Cyber Security News


Why track cyber security news? Cyber security is a world unto itself. It’s a profession, an IT discipline and now a major industry. Companies, consumers and governments are spending billions of dollars a year on cyber security. Security also pervades many areas of life that have little to do, seemingly, with cyberspace. Thus, to keep up with the world in general, it’s helpful to stay aware of news that relates to cyber security.

For example, the dispute between the US government and Huawei is at once about international trade, national security, telecom industry competition… and cybersecurity. Security is a root issue with Huawei, given the suspicions about the company’s connections to the Chinese Communist Party (CCP). However, the company’s size, reach and technological innovation push the matter to the forefront of US-China relations.

Or, take consumer cyber risks. We cover cyber security news that deals with consumers’ exposure to cybercrime and fraud. Consumers are increasingly at risk for identity theft, credit card and other malfeasance at the hands of cyber criminals. The articles we curate on this subject come from law enforcement publications, mainstream media and specialized blogs.

Public policy is now being influenced (or should be) by cyber security news. Policy makers should be aware of how cyber security affects their jobs and constituents’ lives. For instance, the “smart city” is both an innovation and a threat. Using IoT sensors and advanced data analytics to improve municipal services is a great idea. However, the smart city also exposes government data to breach.

This is particularly urgent given the relatively insecure technologies (e.g. Chinese-made sensors) used for the smart city and the wireless connectivity that makes it all possible. Add malicious nation-state actors to the mix, such as the ones currently paralyzing American cities with ransomware, and one can see the potential danger.

DHS Secretary Mayorkas and EU Commissioner Johansson announce the intent to form a new U.S.-EU working group to fight ransomware

Secretary of Homeland Security Alejandro N. Mayorkas and EU Commissioner Johansson announced the intent to form a new U.S.-EU working group to fight ransomware. Separately, the EU has issued the bulletin “Commission proposes a Joint Cyber Unit to step up response to large-scale security incidents.” In response, international cybersecurity expert Dr. Chenxi Wang offers perspective on ongoing transnational cooperation on ransomware and other major cyber threats.

Policy Insight:

Dr. Chenxi Wang, General Partner, Rain Capital (she/her – former Forrester VP of Research and Carnegie Mellon professor):

“Ransomware is now an international problem and it will require international-scale coordination and collaboration as a response. Information sharing is one area in which the EU and US can strengthen their collaboration. Ransomware gangs may target businesses in multiple regions. The ability to share attack signatures and tactics, techniques, and procedures (TTPs) in a timely manner can be an effective measure against widespread ransomware attacks. Special criminal prosecution and extradition policies for ransomware offenses are another area that the EU and US can tackle. Criminals may think twice about targeting another country’s businesses or infrastructure if they know they could be prosecuted in that country’s jurisdiction. Establishing a no-ransomware treaty could be another area for collaboration. The impact of ransomware could rival some of the most destructive weapons ever created in human history. That is why a treaty, much in the same vein as the Nuclear Arms treaty, may be required to contain this problem. Traditional measures like law enforcement are difficult to work across international boundaries when sovereign countries have different views and attitudes toward the problem. Countries may have to work on special laws/policies for prosecution and extradition for ransomware offenses across the borders. Having a coalition between the EU and US on ransomware helps, but there are other countries where there are very few economic opportunities. People in those countries may turn to cybercrime as an outlet and their local law enforcement may not be incentivized to do anything, as these activities may create economic value for the country. This is an international-scale problem, and countries need to work together to create an international-scale response. An EU-US coalition could be the first step, but collaboration must extend to other countries where cybercrimes are rampant.”

Policy Insights: Bipartisan group of U.S. House of Representatives members introduces H.R. 4055

A bipartisan group of U.S. House of Representatives members introduced H.R. 4055 in a move to establish a cybersecurity literacy and public awareness campaign targeted to educating the American public. Representative Adam Kinzinger (D-IL-16) said: “As technological advancements increase and become more complex, it is critical that everyone is aware of the risks posed from cyberattacks and how to mitigate those risks for personal security.” Kinzinger leads the initiative with Representatives Gus Bilirakis (R-FL), Anna Eshoo (D-CA), Marc Veasey (D-TX), and Chrissy Houlahan (D-PA) to introduce the American Cybersecurity Literacy Act.

In response, cybersecurity experts with Haystack Solutions and Veridium offer perspective.

Doug Britton, CEO, Haystack Solutions:

     “Educating and training the public and a cyber workforce should be national priorities. With an increasingly alarming and disruptive attack pattern making headlines and impacting citizens directly, the urgency on both fronts is real. The nation is underprepared to meet current and future demands for cybersecurity talent. As a nation we need to educate the public, and also be innovative and find cyber talent regardless of background or education. This is an excellent time to showcase the incredible opportunity for young people as well as career changers, who are interested in entering the cyber security industry. We have the tools to find aptitude for cyber talent wherever it lies. Bolstering this approach with public and private investment will be critical in ensuring the safety and public welfare of the nation.”

Rajiv Pimplaskar, CRO, Veridium:

     “Education is half the battle, and it’s great to see the NTIA launching a cyber literacy campaign. One of the key topics of awareness needs to be acknowledging that a chain is as strong as the weakest link and sparking a debate about balancing security with convenience and choice at the user level. Educated users will be more willing and better prepared to move away from complex, unwieldy and easily abused passwords and choose new and better passwordless authentication methods instead. Such authenticators like phone as a token or FIDO2 security keys are more resistant to phishing attacks and help establish a trusted digital relationship between the end user and the IT service. This bill has several potential advantages in terms of advancing the public good. Beyond the urgent necessity of improving security for individuals and organizations, heightened user awareness and demand can incentivize B2C and B2B companies to offer increased choices of such authenticators, which in turn reduce customer friction and improve productivity.”

Chinese surveillance firm builds influence in Washington, with help from former members of Congress

Three former lawmakers have registered as foreign agents for the U.S. branch of Hikvision, the maker of cameras used to monitor Uyghur Muslims inside China’s detention camps. The firm has been blacklisted in the U.S. due to security and human-rights concerns.

After Trump’s ban failed, Biden gives TikTok a second look.

Biden is concerned about the national security risks posed by the app’s Chinese owners.

Trump Supporters Openly Discussed Armed ‘Revolution’ Before Capitol Riot: FBI Report

New information raises even more troubling questions about the FBI’s lack of action ahead of the Jan. 6 violence.

Bill seeks to bar Chinese military scientists from entering United States – Homeland Preparedness News

A group of lawmakers recently reintroduced legislation they said would require the government to develop a list of scientific and engineering institutions affiliated with the Chinese People’s Liberation Army (PLA). U.S. Sens. Marco Rubio (R-FL), Tom Cotton (R-AR), Ted Cruz …

Dam releases, bank failures and poisoned water: Cyber pros warn worst cases are possible

Cyberattacks could be far more devastating than anything seen so far unless the US girds its critical systems against digital intruders.

Google’s partnership to share health data is a problem – VentureBeat – Fior Reports

On May 26th, Google and HCA Healthcare, a national hospital chain, announced a data sharing partnership that gives the internet …

Cybersecurity figured prominently at the Russo-American summit. Hardware phishing. Chinese cyberespionage and Chinese cybercrime.

Policy Insights: NATO may launch a military response against cyberattackers

In the Brussels Summit Communiqué, issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Brussels 14 June 2021, NATO stated that it will consider on a case-by-case basis treating cyberattacks similarly to physical attacks against allies. The communiqué indicates NATO may launch a military response against perpetrators. Under Article 5 of the 1949 NATO treaty, any armed attack on a NATO ally is considered an attack on all alliance members, who may then defend the ally. At the North Atlantic Council meeting in Brussels yesterday, the alliance disclosed a Comprehensive Cyber Defence Policy in which Article 5 responses may be taken following a cyber-attack. The communiqué specifically calls out Russia for “attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries.”

The move follows several recent high-profile cyberattacks on commercial/industrial sector providers of critical infrastructure and services.

Policy Insights from three commercial and national defense sector cybersecurity experts:

Elena Elkina, JD, CIPP/US, CIPP/E, CIPT, Partner, Aleada (she/her):

“We live in the world where cyber defense is imperative for companies and countries. In the light of the frequency, complexity, and destructive power of the most recent attacks, the only surprise is that it took NATO up to this point to make public this decision and take assertive action. The time for delicacy is over, and it is time for NATO to reaffirm its position and request other countries to act respectfully and responsibly.”

Doug Britton, CEO, Haystack Solutions, a former linguist and HUMINTer in US Army intelligence with US Special Forces Command (during Operation Enduring Freedom), the holder of 10 US patents for cyber defense inventions, and a former cyber-intel initiative contributor at Lockheed:

“This communique makes clear that the US and her allies must change the urgency and economics around finding the undiscovered cyber geniuses whose innate aptitudes make them among the potential best and brightest, and then train them at a new pace and price point, and get them into the fight as soon as possible. This is a clarion call for the best talent on defense, repelling attackers at the cyber borders, and on offense, deploying cyber weapons against adversaries.”

Garret Grajek, CEO, YouAttest:

“The Brussels Communique is a logical statement because cyber-attacks are similar to armed attacks in that they can and do indiscriminately affect both civilian and government populations. The Colonial Pipeline cyberattack was proof of how a cyberattack can affect a civilian population. Most experts agreed that because of the open nature of the democratic networks, to be effective against these attacks the West must apply pressure to the points of origin of such attacks. NATO’s message is just that. It’s a strong sign to the nations that either harbor or turn a blind eye to attackers on its soil that these malware campaigns will be taken very seriously.”