Ransomware gangs scored $1.3 billion in 2023, although the US government has ceased efforts to outlaw such payments for now, per Deputy National Security Advisor Anne Neuberger.
“From an infrastructure perspective, we’ve done takedowns of infrastructure, often with partners around the world—they’re temporary,” Neuberger told attendees at DEF CON 32 in Las Vegas. “There’s so much vulnerable infrastructure that attackers can use in the second round.
“And what’s driving it? It’s often cryptocurrency, and getting paid. 2023 alone is $1.3 billion paid in ransoms,” she added.
Neuberger, one of the top US cybersecurity experts, said the federal government had decided to “take a pause” on criminalizing payments to cybercriminals in part due to concerns it could hamstring critical institutions.
“Folks argue, what are you going to do when a hospital gets hit?” Neuberger asked. “And they say, ‘Well, I pay this $5 million answer, I can recover faster.’”
The US government still wants companies to take seriously the idea that certain “controls” on payments could be instituted in the future, Neuberger added.
DEF CON co-founder Jeff Moss, who appeared alongside Neuberger, suggested a ban would be more palatable in intermittent “chunks.”
“You don’t have to do the whole country or nothing,” Moss said. “Federal government can just say, ‘Hey, the federal agencies can’t pay ransom’ … Now these other critical industries can’t pay ransom.”
Other factors constraining US ransomware efforts include difficulties in reaching international agreements, according to Neuberger. Even when attack attribution is possible, she said, countries like Russia don’t cooperate, and authoritarian governments could abuse cybercrime treaties.
Neuberger said US officials are approaching the problem in three ways: encouraging companies to back up their own data and secure networks; naming and putting bounties on threat actors; and “things we can do to take the fight to them” that “I can’t talk about here.” Some 70 countries will be meeting in September for an anti-ransomware program with classes on blockchain analysis and regulatory approaches, as well as discussions about a global fund, she added.
The Biden administration has largely relied on executive orders, existing rules, and contract requirements to push cybersecurity initiatives, given an uncooperative Congress. Cybersecurity and Infrastructure Security Agency Director Jen Easterly, who spoke separately at DEF CON, emphasized that her agency’s approach to fixing a software market that has historically neglected cybersecurity relies more on voluntary initiatives and changing incentives than on new regulations.
Neuberger struck a similar line promoting the Cyber Trust Mark program, a federal initiative under which manufacturers can certify that consumer devices meet minimum cybersecurity standards established by the National Institute of Standards and Technology (NIST). Modeled after the successful Energy Star certification program for energy-efficient electronics, it is still in the rulemaking phase.
“That’s a great example of where we in government are not saying, ‘Oh, we’re mandating this,’” Neuberger said. “We’re saying, ‘You know what? There’s an ecosystem. People want to bring in more secure tech to their homes, their schools, their offices. Companies who say, ‘Look, we get it. We’d rather build a more secure product.’”
“Then government, which is saying, ‘OK, where we’re trusted is, we have a standard and we do the testing’ … We try to create the ecosystem,” she added.
According to Politico Pro, Neuberger separately told press at DEF CON that the White House is collaborating with legislators on a bill designed to prevent theft of AI models by foreign adversaries. On Aug. 13, Neuberger also helped announce NIST’s release of the world’s first three post-quantum algorithms, which are designed to resist quantum computer-powered codebreaking that might one day break previous encryption algorithms like RSA.