"A nation’s ability to effectively prevent, detect, mitigate and respond to threats from ransomware will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public," wrote the nations.

The 30 nations represent some of the most important stakeholders in combatting ransomware. While ransomware has always been a global problem, Western powers at the meeting like the U.S., E.U. and U.K. have been particularly hard hit. Ukraine was the primary target of NotPetya (which presented like a ransomware attack) and South Korean authorities announced in June attacks on local systems had tripled in 2020. But the importance of the nations involved goes beyond victimhood. India, Ukraine, Brazil, Nigeria, the U.K. and the United States represent top markets for cryptocurrency, a growing battlefront in the ransomware fight. Ukraine and Bulgaria, once relative safe-havens for cybercriminals, have each recently agreed to aid the U.S. in breaking up cybercriminal organizations.

The 30-nation statement is not an agreement to specific terms, but covers a wide variety of different ransomware choke points. One key point of agreement will be a cooperative move toward anti-money laundering laws and penalties within cryptocurrency exchanges. When the U.S. recently sanctioned the Suex exchange for its role as a key node in ransomware finance, experts agreed that, for a cryptocurrency exchange strategy to work, it needed to be a global effort with more agility than waiting for the United States to periodically sanction exchanges. The 30 nations agreed on that point.

"We acknowledge that uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors seeking platforms to move illicit proceeds without being subject to appropriate anti-money laundering (AML) and other obligations," the countries wrote.

Instead, the nations agreed to "enhance the capacity of our national authorities, to include regulators, financial intelligence units, and law enforcement to regulate, supervise, investigate, and take action against virtual asset exploitation" while seeking out "ways to cooperate with the virtual asset industry to enhance ransomware-related information sharing."

The nations also agreed to broad cooperation in law enforcement and disruption efforts across boundaries, including committing to fight "cybercriminal activity" within their borders. This kind of agreement was a key component of the multistakeholder Ransomware Task Force policy suggestions. The countries also agreed to keep all "national tools" on the table to disrupt ransomware groups, which is particularly meaningful after NSA and U.S. Cyber Command director Gen. Paul Nakasone told lawmakers his charges were preparing a "surge" against ransomware groups, bringing intelligence tools to bear in the fight.

Another agreement was to present a unified front against nations that do not willingly stop international cybercriminals from operating in their borders. While not specifically mentioned, this was likely a reference to Russia, who was not invited to the summit over its reputation for harboring ransomware groups and other criminals. With an upper bound to the amount of sanctions the U.S. can independently pose on Russia, experts agree that international diplomatic coalitions are the only mechanism to force Russia in line.

The statement of principles earned high praise from Jonathan Reiber, senior director for strategy and policy at AttackIQ and a former chief strategy officer for the Department of Defense. He praised sections on increasing resilience in the international private sector through improved baseline security and the efforts to curb cryptocurrency abuse. But, he said, the most important things to come from the summit may still be yet to come.

"The really interesting things about these statements are not what's in the statements. It's the conversation strategically that happens later when leaders get together and say 'OK, how are we going to actually do this,' and they begin to do the work through the specifics," Reiber said. 

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.