IGF 2024-Day 1 -Workshop Room 3 -OF 48 The International Counter Ransomware Initiative-- RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> JENNIFER BACHUS: Hello.  We're going to go ahead and get   ...   this system is quite challenging.  For those joining us online remotely who have not experienced the fun of IGF, we do have technical difficulties on a somewhat regular basis.

I'm really sorry.  But I'm just going to warn you in advance.  With that I just want to say hello.  Introduce myself.  My name is Jennifer Bachus.  I'm the number 2 in the state department cybersecurity and digital policy bureau.  And I am the moderator today.  At least I will be when my mic is not cutting out.

I want to thank you for joining us in this session.  The open forum.  On ransomware.  I think everybody in this room is here because you recognise the incredible threat that ransomware poses to the entire world.  That it is a global share threat that we need to address it's impacted schools, hospitals.  Pretty much impacts everybody around the world.  More our citizens, our government and everything we're trying to do in a digitally connected world.

For those not familiar with the counter ransomware initiative or CRI as we call it.  As focus on cooperating internationally to address the threat and develop policies and mechanisms that reduce the intentions of ransomware.  CRI is a multi stakeholder model.  And it has a private sector component and a large and diverse group of countries involved.

And so I hope that today's discussion will be an interest to many of IGF's participants.  I'm so happy to have with us today three great panelists.  First of all, Daniel ONU NAI.  I'm really going kill your name.  I might    he currently serves in office of national security advisor as head of incident handling department and niej Reese computer incident response team.  In this role he oversees aspectses of   .  Risk mitigation.  He also to today's discussion serves as coordinator of the diplomacy and capacity building track of the counter ransomware initiative.

Niles, who is online, is cyber foreign policy.  He supports the German cyber ambassador.  Who together with Nigeria is leading the diplomas and capacity building track of the counter ransomware initiative.  Welcome.

And also online is Elizabeth Beth Vist.  Elizabeth leads IST's work on the future of digital security and ransomware task force.  Works on cybersecurity best practises, including   .  And how the (Too fast) cyber capacity building for developing countries.  I also have to say.  Liberty is a veteran of the state department and worked in our bureau.  So is an embodiment of the multi stakeholder approach to these issues.  Is so great to have all of you here.

So I have questions which is what I think I'm supposed to next.  But if anyone has a different approach, let me know.

We're going to start with Niles.

And so can you help us define ransomware a little bit more precisely?  Can you give us an overview of the ransomware state of play.  Over to you Niles.

>> Hello and good afternoon from Berlin Germany.

>> NILS STEINHOFF: Thank you for organising this very important and timely session at the IGF in Riyadh.  I've been asked to talk a little about defining ransomware and giving you a little bit of state of play.  And I would start with a very brief definition and then get into the details about actors, numbers, international peace and security and also actions taken so far.

Ransomware in generally is an act of decrypting a victim's data and holding them for ransom to unlock the data.  This is nothing new and has been around for quite a while.  Most these attacks are financially motivated by cyber criminals who follow opportunities to ransom entities mostly in commercial sector.  And have less of a strategic outlook on who they ransom.

What we see globally is that this very profitable business has specialized to become a service industry.  So when you speak of cyber crime as a service.  Along the criminal supply chain observe specialized vendors such as initial access brokers, the ransomware groups themselves then ransom the victims for money.  But also afterwards, money laundering experts in illegal sector to so say.

We le less encryption of data on system.  But more distortion to not publish the exfiltrated data which we would call a double extortion.  So instead of regaining access to your own system which might not be super needed anymore.  If businesses have good business continuity plans and backups.  The sensitive data within the commercial data that a company has is usually published on the internet on so called "leak sites" to increase the pressure on stakeholders.

So what we also observe, at least in Germany, we have a growing concern not only about financially motivated actors but more so about strategyically motivated actors or advanced persistent threat groups who within the context of geopolitical tension may disguise as ransomware actors in order to conduct cyber sabotage.  Operations that would then not be distinguishable from regular ransomware groups who may also wipe data.  But this is something we have not observed yet in Germany.

So this is a bit what we have.  You know we have we started with the simple "I look you out of your system, pay me" type of ransomware.  And now we're in a highly specialized ecosystem that extorts companies for not publishing the data or information in the data on the third parties.

If you go by the numbers, ransomware is a hugely profitable economic business for these malicious actors.  Last year in 2023, according to chain analysis, a block chain analysis company, the obtained crypto assets surpassed 1.1 billion U.S. dollars in assets.  The average ransom played was around $620,000 U.S.  But victims also at least in Germany we observed this, pay less ransom because the business continuity plans are becoming better and better.  So from 2021, where about half of the companies paid ransom.  Now we have about a third.  Or last year we observed about a third of companies paying ransom.

The majority of victims is in the commercial sector.  And of course, you know, as I said, mostly these criminals are motivated by financial motives.  So they go for the weakest link in the chain, so to say.

But we would also say that the, of course, commercial impact of the ransom paid is not the actual impact when we talk about let's say later on the effects of international peace and security.  When, for example public utilities become victims of ransomware groups.

Maybe on the groups we, roughly speaking, Germany tracks 100 ransomware groups.  But 5%    five of these groups are responsible for around 50% of all the acts.  So it is a pretty e, if you want to say, if you speak in industry, it is a very concentrated industry overall with the biggest players in the game currently being still.  Or last year before they were taken down.  Lock bit, black buster and eight base.

I want to also touch a bit on the broader international landscape since this is a meeting conveyed under the auspices so to say or the logo of the CRI.

As I said, economic damages are just one element.  You know the damage of the ransom paid to a company.  But the problem with the ransomware ecosystem is that it is attacks those that are mostly more vulnerable in terms of cybersecurity.  And that is often are public service providers.

For example, in the health care sector and energy sector, just provide you an example from Germany from last year.  We had a ransomware attack on a regional communal I.T. service provider that were ransomed.  And their services are still in recovery mode 15 months afterward and affects the life of 17 million citizens and 20,000 workers who cannot use their computers to provide basic services such as child support and unemployment benefits.  In Germany paid at the communal level.

And shows the societal impact and destabilising effect of ransomware that it has on communities.  And this has been recognised at the level of the United Nations both within the briefing that the United Kingdom hosted at the security council but also within the open ended working group under the auspices of the first committee where we just passed a resolution recognising the fate of ransomware to international peace and security.

I just want to close by saying, you know, it is not obviously only terrible    well it is pretty bad.  But at the same time, it is not such that governments aren't doing anything against it.

So the problem of course with cyber crime is often you have actors who are not within your own jurisdiction.  And you need cooperation between governments.  And if that voluntarily will to cooperate is not there, what do you do?

So Germany and I think lot of other jurisdictions like the United States moved from prosecuting individuals and malicious actors to disrupting ransomware groups.  And not only the operational sites.  But also encryption.  Getting the encryption and decryption keys.  Seizing crypto wallets.  And also seizing crypto asset mixers which would launder illicitly obtained funds into legitimate looking crypto assets.

I think one of the good examples was the operation Kronos earlier in February this year.  Where multiple law enforcement agencies around the world cooperated to seize assets and subinfrastructure of the biggest ransomware group lock bit.  And also I think led to a few arrests if I remember correctly in more than one country.

And some people say it is playing a game a whack a mole.  But in the end that is not true.  The as persistent process by which, you know, those that want to address these ransomware threats slowly but steadily take up both the operational infrastructure but also the criminal ecosystem that underpins its profitability.

So I will leave it at that.  Back over Toreyiad.  I hope I stayed roughly within my time limit.  And I look forward to the rest of the discussion.

>> JENNIFER BACHUS: Thank you so much for that.  So Elizabeth.  Building on that.Al recognising that ransomware is of course an evolving threat.  What do you foresee as the possible evolutions of the threat in the coming years.

>> ELIZABETH VISH: Thank you so much.  First thing, we're seeing really substantial growth in ransomware attacks in emerging markets.  You know, it used to be that originally a lot of these criminals were attacking mostly companies in the western Europe, United States, Australia, et cetera.

And now over the last two years we've really seen a dramatic expansion of attacks against entities and companies and non profits in the developing world.  In economies where there aren't enough cybersecurity professionals.  There aren't enough resources to defend effectively.

At the same time the criminals are also continuing to attack entities in the developed world.  So it is really a problem now for everyone in the globe.

The other thing I would say is that we have also seen that that defend against ransomware.  Building backups and having a reconstitution plan.  The things that companies and entities can do to prepare for a cyber attack work for both ransomware and for other types of attacks.

So we would really encourage the use of cyber defences.  Things like using multi factor authentication, et cetera.  In order to reduce the threat that ransomware poses.

And then the other thing I would say is that over the next few years, we really anticipate that artificial intelligence may play a role in changing the balance between the attackers and the defenders.

Tools that will be readily available to attackers would not just enhance operations but also give them the ability to move at speeds that make it hard for defenders.

So while we haven't seen really substantial adoption of artificial intelligence by ransomware threat actors yet.  We would highlight that that could certainly come.

The other thing I'd say is that for all of the threat evolving, a lot of what we see is the same old stuff.  Where, attackers get in through unpatched systems and vulnerabilities that have the no been fixed and will both encrept the data and steal data.  So there are a lot of basic things people can do to e defend that are still very effective.

IST Polish, the blueprint for ransomware defence we published in Portuguese, Spanish and English and highlights things small and medium sized enterprises can do to make themselves less vulnerable to ransomware attacks.

And we found if those had been implemented in a few case studies they would have prevented 80% of ransomware attackers from succeeding.

So we'd highlight that.  And also say that the reality is that a lot of these criminals won't necessarily face prosecution because they are resident in jurisdictions that don't choose to president cyber criminals.

And so it is really important that we take a proactive self defence posture.  I'll stop there.

Thank you.Ality.

>> JENNIFER BACHUS: Thanks Elizabeth.  To Daniel, can you tell us what    more from your point of view about the CRI, what it is, why it was started.  From your perspective.

>> DAN HANEY: Okay.  Thank you very much.  CRI.  I want to appreciate Nils and Vish.  The CRI is a global coalition of government organisations that are coming together to collective resilience against these threat actors.

You know, attackers in a way hold systems, lock systems.  And then still critical the task and then request for ransom before they can release it.  So it has become a global pandemic.  And that is what necessitated the establishment of the CRI.

And the CRI aims to build, you know, a global resilience.  Bringing together countries to build global resilience.  And also to offer support to member countries in case they are hit by ransomware.

Of course you know you cannot fight these criminals in isolation.  Because they also have networks.  Like, you know, now the ransomware ecosystem has become, have been formed in a way that you see we have the ransomware operators on one hand.  Then we have the ransomware affiliates on the other hand.  And then we now have the access brokers on another hand.  Each of them with different responsibilities but working together and then sharing the ransom based on percentage.

So it is a big organised crime.  So the CRI was formed so that countries can be well prepared.  Build collective resilience.  Assist one another.  And then target these threat actors and hold them responsible for their actions.

And also, to cutoff their illicit, you know, finances.  You know, how they launder money through these cryptocurrencies.  So we want to be able to cutoff that incentive.  Because the goal is just money.  So if you can cut it off, you will be able to reduce their activities to the minimum.

And of course also, bring in the private companies so that we can improve on protections also.  Because the government alone cannot fight these criminals.  We need the private sectors who can also.  Because they develop the software.  They develop the systems.  Most of these attack.  They see more than we can see them from the government perspective.

So the CRI wants to make sure that the private sectors are also involved.

And then the other aspect is that we need to collaborate with one another to also build this resilience.

Then when was this CRI launched?  How did it start?

Now, after the covid, we discovered cyber crime, you know, continued to increase.  Cyber attacks continues to increase.  Now you can see that because of the escalating impact of ransomware, today ransomware has increased in frequency.  Ransomware has increased in scope.  And ransomware has also increased in severity.  Before we used to have, this started with just a single method.  Lock your system or data.  Then request for ransom.  You pay ransom.  Of course there is no guarantee whether you will get your information back.

But that is just how it was.

And then it moved to double extortion.  Where by they look up your and data.  And also exfiltrate those data.  And then, you know, threatening that if you don't pay the ransom, they will release the data to the public.  Thereby making the victims, you know, to take immediate action.  But currently, it has now moved to multiple extortion method.  Which even if after targeting the victim, they also moved to the client or customers of the victim, you know, to also, you know, pressure them.

So that the access is to make them take action and get those things.  Because of this escalating impact, that is why the CRI was formed.  And also you know that    another reason is the cross button nature of cyber crime.  Ransomware actors can be in any jurisdiction and be be committing these crimes.  So we need international cooperation for us to be able to bring them to justice.  We need international cooperation for us to cutoff their source of finance.

And so that is one other reason.

The other reason is that government have come to realise that there is this urgent need, you know, for practical solutions.  You can't just sit back.  You need to be proactive.  Before they attack.  So countries need to put in place measures in order to keep themselves safe and put in place mechanisms.  Could be in form of policy, in form of guidelines.  But the end goal is that everybody must put in place structures to be able to withstand these people.  And also to support one another.

Then CRI started specifically in 2021.

It was it was launched and initiated by the United States government in 2021.  If you cheque, you will see the number of attacks in most country, for example, in the United States as of 2020, 2021, the Number of ransomware attacks that was recorded was over 2,000.  As of that point.

So if you look across different country, you will see so many countries recording thousands of attacks within a year.  So there was this urgent need to, you know, bring countries together so they can discuss the impact of ransomware.  And so in 2021, over 32 governments and organisations came together.  Even though it was a virtual gathering.  To discuss, to align their strategies.  Their policies and their concerns.  So that they would be able to fight, to build collective resilience against these ransomware actors.

So that was how it began in 2021.

Thank you.

>> JENNIFER BACHUS: Thanks for that.

And Nils, can you share what the CRI is doing to tackle ransomware now?

>> NILS STEINHOFF: Absolutely.  Currently after the last summit which the United States hosted in Washington in early October.  CRI's members are broadly, let's say, organizing around the idea that to address ransomware.  We as the states, the members of the CRI, need to tackle the problem in a holistic way by disrupting the criminal ecosystem that really underpins the profitability of ransomware attacks.

So not only address ransomware actors but address the profitability to reduce the incentives.  Right now the CRI is organised along four work streams.  We could say that focus on building resilience, cooperation, on policies and, you know, as much as possible disrupting ransomware attacks.

I want to give you a rundown of the four pillars which are called the "international counter ransomware task force."  The so called policy pillar.  The diplomacy and capacity building track.  And new edition on public, private partnership that Daniel just mentioned and I think Elizabeth too.

To start with, Jennifer, as you said, the CRI is a multi stakeholder but also multi agency model of an organisation.  That means if we want to address the ecosystem, we need to bring everybody in on the government side and on the company side who has the right tools to address the system, cyber attack agencies, police forces.  It is those that deal with crypt asset laundering.  And those that deal with diplomacy and capacity building.

To give you an idea about the different work streams, maybe need to start with the international counter ransomware task force, where mostly police agencies and federal certs or cyber emergency response teams come together under the leadership of Australia and Lithuania.  Over the three years of its existence, the so called ICRTF, I'm not going repeat that name all the time.  Has developed information sharing platforms.  Where members can share tactics, techniques and procedures.  But also indicators of compromise on ransomware cheques.

And Australia has developed a website where Daniel has said one important element is also solidarity.  So members can ask for support in the event of ongoing ransomware attack.

Secondly we have the policy pillar under the leadership of the United Kingdom.  And Singapore.  That have really worked around common challenges outside of just law enforcement.  That helped tackle the ransomware ecosystem.  Because they have been so active I'm going to give you three examples I think that really highlight the variety of and the width, so to say, of the work of the counterransomware initiative.

France and Netherlands worked on cyber insurance.  Because cyber insurance is really both a tool to diversify and spread risks across the economy.  But also to incentivise good behaviour for companies in order to become more cyber secure and comply with, you know, basic cyber hygiene that Elizabeth outlined.

Secondly, Australia released a playbook for businesses that helps them prepare for and react to, and recover from ransomware attacks.  That addresses small and medium sized businesses that usually don't have their own I.T. department to deal with cyber attack.

And then thirdly, Albania led a project on the implementation of rule 15 of the international Financial Action Task Force that deals with the regulation of crypto assets.

So this policy pillar sews you the width of the ecosystem the criminals use but we also address within the CRI.

And last or second to last and then I'll stop.  Diplomacy and capacity building pillar in Nigeria.  So Daniel and Germany.  So me and my cyber ambassador Maria are chairing.  Where we tried to, you know, connect or help people find more resources on capacity building.  Because as you can see from the variety of topics, capacity building is not only about technical capacities for emergency responders.  But it really requires a lot of entities in your government to be up to date and to be able to work together with their counterparts in different agencies.

And to close, I want to highlight Canada's work on public/private partnership.  As Daniel said, right, the software we use, the infrastructures that even our government systems run on are often maintained and updated and held cyber secure by private companies.

They see something in the networks sometimes even before we do.  And therefore, having a solid foundation for public/private partnership.  And IST has done some great work on that.  And key toe have a holistic view on the profitability of the cyber crime ecosystem that is ransomware today.

And we hope that over the next year we will find predict u productive ways to to advance on this public/private cooperation.  And maybe one last fact.  We're closing in on 70 members.  And underlines how big an issue ransomware has become all over the world for any country.  And the need for further action along the different lines of work.

>> JENNIFER BACHUS: Thanks.  Appreciate that.

And for you Daniel, what do you see as the benefits of CRI to member countries.

>> DAN HANEY: Okay.  So there are a lot of benefits.  For members.  Just like Nils mentioned.

The first is capabilities development.  So the CRI is really consigned because you need to build capacities, you know, for member countries.  So they can be able to respond, maybe identify a ransomware attack.  They will be able to have the capabilities to detect, to respond and to also disrupt the activities of these criminals.

So provide capacity building through different collaborations with organisations that offer this training.  Most of them are already members of the CRI.  We have the council of Europe.  We are the Interpol.  We have so many of them who are also willing to join the CRI.

And another benefit is that we have an enhancing information sharing platforms within the CRI.  We have developed platforms.  Platforms like the information sharing platforms, which was developed by the Lithuania.  And then we have another platform we call the crystal ball.  Which was developed together between UAE and Israel.

And then Australia also developed the CRI portal.

These platforms will help member countries to report incidents, seek assistance.  We have had instances, for example like in Nigeria, when we the private organisation reported an incident, a ransomware attack to us.  So immediately we escalated.  And it didn't take up to some hours.  Few minutes, few hours.  We started getting response support from other countries.

So the platform is there.  So immediately you go into the platform for urgent assistance.  Every country on that platform will be notified.  Immediately.  And then you will begin to see support from other countries.

So there is nothing more reassuring that knowing that when as a country you are under attack, you have other backups.  You know, from other member countries who are willing to support you in conducting your investigation and ensuring you recover.  And also under the platforms.  You receive threat intelligence that will enable countries to stay proactive.  And to glean on their experience of other countries who are going to ransomware attacks.

So you also find indicators of compromise in that place for you to enrich your platforms, to be able to deter to the activities of these criminals.

So we also provide on those platform.  You will have access to resources.  So you have access, countries share resources on that platform.  That is a valuable only to member countries.  And also what CRI, and other benefits you can enjoy is CRI is committed to strengthening the capacities of the computer emergency response teams of member countries.  So as to, you know, make them to have that capacity to be able to deter these activities, conduct investigations.  You know, of ransomware activities.

So there are quite a whole lot of benefit that you can enjoy by joining the CRI.  This is just to mention few of them.  Thank you.

>> JENNIFER BACHUS: Thank you for that.  So Elizabeth, as was noted, the public/private cooperation with CRI, or the pillar.  What are you thoughts and expectations for this sort of enhanced role in CRI?

>> ELIZABETH VISH: Really great question.  And thank you.  First thank you to the United States and Canada for the work Canada has done to launch the public    private sector advisory panel.  And the team at public safety Canada has been working hard to get everyone who can be part of it engaged in the rowing in the same direction.

I'll start by saying my thoughts.  My thoughts are that the private sector really does want to collaborate with mutual respect with the public sector.  And I IST runs the ransomware task force which is a group of more than 60 experts that come together to combat ransomware.

It is a coalition led by the institute for security and technology.  We're a non profit think tank.  So we can bring people together in sort of a neutral third space to talk about the ransomware threat.

And we've heard a lot from our members.  The members of the RTF that they want to work with governments and they specifically want to work with the CRI.  They really think they have a lot to offer to help combat this threat.  And that includes things like threat intelligence.  That also includes things like examples of successes and examples of failures from which you can learn.

I always really love to highlight that there are lessons learned from failures.  And if we learn those lessons then we can avoid the failures in the future.

There are lots of things that the private sector could do.  They have the capacity to help governments recognise threat.  They have the capacity to build and improve resilience and preparation.  And there are also private sector entities that are really capable of handling response when an incident or an attack occurs.

Also I'll highlight that the private sector owns and operates a significant portion of critical infrastructure.  And critical infrastructure are frequent targets of ransomware incidents.  So it is really important the private sector be part of the conversation when it comes to addressing threats of ransomware.  36 so my expectations for the advisory panel or the advisory group, it is intended to bring together experts from both the public and private sectors to collaborate on cybersecurity issues related to ransomware.  Its primary goal is to provide insights recommendations and strategies to address ransomware threats.  Enhance cybersecurity measures, and strengthen national and international cyber resilience.

We're working on a work plan right now that will outline how the group is going to collaborate over the next year.  When it comes to building that.  Collaboration between CRI members and the private sector.

Our focus is really on providing advice and support to CRI members and to support the various CRI initiates.

Efforts to related to insurance and how insurance can play a role in enhancing cybersecurity preparedness.  That is an area where most insurance companies are private companies.  And so exchange of information and advice regarding that could be an opportunity for the CRI members to better target their engagement with insurance companies and better improve sort of the collaboration.  So that the insurance companies can actually play that role.

There is some work that we're doing at IST which was again, we're sort of a non profit think tank that relates to the role that insurance can play in improving resilience.

So that is just one of very many examples of the ways that the private sector can contribute.  And we hope that CRI members will engage in a really robust conversation with the six members of the private sector advisory group.  So that question help address this threat which all of us face.

Thank you.

>> JENNIFER BACHUS: Thanks Elizabeth.  And I know if you are involved in this, there will be robust engagement.  So I have no worries on that front.

So I know we have comments online.  But also I want to start by first of all acknowledging the very full room here, which I'm very pleased to see.  And to see if any of you here in the room have questions that you want to pose.

I see one over there.

And then I see one over there.  Understood.  We'll start with yours and see whether we take more than one at once.  Go ahead please.

>> Good afternoon.  I'm from the Cambodia.  First, thank you for the (?).  And I would like to ask if Cambodia is member of the CRI.  If not what is the criteria to join the CRI.  Thank you.

>> JENNIFER BACHUS: I think I can answer that question but maybe someone else wants to instead.  My understanding is Cambodia is not yet a member of CRI.  There as process by which you put in a application and the CRI members consider it.  But there is probably actually more too it.  I don't know Nils or one of the people want to elaborate a little more specifically on that.

>> NILS STEINHOFF: I could.  Or Daniel if you want to take it from the floor.

>> DAN HANEY: Okay.  Continue.

>> NILS STEINHOFF: All right.  Thank you for the question.  The application process is relatively simple.  The interest of governments would write a letter of intent.  Addressed to the cochairs of the diplomacy and capacity building pillar.  Which would be Nigeria and Germany.  Daniel in the room maybe could give you the contact information afterwards.

And then there is 14 day silence procedure.  Under which members can object to the membership request.  And if no objection is incurred.  The country that applied for membership would become a member of the CRI.  Relatively straightforward.

Write a letter.

Wait around 14 dayses.

And if no action is signalled, then you would become a member.

>> DAN HANEY: Let me add this.  We have never seen countries objecting other countries from not joining.  So you don't have to be afraid of that.

All right.  Thank you.

>> JENNIFER BACHUS: Yeah.  I think we tried to recognise that this is a shared communal threat.  And that the more countries that come together to battle the threat T stronger we'll all be.

With that, sir, I think you had a question over there.  Yes.

>> Hi.  This is from Paxton.  Thank you for the insightful discussion.  But I'm still having a hard time navigating, you know, the support points.  How do you provide support to the member state entities.

For example if I have to give you for instance    Kasper sky.  They have this initiative no ransom.  They normally provide the decryption keys.  Have a list of your   .  (?) if you got attacked by any particular ransomware.  They provide with a decryption key.  Very huge platform and good threat intelligence teams so I'm still trying to navigate the support.  How that goes.  How that works.  Are you guys involved in your technical teams?  Or is it a consultantsy only?

Second point.  Is there a directory where we can find, you know, the number of companies who are already part of the CRI?  I would also love to see if my count by were there.  Thank you.

>> DAN HANEY: Okay.  So you can find information.  We have the website.  Counter ransomware.org.

And then for the other first question, the support we offer comes from the technical teams of the member countries.

For example.  If you request for support, the U.S. side may decide to offer that support.  The Australian side.  And that is one of our goal is to strengthen the capabilities of the computer emergency response teams.  E CERT.  Who are directly involved in instance like that.

In terms of the decryption key.  When you report.  If it is a known cyber crime group.  And decryption keys are available to any of the countries offering support, they would be able to release it to you.

But there are other things, you know, for example, you have faced with a new ransomware group.  Maybe there have been in assistance in another country.  So they will have more experience.  So and if they have none, they can request for the indicators of compromise and some activate.  To also you send it to them.  The one that happened in Nigeria.  What we did was that we instructed those indicators of compromise, those activates and then forwarded it to those countries or organisations offering support.

For example like the Interpol.  We offered to them because none of them had the key to decrypt it.  But they also have to also assist in the investigation process.  So dependanten how well you want their support.  Whether you want to provide it to them or you want to give them a channel to provide support for you.

But in any case, it is the technical agency or team of member countries that usually offer those investigative support.

Thank you.

I don't know if I answered the question correct.

>> JENNIFER BACHUS: Do either of the people online have anything they want to add?

  Elizabeth?  Nils?

...

Okay.

>> NILS STEINHOFF: Nothing to add.

>> JENNIFER BACHUS: Great.  Do we have another question from the room?

I saw there were comments online.  But acknowledge that my ability to read the questions or comments is limited here in the room.  But I think we might have somebody...   no.  It just seemed    maybe that was just participants.  That was exciting.

Uhm...   any other    okay.  I think we have like maybe 5 more minutes.  Oh there is a question.  Great.

>> Am I audible?

Yes.

Can you tell us a little bit more about how effective cyber insurance is in countering ransomware attacks?  Thank you very much.

>> DAN HANEY: Okay.  How effective?

Okay.  What we did is cyber insurance is actually what the CRI has been pushing.  We have also made, involved the insurance companies of members' countries.  We had sessions with them.  And we have also come up with guidelines on how insurance company can come in to assist countries.

When it comes to ransomware attack so that they will be able to cover up for so many things.  So we have done a lot to bring them on board.

So but it depends on how the countries, you know.  Because they are also subject to your country's law.  It is not like the CRI is overriding the countries.  What we have done is to always, is to bring up those guidelines, these guidance and also involve them.

And before the last summit we had sessions    we had a session with them.  And then after there was a guideline produced of which countries in collaboration with their insurance sector.  Or what would I call it now?  The responsible agency, the responsible insurance agency of the country or regulator in the country.

For example, in Nigeria, we had to for us to endorse that guidance or that statement.  We have to involve them.  So it means that for us in Nigeria, we're going to take up that guidelines.  Or guidance.  In order to release by the CRI.

>>     anything    to pay?

>> DAN HANEY: Okay to.  Pay the ransom.  It is not for us in the CRI.  No pay.  We have statement to that.  That we don't encourage.  And member countries should not pay ransom.  And many member countries endorse that statement.

But as to whether your country will allow payment in some ways is dependant on your country.  Even though most country endorse that statement of no pay.  Some countries did not.

So it is not a binding statement.  It is non binding but most countries endorse.  But countries decide to leave it open as to whether to pay or not to pay.  But for us in Nigeria, we don't pay ransom.  We don't encourage.

So even though at the back people may decide to pay for them but for as a nation it is no pay.

>> JENNIFER BACHUS: You wanted to add something Elizabeth?

>> ELIZABETH VISH: Yeah.  Absolutely.  I think more broadly the insurance market has the potential to play a role in increasing resilience.  I would say that there is some great research that Thal Royal United Services Institute in the UK has done related to the role that insurance can play in reducing ransomware attacks.

One role that insurance can play is helping the companies that they insure to improve their cybersecurity resilience and reduce their vulnerability to ransomware attacks.  And that is not something that all insurance companies do.  But it can certainly play a role.

The other thing insurance companies can do is to help companies that they insure that get attacked.  They can help those companies to reconstitute their networks and get back up and running.  More quickly.

Some insurances companies when an attack occurs bring on specific incident responders to help the company that was insured, that purchased the insurance, to respond for quickly.  But I would just refer to you that research by RU SSY.  It is a reel good paper.  I think the UK perspective can be valuable for many different global operating contexts.

Thanks.

And oh the other thing I'll highlight which I think just Daniel did highlight as well.  Is the statement that was produced at the end of the last CRI summit in October.  That does sort of mention the best practises for response.  And includes that as part of the sort of overall approach to responding to an incident.

It was endorsed, as mentioned, by many members.  And by some insurance consortiums.  So I would just highlight that as a place that people can get an understanding of how to approach a response to an incident.  And it offers the perspective that some insurance companies have endorsed.

So those are both really good resources to go to when it comes to insurance and ransomware.

>> JENNIFER BACHUS: Thank you very much.  There are two questions in the chat which I will launch.  And I think that we are coming to the end.

One is how do you authenticate if a private organisation who is developing software is legitimate?

And the second question, which might be slightly easier is, how well is third world countries prepared to deal with this situation like this on their own?

So I will see who wants to take one or both of those questions.

Would you like to start with the second question?

(Scheduled captioning ends in three minutes)

 

>> ELIZABETH VISH: Ky jump in on the second question.  IST was a annual report on the ransomware threat.  Mostly looking at data from leak sites.  So it is not perfect data.  But I would say that overall we've really seen the number of attacks against emerging markets in    in emerging markets against emerging economies and developing third world companies go up.

We've seen them go occupy over the last two years that we've done this report.  We've really seen the increase in attacks against, especially critical infrastructure.  In many places.  And also, sort of to be Frank, like the place where money is.  So things like banking and financial institutions.  We've seen attacks against government actors and government entities.  Like pension funds.  So there was a case where cyber criminals attacked the pension fund of a small Caribbean island nation.  That made it hard for retirees to get their money.  Which is obviously a real threat to human health and well being.

And we don't see that going away any time soon.  So that is really why we are underscoring the value of collaborating between government and private sector and also why we're underscoring the importance of preparation.

We have a joke prepared.  Don't pay.  And we don't mean that in the you shouldn't    you can't pay.  But rather avoid paying by preparing.  You won't get attacked, therefore you won't even have to think about the payment conversation.  If you can be well prepared.

So I'll sort of highlight that as the best way.

I would also highlight that, you know, when it comes to the question of "on your own."  I don't think that anyone should be dealing with this on their on their own.  I think the collaboration CERT to CERT, which has been highlighted here already.  Collaboration between national cybersecurity authorities.

In the U.S. we have the cybersecurity and critical infrastructure authority.  The Spanish government has its.  There are many sort of national authorities that would like to collaborate with one another.

I'll highlight that the State Department actually has done a fair amount of collaboration when it comes to building national C CERT capacity.  And also in collaboration with Nigeria.  And I think that's really the future of defending against this threat.  Is improving partnerships and improving collaboration.

The private sector really does want to contribute, want to play a role both in investigating and disrupting these criminals.  And also in preparing for and recovering from this threat.

So I would also encourage national authorities and civil society in developing countries to think about how they can get collaboration to improve collaboration with the private sector.  So that no one is alone.  But rather we're all addressing this threat together.

>> DAN HANEY: Okay.  So just to add.  When you join the CRI, you are no longer alone.  And to do    deal with some of these issues.  You know what CRI has done is to provide a kind of mentorship with another country.  We mentor.  Maybe a country who is less advanced when it comes to handling these kind of threats.