Closing Remarks by National Security Advisor Jake Sullivan at the Counter Ransomware Initiative Summit
Eisenhower Executive Office Building Room 350
AS DELIVERED
I know you guys have talked a lot, listed a lot, worked through a lot, and I want to come on to some of the specifics that are at the heart of the Counter Ransomware Initiative.
But I actually wanted to close this out by taking a little bit of a step back and sharing the thinking of the Biden Administration for why this initiative and this issue is not just confined to cyberspace. It’s not just confined to a particular challenge within cyber space, but really is a hallmark of our national security approach as a whole.
We released our National Security Strategy just a couple of weeks ago. And it was a product that really drew from consultations with a lot of countries seated around this table.
And at its core, what the National Security Strategy reflects and represents is that you cannot neatly divide between foreign policy and domestic policy any longer in the approach to national security. That’s just not the world that we live in anymore.
So, we have built our national security approach on the foundational integration of foreign policy and domestic policy. And that means elevating our focus on the issues that spill out of those two silos—whether it’s supply chains, or the energy transition, or tax policy, or especially cybersecurity.
From Day One, the Biden Administration has really put cybersecurity at the top of our list—and Anne was kind enough to take the first-ever role as Deputy National Security Advisor for cyber in a National Security Council, in a White House, in history—because we wanted to build and integrate an entire cyber component at a very senior level at the heart of the National Security Council.
And so this connects across everything that we do.
And we’ve tried to drive a range of different lines of effort in the cyber domain.
First, focusing on cybersecurity and safety here at home.
Last year, President Biden signed an Executive Order that requires new baseline standards for software sold to the U.S. government. A lot of it that is also used and bought by countries around the world. It’s an effort that we hope will raise the game for software not just for our country, but for all of your countries as well.
And it was interesting when we came in and found that this simply was absent—there was no standard upon which this software was built.
Now we came to office of course just a couple of months after the Solar Winds hack was brought to public attention and of course Solar Winds was shot through every corner of the U.S. Government, as well as many of your governments. And it was very bracing lesson for us to learn.
We’ve also worked across our government to create landmark cybersecurity standards in critical infrastructure sectors—from airports, to water systems, to pipelines, to railroads.
And, in fact, it was a ransomware incident last year—the Colonial Pipeline attack—that really drove home the need for these standards.
And as many of you know working it in your own systems, there’s a lot of gnashing of teeth and a lot of blood on the floor working with critical infrastructure sectors to get these standards not just written, but actually implemented in a full way. And it requires a genuine level of public-private partnership that is almost unique across the national security enterprise to protect our countries from all manner of cyber attacks, including ransomware attacks.
And our work is by no means done, but we are going to go sector by sector to ensure that we have standard cybersecurity practices for the critical infrastructure owners in every domain of critical infrastructure.
Second, working with our partners—we focused on securing new technologies.
I know you all have talked about digital assets, addressing the way that crypto crosses borders and fuels cyber actors, criminal cyber actors.
We’re also in the final stages in consultation with some of you around this table of creating a labeling program for the internet of things, and particularly for IOT devices so that consumers that bring home those devices know that their bringing home a secure device.
This is something that some of you have pioneered, and we’re learning lessons from that ourselves in trying to develop a similar, almost Energy Star-like program for cybersecurity in the Internet of Things.
And we want to make sure that what we put in place is compatible those of you who will follow suit.
Third, of course, and the last two days have been a good indication of this, we’ve been focused on really strengthening collaboration with our partners—doing this in partnership with other countries, because any one country solving their cyber problem is not really getting after the root of this problem, which is a network problem that affects all of us.
So, we’ve been trying to build diverse and flexible coalitions that tackle a transnational threat like cyber. And that too is a hallmark of President Biden’s foreign policy across the board.
We’ve shared information regarding cyber threats to protect critical infrastructure across the entire globe on every continent with dozens of countries.
We’ve worked with countries to implement the norms of the UN-endorsed framework for responsible behaviors in cyberspace.
We’ve created the Virtual Cyber Incident Support Capability with our NATO Allies to more effectively lend cyber resources and support in moments of need.
We’re driving the development of new cyber tools with our Quad partners.
And as, sort of the flagship in collaboration, we were very proud to help along with the rest of you launch this Counter-Ransomware Initiative last year, and to see how far it’s come in one year, and to see the path ahead and how promising it looks.
***
As everyone here knows and as you all have reinforced in your comments over the last couple of days, ransomware is a global challenge that requires global cooperation to produce global solutions.
And that’s why in fact this coalition is the largest in the world in terms of a cybersecurity coalition. And the most comprehensive—bringing together countries and companies from all regions of the globe to deter and disrupt these ransomware attacks.
I want to particularly thank Australia, Singapore, the United Kingdom, India, Lithuania, Spain, and Germany, the CRI Working Group leads who have made sure that this collaboration is broadly shared, brings diverse perspectives, and really creates a platform upon which the collaboration of all of us going forward can be built.
Having already had two exercises, with respect to building our resilience, so CRI members across the world can bolster their ability to coordinate during a potential cyber attack.
You’ve also strengthened our defense—developing ways to disrupt ransomware actors and countering their illicit financing, particularly in the crypto-currency ecosystem.
And collectively, you’ve deepened our collaboration— creating a new platform to facilitate information sharing and build enduring partnerships with the private sector.
And as Anne has just described over the last two days you’ve done more. Whether it is about combating the ability of ransomware actors to use virtual assets, including through an investigators’ toolkit.
Delivering justice ransomware actors and their enablers by standing up a joint task force in the first quarter of next year as a due out from this meeting.
Ensuring our national cyber infrastructure is not being used in ransomware attacks by sharing information regarding malware and techniques so that we can all collectively defend better.
And, of course, strengthening our diplomatic cooperation to deny safe haven to ransomware actors. And I want to especially thank Nigeria’s agreement to co-lead this stream of work with our German colleagues for the coming year.
I was also pleased to see that you’ve integrated for the first time the private sector and private companies from across the world into these CRI conversations, because you know as well all know—sometimes to our benefit, sometimes to our detriment, hopefully more and more to our benefit—private firms and companies often have the key information before we have it as governments—so we need to work together.
And then finally, you all know even better than I do—and it’s obviously not limited to ransomware or two cyber—but it is I think especially acute in this area, we to continue to work overtime to break barriers within each of our own governments—bringing together policy, intelligence, finance, legal, law enforcement, and every other conceivable kind of tool to combat ransomware.
So let me just close by saying that over the last few days, we’ve seen how this international, integrated, innovative approach can really drive results. And I really just want to express the gratitude of President Biden, my personal gratitude, our entire team here at the White House between the National Security Council, the Office of the National Cyber Director, our colleagues at the State Department and other agencies.
We have a long way to go, but we’ve already come a long way and the momentum we’ve built, you know to pick up where Nate left off—objects in motion can stay in motion if we keep pushing them forward, and that’s what I think collectively we should all do.
So, thank you for giving me the opportunity to address you today. But more importantly, thank you for bringing a spirit of collaboration and deep substance, expertise, and wisdom to our collective effort. And I think let’s just keep making the kind of progress we’ve made over the course of the past year, and we will really get after this problem. Thank you.
END