Last month, top executives from Amazon, Microsoft, Cisco, FireEye and dozens of other companies worked with the Justice Department to deliver an 81-page report calling for an international coalition to fight ransomware. Heading the Justice Department are Lisa Monaco, the assistant attorney general, and John Carlin, who headed the agency’s national security division during the Obama administration.
Last month, the two ordered a four-month review of what Ms. Monaco described as “a mixed threat from nation-states and criminal corporations that sometimes work together to exploit our own infrastructure against us.” So far, the Justice Department has largely pursued a strategy of indicting hackers – including Russians, Chinese, Iranians and North Koreans – few of whom are ever tried in the US.
“We have to rethink,” said Ms. Monaco at the recent Munich cyber security conference.
Recommendations in the coalition’s report include pressing ransomware safe havens such as Russia, through sanctions or travel-visa restrictions, to prosecute cybercriminals. It also recommends that international law enforcement agencies join forces to hold cryptocurrency exchanges that launder money accountable and to enforce “know your customer” laws.
The executive order also seeks to fill in blind spots in the country’s cyber defenses that recent Russian and Chinese cyberattacks exposed: those attacks were carried out from domestic servers in the United States, where the National Security Agency is legally barred from operating.
“It’s not the fact that we can’t connect the dots,” General Paul M. Nakasone, who heads both the National Security Agency and the Pentagon’s Cyber Command, told Congress in March, echoing the criticism leveled at American intelligence agencies after 9/11. “We can’t see all the dots.”
The order will establish a real-time intelligence-sharing mechanism that allows the NSA to share threat intelligence with private companies and lets private companies do the same in return. The concept has been debated for decades and has even found its way into earlier “feel-good laws” – as Senator Ron Wyden, Democrat of Oregon, described a 2015 bill encouraging voluntary threat sharing – but it was never implemented at the speed or scale needed.
The idea is to create a mechanism that would allow government agencies to share classified cyberthreat data with businesses, and encourage businesses to share more incident data with the government. Companies are not legally required to disclose a breach unless hackers have obtained personal information such as Social Security numbers. The order would not change that, although lawmakers recently called for a stand-alone breach-disclosure law.