Ransomware Task Force priorities see progress in first year

Ransomware Task Force priorities see progress in first year

This blog is part of our live coverage from RSA Conference 2022:

US President Joseph R. Biden Jr., The White House, and law enforcement agencies across the world paid close attention last year when a group of more than 60 cybersecurity experts launched the Ransomware Task Force, heeding the group’s advice on how to defend against ransomware attacks and deny cybercriminals their ill-gotten riches.

Of the Ransomware Task Force’s initial 48 recommendations—published in their report last year—12 have resulted in tangible action, while 29 have resulted in preliminary action, said Philip Reiner, chief executive officer for the Institute for Security and Technology and member of the Ransomware Task Force.

The progress, while encouraging, is not the end, Reiner said.

“Not enough has been done,” Reiner said. “There is still a great deal of work that remains to be done on this front to blunt the trajectory of this threat.”

At RSA Conference 2022, Reiner moderated a panel of other Ransomware Task Force members which included Cyber Threat Alliance President and CEO Michael Daniels, Institute for Security and Technology Chief Strategy Officer Megan Stiflel, and Resilience Chief Claims Officer Michael Phillips. The four discussed how separate levels of the government responded and acted on the five priority recommendations made by the Ransomware Task Force last year.

In short, many promising first steps have been made, the panelists said.

“Look at what the US government has done in the past year—the impressive speed at which [they’ve] organized and focused on the ransomware threat,” Daniels said. “Everything from presidential statements, to work in the international area, to convening a ransomware task force inside the government to start working on this issue.”

He continued: “I think it’s clear that governments are really engaged in this issue in a way that they weren’t just a couple of years ago.”

Last year, governments across the world collaborated together in taking down ransomware threat actors. In June 2021, Ukrainian law enforcement worked with investigators from South Korea to arrest members affiliated with the Clop ransomware gang, and months later, members of the FBI, the French National Gendarmerie, and the Ukrainian National Police arrested two individuals—and seized about $2 million—from an unnamed ransomware group.

Around the same time as the undisclosed arrests, President Biden traveled to Switzerland to speak at a cybersecurity summit that was also attended by Russia President Vladimir Putin. When the two met, Biden reportedly told Putin that the United States was willing to take “any necessary action” to defend US infrastructure. The US President’s statement came shortly after the ransomware attack on Colonial Pipeline, which was attributed to the cybercriminal group Darkside, which is believed to be located in Russia.

“I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” President Biden said of the attack at the time, according to reporting from the BBC. But, Biden added, “there’s evidence that the actors’ ransomware is in Russia—they have some responsibility to deal with this.”

Separately, Stifel from the Institute for Security and Technology welcomed recent developments—which may take many more years to solidify—to create a standardized format and timeline for companies and organizations to report ransomware attacks.

“It will be some time, and some of you may be retired by the time it’s in place,” Stifel said, “but it’s there. You have to start somewhere.”

The panelists also acknowledged recent government efforts to appropriate cybersecurity recovery and response funds in the latest infrastructure bill. While the Ransomware Task Force specifically asked for funds for ransomware recovery and response, a broad package of millions of dollars for overall cybersecurity events is still considered a win.

One underdeveloped priority area that every panelist stressed was the need for faster, more accurate data on ransomware attacks and recovery costs. Without a centralized database—and without a requirement to report both attacks and ransom payments—the government and cybersecurity companies are working with limited information.

The panelists also lamented the difficulties posed in trying to remove safe havens for ransomware actors. As the governments that already provide cover for ransomware groups have little to no impetus to change their positions, it’s up to global governments to start working together.

“I can see the US government trying to, internationally, build a collation of countries—not just US agencies, but multiple agencies across multiple jurisdictions at the same time,” Daniels said.

He continued: “This threat has become so large that no government can really just ignore it.”