In the first year of his presidency, Joe Biden has made strong efforts to fulfill his campaign promise to get tough on national cybersecurity. The pledge was both a natural complement to his agenda of renewing American infrastructure and a way to differentiate himself from the previous administration. To those in the cybersecurity field, President-elect Biden’s messaging on cybersecurity after the election was encouragingly robust. Looking back on almost a year of the Biden administration, those pre-inauguration overtures have begun to bear real fruit. Most importantly, the president has pushed for effective means of improving the nation’s cyber resilience against one of today’s most damaging and widespread threats: ransomware.
The Biden administration hit the ground running on ransomware. In February, Department of Homeland Security (DHS) Secretary Alejandro Mayorkas issued a call to action to tackle ransomware more effectively, setting off a cascade of initiatives over the following months. In March, DHS launched a series of sixty-day sprints to streamline and standardize the federal response to ransomware and cybercrime. The U.S. Secret Service held a virtual cyber incident response simulation with state and local governments, and the Cybersecurity and Infrastructure Security Agency, along with the Treasury Department, engaged the cyber insurance industry on the future of their collaborative response to ransomware. The U.S. Coast Guard trained to synchronize its own incident response plans with those of individual states, and Immigration and Customs Enforcement (ICE) held a number of symposia on cybercrime and ransomware.
In collaboration with European partners, the Treasury Department has sought to streamline information sharing aimed at disrupting and deterring the ransomware ecosystem, including the services used to launder and hide illicitly obtained funds. The Treasury Department has also targeted the safe harbors that ransomware criminals and syndicates rely on. Ransomware payments, denominated in cryptocurrencies, topped $400 million globally in 2020, to say nothing of the downstream economic losses from downtime, data loss, and rebuilding. The Treasury’s offensive includes more aggressive scrutiny of cryptocurrency exchanges such as the Russia-based SUEX OTC, a broker that, according to Treasury, facilitated transactions involving proceeds from at least eight ransomware variants. Treasury sanctioned SUEX in September as part of an international effort to go after the financial enablers of ransomware gangs, according to Deputy Treasury Secretary Wally Adeyemo.
The cryptocurrency-tracking firm Chainalysis said in a blog post that SUEX is among the most active of a small group of illicit services that handle most money laundering for cybercriminals.
Chainalysis also said SUEX had received funds from another shady cryptocurrency exchange, BTC-e, which U.S. authorities had shut down in 2017. BTC-e’s operator was extradited to France and sentenced in December 2020 to five years in prison for money laundering. The SUEX designation was the first time Treasury had sanctioned a cryptocurrency exchange; with international campaigns against cybercrime expanding, it is unlikely to be the last.
In October, the Biden administration again stepped up its international efforts against ransomware. The White House convened a counter-ransomware meeting with more than thirty partner countries to accelerate cooperation on ransomware’s impact on the financial and critical infrastructure sectors. Specific efforts included campaigns to encourage network resilience, such as voluntary cyber performance goals, classified briefings for critical infrastructure executives, and international collaboration on industrial control system cybersecurity. Industrial control systems, the computerized equipment that runs power grids, manufacturing plants, and nuclear centrifuges, matter enormously to both civilian and military cybersecurity: a well-timed ransomware attack that halts such systems could disrupt essential services across an entire country within minutes.
An October 13 fact sheet produced by the White House put it bluntly:
Responsible states do not permit criminals to operate with impunity from within their borders. We are working with international partners to disrupt ransomware networks and improve partner capacity for detecting and responding to such activity within their own borders, including imposing consequences and holding accountable those states that allow criminals to operate from within their jurisdictions.
This strong statement, in the context of renewed international collaboration in cyberspace between the United States and its partners, was likely meant to serve as a warning to Russia and other adversarial cyber actors that there will be material consequences for facilitating international cybercrime syndicates, including those focused on perpetrating ransomware attacks on the West.
These efforts built on an industrial control system cybersecurity initiative the White House had launched earlier, in April, linking the federal government and the privately owned critical infrastructure community. Under that initiative, more than 150 electricity utilities have committed to deploying, or have already deployed, improved cybersecurity technologies, and the effort is being expanded into the natural gas pipeline and water sectors.
In early November, the Department of Justice announced indictments of a Ukrainian and a Russian national on ransomware-related charges. Yaroslav Vasinskyi was charged with the July REvil attack on Kaseya, a Miami-based IT management software company, an attack that spread ransomware to many of Kaseya’s downstream customers; Yevgeniy Polyanin was charged with REvil attacks on businesses and government entities in Texas. The indictments and the arrest were made possible in large part by international collaboration and intelligence sharing with European partners: Vasinskyi was arrested by Polish authorities when he crossed into Poland from Ukraine and is being held pending extradition to the United States, while Polyanin remains at large. Attorney General Merrick Garland also announced that the Justice Department had seized $6.1 million in funds traceable to ransom payments received by Polyanin.
Biden’s headline legislative achievement thus far is the Infrastructure Investment and Jobs Act (IIJA). The landmark bipartisan law devotes roughly $2 billion to cybersecurity. Half of that, a $1 billion grant program, goes to state, local, tribal, and territorial governments to improve and harden their networks and capabilities. This alone is poised to dramatically improve how the ransomware threat is addressed. Any security system, cyber or otherwise, is only as strong as its weakest link, and this grant program aims to forge stronger links at every level of government, especially the thus-far overlooked state and local offices. Ransomware operators often target an organization’s choke points, the systems whose loss hurts most, to maximize damage and increase the odds that the victim pays. Funding that hardens those points is a direly needed addition to the federal government’s ransomware prevention strategy.
The IIJA also provides $100 million for a DHS Cyber Response and Recovery Fund, to be drawn on when the Secretary of Homeland Security declares a “significant incident.” A ransomware attack on a critical government infrastructure node would certainly qualify, giving the government a new and versatile tool against the threat: the fund lets the Cybersecurity and Infrastructure Security Agency (CISA) direct aid to affected public and private sector entities and facilitate collaboration between them. The White House likely learned how critical that public-private bridge is from the 2014 Sony hack, which occurred while Biden was vice president. At the time, then-President Barack Obama offered Sony little public aid, citing a reluctance to use government power to come to the aid of private firms. The new funding comes on the heels of CISA’s formation in August of the Joint Cyber Defense Collaborative (JCDC), a federal entity that proactively scopes out the threat environment by combining private sector partnerships with federal cyber capabilities.
Another $500 million is reserved for the Energy Department and the Environmental Protection Agency for two programs, one for rural and municipal utilities security and another for power grid security improvements.
The Biden administration’s overall strategy against ransomware and international hackers relies on collaboration with partners and allies. European and Israeli counterparts already play important roles in data sharing and in methods of apprehending criminals. The administration is also steering an expedited effort to reach agreements on how the coalition of rules-based-order states will define acceptable practices in the financial and cybersecurity sectors. The next step, should American leadership persist, must not be to assume that the progress made so far will keep the coalition ahead of its adversaries. The coalition must keep applying pressure and challenge itself to maintain a constant, if not accelerating, pace. Agreements should continue to be made, evolve, and become more firmly codified. Additional measures will be needed domestically as well. DHS representatives, testifying on November 17 before the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation and its Subcommittee on Intelligence and Counterterrorism, said: “Additional legislative steps and new authorities are necessary to understanding the full scope of the ransomware problem [...] Together we must stand united to support the adoption of, and adhere to, international cyber norms and condemn countries who violate these norms or harbor cyber criminals, or support their criminal activities.” The nature of cyber threats is to evolve constantly. To combat them effectively, we must evolve as well.
Aaron Crimmins, Esq. is a cyber strategy and governance consultant and writer based in San Diego, California. He tweets @00crims.