Tough conversations on ransomware ahead

The U.S. government may have to get used to having tough conversations with other nations to curb ransomware attacks, and their potential damage, even as international cyber norms are elusive.

Mieke Eoyang, the deputy assistant secretary of defense for cyber policy, said "mature nations need to have that; they need to have very clear understandings of what their forces are doing, that they're not doing things that they don't intend...And I'm not sure that all nations have that kind of insight into what's happening at other levels."

Speaking at the Aspen Cyber Summit Sept. 29, Eoyang said the Colonial Pipeline attack showed how criminal actors from other countries can "impose consequences on the average American as they go about their lives in a way that was unimaginable 10 years ago."

"And it's now at a national security threat level. That is something that we have to take on, we cannot just sit back and protect our own networks and defend our way out of the situation."

This evolution is evidenced in Cyber Command's "persistent engagement" strategy and, as Eoyang pointed out, DOD's overall increased attention to the matter. And as the lines between nation state and criminal actors blur, the Defense Department has upped its teamwork with federal law enforcement agencies, including the Justice Department and FBI, specifically.

"This can't just be about securing our systems or going on offense, about tools, but we have to think about how we impose costs in a much more significant way," she said, noting that DOD has raised criminal, particularly ransomware attackers, as a priority.

"But the bigger issue is how do you get nation states to take responsibility for the threats that emanate from their territory? How do you say, 'look, you're either creating a permissive environment or you're directing attacks,' like we need to have a conversation about this country to country, at least from the Defense Department," while the FBI and DOJ work to prosecute individuals.

A few days after Eoyang's talk at Aspen, the Biden administration announced plans to convene a meeting of 30 countries to talk about ongoing threats posed by ransomware, according to a report in CNN.

Eoyang said establishing norms around cyberspace activities continues to be a challenge.

"We have not seen a nation state sponsor a cyberattack that's the equivalent of an armed attack," such as one that equates to severe bodily harm or loss of life, Eoyang said. "And we've been very clear about that as a red line for the United States that the equivalent of an armed attack is going to get you a response. But I think below that, I think it's very difficult to define norms." She added: "I think it's really hard to have a normative conversation with other countries, because so much of this activity is clandestine."