(October 30, 2022)
MODERATOR: Thank you. And thank you everyone for taking time out of your Sunday to join us to preview the second International Counter Ransomware Initiative Summit that will be held in D.C. over the next few days.
This call is on background, attributable to a “senior administration official,” and the content of this call is embargoed until tomorrow, Monday, October 31, at 5:00 a.m. Eastern.
For your awareness, not for your reporting, joining us on today’s call is [senior administration official], who will give brief remarks at the top before taking your questions.
Quickly, before I hand it off to [senior administration official], two housekeeping notes at the top. First, [redacted]. Second, for planning purposes, the summit will be closed press with the exception of the closing session on Tuesday, which will be livestreamed on WhiteHouse.gov from 3:00 p.m. to 5:00 p.m. Eastern. We’ll be sure to send out a note to remind folks on Tuesday afternoon to tune in.
So, with that, I will turn it over to [senior administration official].
SENIOR ADMINISTRATION OFFICIAL: Thank you so much. Good evening, everyone. And I echo [the moderator’s] thanks for joining us on a Sunday night to discuss the second Counter Ransomware Initiative Summit.
Over the next two days, we’re bringing together leaders from 36 countries and the European Union in person to build on the work of our virtual 2021 summit and all the work that has been happening in between across five different areas to shape an impactful set of discussions on how we can continue to strengthen our partnerships and more effectively counter ransomware threats.
While the United States is facilitating this meeting, we don’t view this solely as a U.S. initiative. It’s an international partnership that spans most of the world’s time zones, and it really reflects the threat that criminal and cyberattacks bring.
As we know, ransomware is an issue that knows no borders and affects each of the Counter Ransomware Initiative countries — our businesses, our critical infrastructure, and our citizens — and it’s only getting more challenging.
Just this summer, for example, in the U.S. we saw the largest unified school district in the U.S. attacked by ransomware actors the day before school began. We’ve seen hospitals and networks of hospitals attacked in France and the UK. A significant ransomware attack that occurred just recently in Australia as well.
So, to take a step back, we launched the CRI last year to build on President Biden’s leadership to rally allies and partners to counter the shared threat of ransomware.
At last year’s virtual summit, we convened ministers and senior officials from over 30 countries and the EU to accelerate cooperation to counter ransomware.
And over the course of the year, we did just that. Together, the CRI partners worked to increase the resilience of all the partners, disrupt cyber criminals, counter illicit finance, build private-sector partnerships, and strengthen global cooperation to address these challenges.
One example I’d like to highlight is that the Resilience Working Group, one of the five working groups under the Counter Ransomware Initiative, held not one but two threat exercises in 2021 to ensure that CRI members, no matter what time zone they’re in, could participate and learn from each other in implementing best practices to counter an attack.
Many governments have been indispensable to the Counter Ransomware Initiative partnership’s success, but I’d like to quickly recognize seven countries in particular who have been leading our working groups and driving work every single day: India and Lithuania for resilience, we intentionally chose those to have both a large and a small country; Australia for disruption; Singapore and the United Kingdom for virtual currency, clearly because they’re both banking centers in both the West and the East; Spain for public-private partnerships; and Germany for diplomacy.
Over the next two days, we have an action-oriented agenda, where Counter Ransomware partners will focus on the five working group themes that I just mentioned. And they will also hear from leaders across the U.S. government, including FBI director Chris Wray, who’s also hosting the first day; Deputy Secretary of the Treasury Wally Adeyemo, who will particularly be leading a discussion on countering illicit use of cryptocurrency; Deputy Secretary of State Wendy Sherman; and my boss, National Security Advisor Jake Sullivan, whose leadership and dedication to building partnerships to solve challenging problems has helped make the CRI a success.
We’ve also done something very different. We’ve invited the private sector to join us for a discussion, because as we know, they have visibility on the threats, on the actors, the networks that are used, and on the best ways to mitigate these threats.
So, Counter Ransomware Initiative partners recommended companies from around the world — we intentionally went to companies from around the world — that they believe should attend, and we narrowed it down to 13 companies that represent a diverse range of size, regional reach, and focus.
And during this discussion, each company will be asked three questions — has been asked in advance and be prepared to answer three questions. What should governments be doing? What should the private sector be doing? And what can we do together?
So, those companies are coming to share their perspective on that, and we’ll look forward to welcoming additional companies at additional such opportunities.
Lastly, our hope is that CRI partners take advantage of this opportunity to come together and stretch our work to counter ransomware beyond just the participating countries, integrating the insights from the summit into our diplomatic approach so that together we can institute a set of cyber norms and rules of the road that are recognized across the globe to counter criminal ransomware threats and hold malicious actors accountable.
So, thank you, and I look forward to your questions.
MODERATOR: Thank you, [senior administration official].
Q Thanks for doing the call and giving us an update on this. I had a quick question on just clarifying — I know you touched on that there are a few things, but what is different this summit versus last year’s summit? I know last year’s summit was virtual. This year is in person. But what substantively do you hope to accomplish at this summit in terms of tackling ransomware that you didn’t last year?
And then real quickly, obviously Russia isn’t on the participant list. I’m wondering if there’s any consideration in including them. And if not, how are you going to relay the takeaways that you all agree on from this summit to Russian representatives? Thanks.
SENIOR ADMINISTRATION OFFICIAL: Thanks so much, Sean, it’s good to hear your voice.
The first question is throughout the year, the working groups worked and accomplished a lot of things together, and now we’re coming together to discuss what’s been accomplished. The threat has clearly evolved. Ransomware attacks continue, as I mentioned, and we’re discussing what we’ve gotten done, what’s changed in the threat, and how we double down on addressing it, from countering illicit use of crypto. Fundamentally, it’s a financially driven threat.
You know, when Bitcoin became more widely used, we saw a huge jump in ransomware because it was the way to move money across borders. It’s a borderless threat, and we have to tackle it in a borderless way.
So fundamentally, we’re doubling down, building on the work done throughout the year, deepening that partnership, and discussing how to be even more effective given the threat has evolved.
And with regard to Russia, so the work that’s been done is focused on both — I’ll talk about the five working groups.
Resilience. How do we deepen our resilience against the threats? That’s an area CISA does a lot of work in.
Disruption. How do we actually disrupt these actors and their networks?
How do we counter the illicit movement of crypto?
From a diplomatic perspective, how do we bring pressure on those key actors?
And then of course, public-private partnership, right? That’s not been an area that we’ve actually solidified: how we work with the private sector more effectively across governments.
So, this is fundamentally tackling how do you both disrupt the actors and how do you both be stronger in in your resilience so we’re less vulnerable.
So less about Russia and more about how we, as a set of countries, make it harder, costlier, and riskier for ransomware actors to operate.
Q Hi, there. Thanks for doing this call on Sunday. I was also going to ask about Russia, so I think it’d probably be redundant for me to throw my question into the mix. So I’ll just say thank you.
SENIOR ADMINISTRATION OFFICIAL: Thank you, John.
Q Hey, thanks for doing the call. I wanted to drill down a little bit on the illicit finance part of this. One difference from last year is that, in March, the White House released an executive order on cryptocurrency and potential illicit uses.
I’m curious, in terms of discussions with international partners, what kind of commitments are you looking for? What exactly is the nature of discussion? What should other countries be doing to, I guess, do their part in this?
SENIOR ADMINISTRATION OFFICIAL: That’s a really great question, Tonya. So, the United States has done a lot in countering illicit use of crypto. We designated one of the largest crypto mixers that was responsible for a great deal of the money laundering, for example, of DPRK, North Korea-related funds.
What we’ve seen in the crypto realm is that many international countries — and you see the list [the moderator] sent you. There’s a whole broad range. Many lack capacity in determining blockchain analysis. How do you actually pursue laundering of funds across the blockchain, across the use of cryptocurrency, unhosted wallets, et cetera.
So one part of this — you know, during the year, Treasury hosted a couple of workshops to help countries learn how to trace illicit use of crypto. And we’re going to be continuing, frankly, building capacity teaching that to less capable countries.
The second part is Treasury leads the Financial Action Task Force that has been looking to put in place “Know Your Customer” rules, the same kind of rules we spend a lot of time putting in place for counterterrorism purposes.
In other forms of currency — folks may remember the Hawala — you know, that was another way to move funds. In this world, we’re working with other countries to teach them and to hold them accountable through stronger terms, but to encourage them closely to put in place “Know Your Customer” rules for cryptocurrency exchanges and the various parts of the crypto infrastructure so that the crypto players help us as governments enable legitimate use and make it far harder for illegitimate use.
Q Hi, thanks so much for doing this, [senior administration official]. I just wanted to ask if you could specify the 13 companies that will be joining?
SENIOR ADMINISTRATION OFFICIAL: You’re so funny. [The moderator] and I had a bet about whether that question would be asked. I’m happy to, with a couple of caveats.
I mentioned the way these companies were selected. We essentially went across the countries participating and said, “Which companies do you think have good visibility and good insight for us?” And then we picked the companies that were approved on the most — or voted on by the most companies.
We will con- — this is just a beginning. We’re continuing to reach out to additional companies to get additional perspectives. This is just a first round of getting companies’ perspectives to ensure that we’re not doing this the traditional government way, which is government-to-government only, but we’re pulling in the private sector because of their unique visibility, capability, and insights into it.
So I’m just looking through my notes, because I know I had the list here with me, and I intended to pull it out in advance. [Moderator], do you happen to have the list of companies on you?
MODERATOR: I do, and I could send it out after this call.
SENIOR ADMINISTRATION OFFICIAL: Super. You’ll note, folks, that it’s an international set. One of the key messages of the Counter Ransomware Initiative is really the administration’s approach to international problem solving, which is we will lead — we’ll prepare to invest the time, the energy, and the skill — to lead on hard international problems, but we’re not going to hog the floor.
You know, we’ll invite other countries to lead — that’s why other countries lead the five working groups — while the U.S., of course, participates.
And similarly, in the companies we ask perspective from, we really went to the broad set of 37 country participants in CRI and said, you know, “Give us a sense of who you most rely — you know, who you think can provide insights globally as well.”
Thank you, [moderator], for that.
Q Hi. Thanks for taking my question. I got on a bit late, so apologies if you already touched on this. But I was wondering if you could sort of summarize the trend in ransomware over the last year or two years, and especially since the war in Ukraine, and also touch on whether resilience has also gone up as well. Thank you.
SENIOR ADMINISTRATION OFFICIAL: That’s a really great question. So, the event kicks off with a detailed threat briefing that ODNI, FBI, and CISA will be providing. And they’ll really outline the origins of the problem and they’ll talk a bit about the linkage between ransomware and Bitcoin prices, the targeting of different sectors.
They’re going to show a chart that captures 4,000 cyberattacks over the last 18 months outside the United States, as well as the perspective inside the United States and show by sector — healthcare, education, transportation, government networks — all around the world.
So, to give you a picture, you know, when we look at the healthcare sector, there have been significant ransomware attacks against Irish National Health Service, New Zealand, U.S. hospitals, Barcelona hospitals, hundreds of dentistries around the world.
When you look at government networks, as we know — Costa Rica; Montenegro; Bank of Zambia; the city of Palermo, Italy, — this is really a global problem. So, we’re seeing the pace and the sophistication of the ransomware attacks increasing faster than our resilience and disruption efforts.
So we’ve made a lot of progress, you know, on disruption. You may have seen the recent arrests of an individual in Canada, for example, who was responsible for a significant ransomware strain. We’ve seen takedowns.
But we really want to redouble our work, deepen the partnership — because as I mentioned, it’s a borderless problem, so fundamentally no one country can take it on alone — and put in ways to systemize information sharing.
You know, the dream I have for this is that if one country has a significant ransomware attack, they can immediately go on to a new information-sharing platform we’re putting in place that actually Israel and the UAE have been working on — that they put in place so that they can go out and say, “Has anybody seen this strain?” Other countries respond if they have, and if they have any advice or mitigations on both disrupting and resilience. And then at the end, that one country, again, puts forward the information to say, “Here’s what we learned, here’s how we fought it,” so that all countries can benefit from that as well.
So that’s some of what we’re going to be discussing. The (inaudible) where that doesn’t exist, the (inaudible), and how do we get there across systems, partnerships, processes, and coordination.
Q Hey, [senior administration official]. Thanks for doing this. Two questions. One, can you share any information about the attack earlier this month on CommonSpirit, the healthcare network? Basically any news you can break, help us break some news on that tonight — that’d would be awesome.
And then the second question is maybe trying to push a little more on the Russia question. And not just Russia, but I think most of us know that — besides maybe Ukraine, which obviously does work with Western law enforcement — most of the ransomware actors are in Russia, Iran, North Korea, China — maybe a little bit in China. Is the long-term plan eventually to have a unified force that will put more pressure on those countries that are harboring ransomware hackers? Or is that not really in the cards for now?
SENIOR ADMINISTRATION OFFICIAL: Great question. So, I’m not going —
So, on CommonSpirit, the second-largest not-for-profit hospital chain in the country, they faced a ransomware attack. As you know, it remains an active investigation by the FBI. So I’ll refer you to the FBI.
It certainly is the reason that we’re redoubling our work. You’ve seen me talk about the need for minimum cybersecurity requirements across critical sectors that Americans rely on. That’s certainly the case for hospitals and healthcare, and it’s something that we’re actively discussing with HHS.
With regard to Russia and just more broadly countries that harbor ransomware actors, you’ll see that tomorrow we’ll be releasing a statement that’s currently (inaudible) among the 37 countries. You know, a shoutout to the individual on my team who’s been working that. As well as the factsheet, by the way, tomorrow that talks about all the new conclusions and the outcomes that the group has agreed to over the two days.
Of course, many were (inaudible), but we want at least two days to finalize it. But one of those is agreements on countries not harboring ransomware actors and agreements to work on ways to bring pressure on those countries that do.
It’s a really good question. Thank you, Kevin.
Q Thank you.
SENIOR ADMINISTRATION OFFICIAL: Hi, Jack.
Q Hey, how are you?
SENIOR ADMINISTRATION OFFICIAL: Good.
Q I just wanted to ask — you talked about the financial incentives here, but there’s certainly this trend that we have seen of ransomware gangs when they, frankly, don’t get paid, they start releasing data. You mentioned the L.A. Unified School District and kids’ information getting out there.
I’m just curious in the summit what will be discussed of what tools can be used when people leak that information. You know, what legal tools are at your disposal? What ways to prevent that? What ways to, frankly, mitigate it when it does happen? I’m just curious of that piece of the puzzle.
Q It’s such a good question, because it’s something that’s really troubling, right? And certainly, the case you cited is a good one. I just was talking to my Australian counterpart, who highlighted a ransomware attack against healthcare networks and insurance and the concerns that they are related to that information. That’s one of the problems we’re going to be discussing, and we’ve teed up some potential approaches.
I don’t want to get ahead of the two days of discussions, but more to follow as we get the readouts, because that’s certainly something —
You know, it’s a hard problem, because as you know once data is in the dark net, it’s pretty hard to get a hold of. But we do have a set of tools we’re thinking through, so more to follow on that. I just want to be respectful of the next two days of discussions.
Q I understand. Thank you.
SENIOR ADMINISTRATION OFFICIAL: Thanks.
MODERATOR: Great. Thank you, [senior administration official]. And thank you all, again, for joining us on a Sunday.
If you have any follow up questions, please don’t hesitate to reach out. And as a reminder, the content of this call is embargoed until tomorrow at 5:00 a.m. Eastern. Enjoy the rest of your weekend. Thanks.
SENIOR ADMINISTRATION OFFICIAL: Thank you, [moderator]. I just had a quick thing before we lose everyone, which is I just want to highlight and give really the partnership across the U.S. government — so you’re going to have the deputies I mentioned across all those agencies.
And a huge shoutout to FBI for hosting day one, Treasury for hosting us for lunch on day two, and the agencies who participate in each of the five working groups: CISA for public-private partnership; FBI for disruption; State for diplomacy; S- — I’m blanking on the — of course, Treasury on countering illicit finance; and CISA on resilience. So really appreciative of them.
And, you know, the White House is coordinating, because it’s whole-of-government, but they’ve been contributing throughout the year. So I didn’t want to miss the opportunity to give a shoutout and a thank you.
And on that note, have a good night.
MODERATOR: Thank you.