THE WASHINGTON FOREIGN PRESS CENTER, WASHINGTON, D.C. (Virtual)
MODERATOR: Okay. Good afternoon, and thank you so much for your patience today, and welcome to the Washington Forum Press Center’s virtual briefing. I am Jean Foschetti, and I am pleased to welcome our briefer, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, who will provide an update on the International Counter-Ransomware Initiative.
On October 13th and 14th, the White House National Security Council facilitated an international counter-ransomware virtual event with over 30 countries and the European Union, with the goal of accelerating cooperation to counter ransomware. The meetings addressed improving network resilience, addressing the financial systems that make ransomware profitable, disrupting the ransomware ecosystem via law enforcement collaboration, and leveraging the tools of diplomacy to address safe harbors and improve partner capacity. Deputy National Security Advisor Neuberger will discuss the results of this week’s events and how the administration is working closely with international partners to address the shared threat of ransomware and galvanize global political will to counter ransomware activities. 1
A quick review of the ground rules for today. This briefing is on the record, and we will post the video and transcript of this briefing on our website, fpc.state.gov, as soon as it is available. If you do publish a story as a result of this briefing, we kindly ask that you share a link to your story by emailing us at dcfpc@state.gov. During the question-and-answer session, if you have a question, please go to the participant field and virtually raise your hand. If you are called on to ask your question, we will unmute you and request you turn on your camera. If you wish to be on camera for the entire briefing, please go ahead and do so now. And lastly, if you’ve not already done so, please rename your Zoom profile with your full name and name of your outlet so we know who’s asking questions.
And with that, I will turn it over to Ms. Neuberger.
MS NEUBERGER: Jean, thank you so much for the introduction. Good afternoon and good evening. Thank you so much for joining us from different outlets around the world.
So I wanted to share reflections from the Virtual Counter-Ransomware Coalition Initiative Meeting we hosted at the White House earlier this week with ministers and senior officials from over 30 countries and the European Union to accelerate our joint cooperation to fight ransomware.
Participants covered everything, as you noted, from efforts to improve national resilience to experiences addressing the misuse of virtual currency to launder ransom payments, our respective efforts to investigate and prosecute cyber criminals as a tool to address, and diplomacy to counter ransom.
While the United States facilitated the meeting, it was not solely a U.S. initiative. Indeed, every (inaudible) of the focus panels were chaired by other countries. India chaired the Resilience Panel. The United Kingdom chaired the Countering Illicit Use of Cryptocurrency Panel. Australia chaired the Panel on disrupting Ransomware Infrastructure and Actors. And finally, Germany chaired the Diplomacy Panel.
Delegations recognized the importance of international cooperation to address the transnational threat from ransomware. This truly wasn’t just another meeting. The meeting is noteworthy in that it was the first time that delegations brought together experts that usually operate in parallel channels, like law enforcement, cyber resilience, diplomacy, financial regulators. All of these channels are relevant to disrupting ransomware, and the global community really brought them together for the first time to consider how we better connect and integrate those efforts to see where cooperation is working and where it isn’t so we can improve and counter ransomware more effectively.
Let me talk for a moment about why international cooperation to counter ransomware is important. It is an incredibly complex ecosystem. In fact, during the opening plenary, for example, the Israeli representative noted that an Israeli hospital was under attack by a ransomware attack at that moment.
And to demonstrate the complexity of the ecosystem, one can imagine, for example, that the ransomware actors, the actual individuals who had launched that attack, could be in one country; the countries where they were laundering the ransom payment, perhaps if it was paid illicitly, would be to another country; the exchange could be registered in a third country and operating in fourth, fifth, and sixth countries. So that kind of a transnational threat truly requires international cooperation to mitigate that threat.
Another example, as Sweden (inaudible) the Kaseya example that shut down in Sweden a set of cooperative stores this past summer. In the opening plenary, Germany noted this was the first time ever that an administrative district declared a state of emergency purely from a cyber attack.
Of note, over 30 countries acknowledged that uneven implementation of Financial Action Task Force rules around virtual currency enabled criminals to take advantage of that uneven implementation to use virtual currency for laundry of the proceeds of their crime. Countries repeatedly noted the value of cooperation among international partners to enhance the exchange of information and pointed to opportunities to automate certain information exchange so it was as rapid as the (inaudible).
Because ransomware criminals often repeat their activities, repeat their tactics and techniques, more robust and real-time communication across governments can not only enhance national capabilities to address a ransomware attack while it’s happening, but can also potentially prevent an attack.
So the big takeaway: It takes a network to fight a network. It takes a network of countries connecting the individual elements within the country across diplomacy, law enforcement, financial regulators, and resilient (inaudible), connecting that, and then connecting globally to fight the network of ransomware actors’ infrastructure and illicit use of virtual currency. And indeed, the mix of experts that were in the room from areas that traditionally operate in parallel channels will be core to disrupting that ecosystem.
So this meeting was really about a global community bringing together government experts for a frank exchange of where counter-ransomware cooperation is working, where it can be improved, and what tools and best practices exist to achieve that shared goal. A recurrent theme throughout the discussion was the need to integrate these expert communities going forward and facilitate the cooperation to counter ransoms, and a number of the countries have committed to work together to carry (inaudible) moving forward.
So with that, I look forward to your questions. Jean, back to you.
MODERATOR: Thank you so much. So again, just a reminder to virtually raise your hand if you have a question. And for our first question, we’ll go to Alex Raufoglu from Turan News Agency of Azerbaijan. Alex, please unmute yourself and ask your question. Thank you.
QUESTION: Thank you so much, and I hope you can see me and hear me.
MS NEUBERGER: I could. Good evening to you. Thank you for being here when it’s so late.
QUESTION: Thank you. And thank you for making yourself available for us despite I know it has been a very long week for you.
Countries in the South Caucasus – Azerbaijan, Armenia, Georgia – they haven’t been part of this first event, but they are surrounded by some malign actors in the region such as Russia, Iran. And given what you just said that you would talk about, worldwide threat to global infrastructure and no country can fight this alone, as you mentioned, do you think the participating countries will have enough tools at their disposal to counter-defense of the (inaudible) nations, the South Caucasus, who might be subject to the escalating threats of ransomware by Russia and Iran? Thank you so much.
MS NEUBERGER: Alex, it’s a really good question. So first, I would say we mark this as the first of what may be numerous meetings to bring countries together. And as you know, at some point there’s just always an inverse relationship between the number of countries, the number of anything you bring together, and achieving practical outcomes.
So we focused on, for the beginning, those countries who either, for example, have virtual currency exchanges in their countries, have leading (inaudible), or who can really bring things to the fight in the first (inaudible), come together, determine where cooperation is working, where additional cooperation is needed, put together an effort.
And clearly, we will reach out to additional countries to join us in this effort because, as you said, global – ransomware is a global problem. But this is not the last meeting, clearly, to counter ransomware from a global perspective.
QUESTION: Thank you.
MODERATOR: Thank you. For our next question, we’ll go to Lalit Jha of Press Trust of India. Lalit, please, go ahead.
QUESTION: Hi, thank you. Thank you for doing this on a Friday late afternoon. It’s really appreciative of briefing us on this ransomware important initiative led by U.S. I wanted to get your thought about the role that India played during this conference, the lead that it took on resilience, and also what was discussed about the nonstate actors, looking particularly in the terrorism field, how the terrorists are using this for ransom.
MS NEUBERGER: Well, Lalit, thank you for the question. It was terrific to have India lead one of the panels and really focus an excellent discussion around resilience, around the need for speed in sharing, and around the fact that many of the techniques that are used are used again and again. So information that is shared will not only potentially help a country that is fighting a ransomware attack, but also prevent one. And, of course, the Indian chair and many of the delegates pressed for practical outcomes and for the need to really have practical things coming out of it.
We didn’t specifically discuss terror groups’ use of ransomware, although we know that while moving money in an anonymous way around the world and in a way that is hard to trace is certainly used by a number of illicit actors. So we’re well aware that by bringing together this cooperation, particularly as I noted, by working to help country build the capacity to fully implement financial action task force rules will help against multiple types of actors who use cryptocurrency to finance their illicit operation.
MODERATOR: Thank you. For our next question, we’ll go to Dmitry Kirsanov of TASS. Dmitry, please go ahead unmute yourself and ask your question.
QUESTION: Can you hear me?
MODERATOR: Yep, we hear you good.
QUESTION: Excellent. Thank you so very much for doing the briefing. I have a couple of Russia-related questions, not surprisingly, and I wanted to ask you if you perhaps might have some additional details on the bilateral engagement on cyber security. A senior administration official briefing reporters before the ransomware summit said that Russia has taken initial steps to fight ransomware attacks targeted at the United States, and that the United States is looking forward to see quote/unquote “follow-on.” So I was hoping you might explain what this follow-on is. That’s part one.
And the second part: It’s obviously – is a two-way street. Is the United States doing anything to combat this threat vis-a-vis Russia? Thank you so much.
MS NEUBERGER: Dmitry, thank you so much for the question. So, first, I think the – as was noted, the U.S. has shared specific information regarding ransomware criminals operating from within Russia and is looking to see follow-on action to address that threat.
And from the perspective of the second question, absolutely. We believe that responsible countries address ransomware activity coming within their borders. And one of the reasons indeed that we facilitated and brought together this coalition of so many countries was to hear how cooperation is working, to ensure countries are sharing information about criminal activity happening in different countries, and how we fight that together – and recognizing the fact that truly fighting ransomware requires improved resilience; requires addressing the movement of funds and the many ways it’s funding criminal actors; requires diplomacy to move from norms that, for example, say responsible actors fight criminals operating within their borders, moving from norms to implementation; as well as, of course, the role of law enforcement was really one of the things we’re doing here in the U.S. to ensure that not only are we addressing it within our own borders, but we’re working to bring countries together to ensure that we’re cooperating fully to assist and contribute to the global effort (inaudible).
QUESTION: May I ask a brief follow-up? Will you be ready and willing to prosecute cyber criminals within the United States if Russia sends – shares information to that effect with you?
MS NEUBERGER: As you know, the United States has a – law enforcement is always committed when we have – when we have countries who share with us mutual legal assistance information, we look into that, we investigate that subject to the laws and regulations of the country in meeting the standard of proof. We absolutely pursue criminal activity operating from within the U.S. when and where it occurs.
MODERATOR: Thank you. For our next question, we’ll go to Pearl Matibe. Pearl, please go ahead, unmute yourself, and ask your question.
QUESTION: Thank you so much, DAS Neuberger. It was great talking – hearing you in the briefing earlier this week, and I’m glad there is an additional opportunity to ask you some questions around Sub-Saharan Africa.
So what I’d like to kind of understand is how you intend to operationalize and support countries like South Africa, Kenya, Ghana, and even smaller countries like Zimbabwe. Because as we know, they are going to need some capacity upscaling to help them in detecting and responding to cyber attacks and hacker activity. Inside, for example, South Africa’s own borders, the country did already have this year two major attacks, one on its department of justice and the other on a state-owned port and rail company, Transnet SOC Limited. So I’m wondering: What will your support look like in helping them? And in addition to that, are you tracking – I’d like to understand some data in terms of – Africa right now, I think, probably still has the lowest global internet penetration rate – I’m not sure what that accounts to in terms of global users – and yet still seems so vulnerable to these global – to this, in fact, even mobile malware infection rates. So maybe you can speak to that. Thanks.
MS NEUBERGER: Well, thank you so much for the questions. And as you noted, it was really exciting for us that in a group of countries we had Nigeria, Kenya, South Africa participating and really contributing insights and thoughtful – thoughtful just experiences from their fight against ransomware. So to your point, a number of the participants talked about the need for capacity building that is around resilience – (inaudible) exchanges, exchanging information rapidly about tactics and techniques and how to fight them as well – capacity building around tracing of virtual currencies, analysis of the blockchain and how to work through that, as well as the routine capacity building around law enforcement.
There were certainly discussions around that, and I think one of the core takeaways, which is to say, let’s analyze what’s working and where the gaps are – and we invited all the countries to really submit their perspectives on that – was to get a good understanding of what the different countries in the coalition felt they needed to be a full member of countering that ransomware. So that’s the first thing I would say.
The second thing I would say, as I mentioned on the Israeli hospital example, is that some part of the fight is really a global fight. So where, for example – when the United States designated the first ever cryptocurrency exchange a couple of weeks ago, CX, that exchange, while headquartered in – while registered in one country, headquartered in other countries, was facilitating movement of cryptocurrency all around the world. So in some ways, the work that we’re doing a lot lifts all boats in terms of benefiting all countries as well. So we will have that balance in the capacity building that comes out of this meeting.
QUESTION: May I ask a follow-up question? So for my audiences to understand, might there be any help in terms of working with local law enforcement companies to help them in the arrest and prosecutions of those, and are you looking to prosecute in the U.S. or does it matter what jurisdiction? And how would that operationalize? I’m trying to understand – yes, I understand this – the overview of the initiative. How can my beneficiary sitting in Johannesburg understand what that impact is to them?
MS NEUBERGER: It’s a really good question. So one of the panels was disruption, and we had a good group of local police, national police, law enforcement, and they were discussing the different regulatory and legal models around the world and how to better connect them so that information is flowing in a rapid way. So I think, Pearl, one key area is going to be these questions that will – now will go out to the group to learn from the models in different countries, which will then help us do the step two, which is to say, how do we better connect the information and the capacity building to the right entity in each country?
QUESTION: Thank you so much.
MS NEUBERGER: You’re welcome.
MODERATOR: Thank you, Pearl. I think we have time for one or two more questions. I’m going to go to one that was submitted in advance from Hye Jun Seo from Radio Free Asia, who asks: “During the meeting, was the effort to mitigate North Korea’s cyber threat discussed? There have been reports that North Korea is targeting several media corporations, using COVID-19 as a theme. How should this problem be tackled when North Korea is such a difficult actor to control?
MS NEUBERGER: So this particular meeting focused on ransomware and it focused on the four elements of the fight rather than any particular country. It focused on uniting law enforcement efforts, uniting efforts to trace illicit use of cryptocurrency, and it focused on building resilience, and deepening diplomatic partnership to ensure that norms around addressing ransomware activity from within borders are fully implemented.
There was not a discussion about broader cyber activity or any particular country (inaudible).
MODERATOR: Great. I think we have time for one more. We’ll go to Sergei Popov from Ria Novosti. Sergei, go ahead and unmute yourself and ask your question.
(No response.)
Sergei, can you hear me? Let’s see if I can just unmute. Okay. Go ahead, you’re unmuted. Oh, he says, “Sorry, I guess my mic is off.” All right, well, if you – anyone would like to submit a question in writing, we can certainly get those back to the briefer for – oh, he wrote his question in the thing. I’ll read it.
He says: “As you said, the number of countries who take part in the meeting may be expanded, but why Russia wasn’t part of the first one (inaudible)?”
MS NEUBERGER: So as we’ve noted, the U.S. has a candid, professional, and very direct set of conversations with Russia about criminal activity, ransomware activity coming from within Russia. So we felt that we had good, honest, and candid discussion and information sharing between the two. We focused this discussion on bringing together a broader coalition of countries we were not talking with regularly in that integrated way to discuss how we deepen our cooperation, how we identify the gaps in our cooperation to more effectively fight ransomware.
MODERATOR: Okay, great. Thank you. And with that, I want to thank our briefer for her time today and to discuss this important event. And thank you to our journalists for their participation. This briefing is now concluded. Thank you so much.
MS NEUBERGER: Thank you, all. Best wishes for a good weekend.