Ransomware has become a lucrative money-making enterprise for criminals and a useful tool for some nations, with consequences for national security, economic prosperity, and public health and safety. Its global nature means that individual countries or organizations cannot successfully thwart this threat alone—it will require complex, sustained, joint, collaborative international action.
A U.S. politician once said, “All politics is local.” That statement once applied to crime as well – in the past, a person had to be physically present to carry out a criminal act, even if they were acting at the behest of someone far away. However, as we have learned over the last two decades, this truism does not apply to cybercrime. The Internet enables criminals to act anonymously at a distance, and it allows them to operate at high speed and enormous scale. A malicious actor can target huge numbers of connected individuals and organizations from anywhere in the world, crossing arbitrary political boundaries at will. These factors alone make cybercrime an international problem.
Yet, two additional factors reinforce cybercrime’s international nature. First, cybercriminals artfully exploit the gaps, seams, and tensions endemic to the nation-state based international system when conducting their activities, relying on the relatively slow speed of international law enforcement and the difficulty of working across borders. Second, some countries have found it in their interest to provide safe haven for cybercriminals, hindering the ability of international law enforcement efforts to address the problem. This combination of factors made cybercrime a lucrative and growing business, which in turn was driving the development of new types of international cooperation.
A turning point
However, the explosion in ransomware attacks over the past three years has transformed cybercrime. What was once an economic nuisance has suddenly become a threat to national security, economic prosperity, and public health and safety. In effect, ransomware has converted cybercrime from an international problem to an international crisis.
As a result, combatting ransomware demands more than individual country measures or bilateral diplomacy; it requires coordinated, collaborative international action. What would such actions look like? In April 2021, the Institute for Science and Technology’s Ransomware Task Force presented a report that identified nine potential international actions that would help combat ransomware.
Issuing declaratory policies
Major international groups and organizations (such as the G20 or Interpol) should issue joint declarations condemning ransomware as a national security concern and/or a threat to critical infrastructure and commit to pursuing ransomware actors. These declarations should outline the steps signatories will take together and commit each nation to creating a domestic counter-ransomware action plan.
Creating an international coalition
Like-minded nations should establish a standing group focused on combating ransomware. Countries should identify specific representatives to this group, which would serve as a conduit for sharing information and other resources related to the ransomware threat. This coalition could be modeled on Europol’s Joint Cybercrime Action Taskforce, and it should include representatives from law enforcement, intelligence agencies, network defenders, non-governmental organizations, and private industry. It should carry out key shared tasks, such as building a legal case against criminal actors, pursuing targets/groups through pooling resources and tools, and amplifying takedowns when they happen.
Establishing a network of investigative hubs
Governments should create a network of four to five investigative hubs, leveraging cyber assistant legal attachés (ALATs), International Computer Hacking and Intellectual Property (ICHIP) lawyers, and other associated government legal experts. These hubs should align their investigative priorities and resources to create maximum impact, foster a culture of information sharing, operate in diverse geopolitical regions to enable swift sharing of intelligence, contribute to the international coalition, and assist in international disruption activities.
Conducting an international intelligence assessment
Partner nations should develop a joint international intelligence assessment on ransomware actors to create a more complete picture of the global security threat they pose and to serve as the baseline for coordinated international efforts. An international intelligence assessment will help raise the global intelligence collection priority against ransomware actors so that nations can bring additional resources to bear to support international collaborative efforts against ransomware.
Reducing the scope and scale of cybercriminal safe havens
Nations should collectively exert pressure on other nations that refuse to act against ransomware criminals. Pressure could include economic and trade sanctions; constraints on “safe haven” country activity in international financial markets; using evidence of complicity to “name and shame” them in public forums to disrupt their freedom of activity; withholding military or foreign assistance aid; or denying visas to their citizens.
Assisting resource-constrained countries
Some nations that serve as home bases for ransomware actors may not understand the gravity of this crime, or they may lack sufficient resources to prosecute ransomware criminals. Therefore, capable governments should coordinate the provision of training and capacity-building to such countries and conduct joint law enforcement operations.
Applying international financial best practices to cryptocurrencies
Nations should agree to consistent licensing and registration requirements for cryptocurrency exchanges, crypto kiosks, and OTC trading desks where criminals “cash out” their cryptocurrency from ransomware payments. Currently, many of these entities are not subject to Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws, and those that are subject to those laws do not consistently report suspicious transactions to law enforcement or other institutions. Enforcement bodies should penalize non-compliant exchanges, kiosks, and OTC desks, with a particular focus on mixing services that obfuscate criminal transactions with legal traffic. Traditional financial institutions that fund these entities should also impose stricter rules.
Developing a ransomware prevention and response framework
Although multiple organizations have published ransomware preparedness, prevention, and response guides, no single, authoritative source of best practices exists. Creating a unified, internationally accepted framework that lays out clear, actionable steps to defend against, and recover from, ransomware would fill this gap. Local efforts might be regionally effective, but a coordinated international effort will more effectively disrupt the economics of the cybercrime market. It will also drive greater adoption in organizations that operate in more than one country. The Ransomware Framework should also be consistent with existing international cybersecurity frameworks, such as International Standards Organization publications and the United States National Institute of Standards and Technology’s Cybersecurity Framework.
Supporting a Ransomware Incident Response Network
Governments need more accurate and timely information about ransomware attacks in order to combat the problem effectively. To address the information gaps, governments should support the development of an international Ransomware Incident Response Network (RIRN) that would share such information rapidly and in standardized formats. The RIRN would serve several functions, including facilitating receipt and sharing of incident reports, directing organizations to ransomware incident response services, aggregating data, and sharing or issuing alerts about ongoing threats. RIRN entities would share the resulting information in an anonymized form with other cyber intelligence organizations and national governments in the network, including law enforcement. Other RIRN functions could include sharing or issuing alerts about ransomware threats in non-technical language. Such alerts would be designed to engage as broad an audience as possible and to prompt action to counter specific threats. The RIRN should include non-profit organizations; for-profit cybersecurity vendors, insurance providers, and incident responders; and national government agencies, including law enforcement.
Ransomware has become a lucrative money-making enterprise for criminals and a useful tool for some nations. Its global nature means that individual countries or organizations cannot successfully thwart this threat alone. Fighting it effectively will require complex, sustained, joint, collaborative international action. As a result, making ransomware less profitable and reducing its impact on societies will be challenging and take years to accomplish. The time to begin that work is now.
About the Author
Michael Daniel serves as the President & CEO of the Cyber Threat Alliance (CTA), a not-for-profit that enables high-quality cyber threat information sharing among cybersecurity organizations. Prior to CTA, Michael served for four years as US Cybersecurity Coordinator, leading US cybersecurity policy development, facilitating US government partnerships with the private sector and other nations, and coordinating significant incident response activities.