Ransomware Task Force priorities see progress in first year
This blog is part of our live coverage from RSA Conference 2022.
US President Joseph R. Biden Jr., the White House, and law enforcement agencies across the world paid close attention last year when a group of more than 60 cybersecurity experts launched the Ransomware Task Force, heeding the group’s advice on how to defend against ransomware attacks and deny cybercriminals their ill-gotten riches.
Of the Ransomware Task Force’s initial 48 recommendations, published in their report last year, 12 have resulted in tangible action, while 29 have resulted in preliminary action, said Philip Reiner, chief executive officer for the Institute for Security and Technology and member of the Ransomware Task Force.
The progress, while encouraging, is not the end, Reiner said.
“Not enough has been done,” Reiner said. “There is still a great deal of work that remains to be done on this front to blunt the trajectory of this threat.”
At RSA Conference 2022, Reiner moderated a panel of other Ransomware Task Force members, which included Cyber Threat Alliance President and CEO Michael Daniels, Institute for Security and Technology Chief Strategy Officer Megan Stifel, and Resilience Chief Claims Officer Michael Phillips. The four discussed how separate levels of the government responded and acted on the five priority recommendations made by the Ransomware Task Force last year.
In short, many promising first steps have been made, the panelists said.
“Look at what the US government has done in the past year: the impressive speed at which [they’ve] organized and focused on the ransomware threat,” Daniels said. “Everything from presidential statements, to work in the international area, to convening a ransomware task force inside the government to start working on this issue.”
He continued: “I think it’s clear that governments are really engaged in this issue in a way that they weren’t just a couple of years ago.”
Last year, governments across the world collaborated to take down ransomware threat actors. In June 2021, Ukrainian law enforcement worked with investigators from South Korea to arrest members affiliated with the Clop ransomware gang, and months later, members of the FBI, the French National Gendarmerie, and the Ukrainian National Police arrested two individuals, and seized about $2 million, from an unnamed ransomware group.
Around the same time as the undisclosed arrests, President Biden traveled to Switzerland to speak at a cybersecurity summit that was also attended by Russian President Vladimir Putin. When the two met, Biden reportedly told Putin that the United States was willing to take “any necessary action” to defend US infrastructure. The US President’s statement came shortly after the ransomware attack on Colonial Pipeline, which was attributed to the cybercriminal group Darkside, which is believed to be located in Russia.
“I’m gonna be meeting with President Putin and so far there is no evidence, based on our intelligence people, that Russia is involved,” President Biden said of the attack at the time, according to reporting from the BBC. But, Biden added, “there’s evidence that the actors’ ransomware is in Russia; they have some responsibility to deal with this.”
Separately, Stifel from the Institute for Security and Technology welcomed recent developments, which may take many more years to solidify, to create a standardized format and timeline for companies and organizations to report ransomware attacks.
“It will be some time, and some of you may be retired by the time it’s in place,” Stifel said, “but it’s there. You have to start somewhere.”
The panelists also acknowledged recent government efforts to appropriate cybersecurity recovery and response funds in the latest infrastructure bill. While the Ransomware Task Force specifically asked for funds for ransomware recovery and response, a broad package of millions of dollars for overall cybersecurity events is still considered a win.
One underdeveloped priority area that every panelist stressed was the need for faster, more accurate data on ransomware attacks and recovery costs. Without a centralized database, and without a requirement to report both attacks and ransom payments, the government and cybersecurity companies are working with limited information.
The panelists also lamented the difficulties posed in trying to remove safe havens for ransomware actors. As the governments that already provide cover for ransomware groups have little to no impetus to change their positions, it’s up to global governments to start working together.
“I can see the US government trying to, internationally, build a coalition of countries: not just US agencies, but multiple agencies across multiple jurisdictions at the same time,” Daniels said.
He continued: “This threat has become so large that no government can really just ignore it.”