Ransomware threats call for tough conversations
- By Lauren Williams
- Oct 04, 2021
As ransomware attacks on U.S. public and private organizations increase, the federal government may have to have tough conversations with other nations, especially as the lines between nation-state and criminal actors blur.
"Mature nations need to have … very clear understandings of what their forces are doing, that they're not doing things that they don't intend," said Mieke Eoyang, the deputy assistant secretary of defense for cyber policy. "I'm not sure that all nations have that kind of insight into what's happening at other levels."
Speaking at the Aspen Cyber Summit Sept. 29, Eoyang said the Colonial Pipeline attack showed how criminal actors from other countries can "impose consequences on the average American as they go about their lives in a way that was unimaginable 10 years ago."
"And it's now at a national security threat level," she said. "That is something that we have to take on. We cannot just sit back and protect our own networks and defend our way out of the situation."
Cyber Command has already developed its "persistent engagement" strategy and, as Eoyang pointed out, the Defense Department's overall attention to the matter has increased. DOD has upped its teamwork with federal law enforcement agencies, including the Justice Department and FBI specifically.
"This can't just be about securing our systems or going on offense," she said. "We have to think about how we impose costs in a much more significant way," she added, noting that DOD has raised the priority of criminal, particularly ransomware, attackers.
"The bigger issue is how do you get nation-states to take responsibility for the threats that emanate from their territory? How do you say, 'Look, you're either creating a permissive environment or you're directing attacks,'" she said. "We need to have a conversation about this country to country, at least from the Defense Department," while the FBI and DOJ work to prosecute individuals.
A few days after Eoyang's talk at Aspen, the Biden administration announced plans to convene a meeting of 30 countries to talk about ongoing threats posed by ransomware, according to a report in CNN.
Eoyang said establishing norms around cyberspace activities continues to be a challenge.
"We have not seen a nation-state sponsor a cyberattack that's the equivalent of an armed attack," such as one that equates to severe bodily harm or loss of life, Eoyang said. "And we've been very clear about that as a red line for the United States -- that the equivalent of an armed attack is going to get you a response. But I think below that, I think it's very difficult to define norms." She added: "I think it's really hard to have a normative conversation with other countries, because so much of this activity is clandestine."
This article was first posted to FCW.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.