JUST IN: U.S. Taking ‘Aggressive Whole-of-Government’ Approach to Address Ransomware
The U.S. government is broadening how it addresses ransomware attacks and other aggression from Russia, China and independent actors in the cyber domain, a Pentagon official said.
The last few years have been marked by high-profile ransomware attacks on U.S. companies and critical infrastructure — such as the Colonial Pipeline hack that caused gas shortages in the eastern United States. The Pentagon is now taking its defensive capabilities against ransomware and proliferating them government-wide to help curb any future criminal cyber threats, Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, told reporters Oct. 20.
The approach is “an aggressive, whole-of-government effort aimed at trying to hold the individuals accountable, deny them access to their proceeds, working with the private sector to shore up their defenses, and much more aggressive behavior on law enforcement,” she said at a Defense Writers Group event.
She noted that the government-wide approach aligns with how seriously the Defense Department views ransomware activity.
“The kind of targeting that has occurred, the interference with some of the companies that play a key role in critical infrastructure — certainly the Colonial Pipeline — have emphasized to all of us that this [is] beyond just a criminal [act]. It has a very strong national security element,” she said.
A key strategy for addressing ransomware threats is international collaboration — both with allies and adversaries. Eoyang said her office works closely with U.S. allies to establish a global precedent and target ransomware actors.
The United States has had continuous dialogue with the Russian government regarding expectations in the cyber domain — including a conversation between President Joe Biden and Russian President Vladimir Putin in Geneva in June, she said. The United States needs to continue working with other nations in defining cyber activities that are acceptable and unacceptable.
When asked whether an agreement akin to an arms control deal would be possible to prevent ransomware, Eoyang said the model is better suited for a physical environment where verification is easier. “In the cyber domain it is much more difficult to have that kind of a verification regime,” she said. “Because if you have two sides with cyber capabilities aimed at each other and you said, ‘Let's sit down and compare target lists,’ what everyone would do is take the other side's target list and go home and patch.”
The United States has also handed out court indictments, sanctions and more to adversaries in an attempt to curb ransomware attacks on major infrastructure and businesses, to little avail, she said. Establishing universal norms around cyberspace activities is a challenge, she added.
The government ramping up security against cyber attacks is not enough, she said, and urged the private sector to do the same, given that it is difficult to know when the next ransomware incident will occur. While the Pentagon is “disrupting and not reacting” to the next ransomware attack, responses will continue to be on a case-by-case basis, she said.
“It's a constant evolution of how we respond to the attacks, how we make it more difficult for the adversary, and then the evolution of where they go from here,” Eoyang said. “And I think that there's sort of a relationship between those things that we'll just have to see how it unfolds.”