The United States is urging a group of governments to publicly commit not to pay ransom to hackers ahead of an annual meeting of more than 45 countries in Washington later this month.
Anne Neuberger, deputy national security adviser, said in an interview with Bloomberg News that she was “incredibly hopeful” for support of such a statement, but acknowledged it is a “difficult political decision.” She added that if members of the alliance cannot agree on the statement before the meeting begins, it will be included on the agenda as a discussion item.
Ransomware is a type of malicious code that encrypts victims’ computer files, effectively making them unusable. Hackers then demand payment in exchange for a key to unlock them. Another common type of ransomware attack involves stealing sensitive documents and demanding payment to prevent their publication online.
Such ransomware attacks have grown in popularity in recent years, partly because they are highly profitable for hackers. Victims often conclude that paying the ransom and restoring operations is easier than resisting the attackers’ demands.
According to Neuberger, the goal of the statement is to change that calculation. “Ransom payments are what fuel ransomware,” she said. “That’s why we believe this is so necessary.”
“You have to address the root cause,” Neuberger said. “The root cause is money.” The statement is expected to apply to governments rather than companies, which are regular victims of ransomware attacks. Neuberger noted it would be a first step toward broader efforts aimed at stopping ransom payments to hackers.
In 2021, the Biden administration launched an annual international ransomware summit, bringing together cybersecurity leaders from various countries to discuss ways to combat such attacks. The first summit took place months after the Colonial Pipeline Co. cyberattack disrupted fuel supply on the US East Coast and served as a wake-up call about ransomware risks. Since then, participation has grown from 31 countries to more than 45.
Neuberger said that more than two years after the Colonial Pipeline breach, a series of disruptive ransomware attacks on hospitals, manufacturing plants, and casinos in recent months shows that more must be done. “We are going to eradicate the ghost of Colonial Pipeline,” she said, describing the goal of the October 31 meeting.
Charles Carmakal, chief technology officer at Mandiant Consulting, is among those who argue that a full ban is still far from reality.
“A lot more needs to be done before ransomware payments can be banned,” he told Bloomberg in September. “Law enforcement needs to be more aggressive against threat actors and make it painful for them.”
However, Neuberger argues that progress in cybersecurity standards, better preparedness, and stronger law enforcement intervention make it more realistic now to stop paying ransoms. She said more companies are creating backups to restore systems after breaches, and insurance policies are encouraging higher cybersecurity standards.
The United Kingdom, which co-leads anti-illicit-finance efforts with Singapore under the ransomware initiative, did not respond to a request for comment. The Record, a cybersecurity publication from Recorded Future Inc., previously reported that the US is pushing governments not to pay ransoms.
Neuberger, who is attending International Cyber Week in Singapore this week, is also pushing for greater disclosure of cryptocurrency transactions to help limit money laundering. She wants more countries to adopt “Know Your Customer” rules for crypto firms, at least on a voluntary basis.
In addition, the US wants governments worldwide to establish cybersecurity labeling standards so consumers can assess—before purchasing internet-connected devices—how secure they a