Washington, D.C.—2024 Billington Cybersecurity Summit—Nearly three years ago, representatives from 31 countries convened via video conference to declare ransomware a global cybersecurity threat, warning that successful attacks could have significant economic consequences for both organizations and governments.
The malware—deployed to hold organizations’ sensitive information and systems hostage in exchange for a ransom payment that must be made within days or hours—has crippled firms around the world and caused millions of dollars in losses for those affected.
Such attacks frequently made headlines this past year, including the ransomware attack on the United Kingdom’s British Library last October, which severely disrupted its operations for months. Another notable incident was the attack on Change Healthcare, which disrupted claims processing and payments across much of the United States healthcare system.
Now, 68 nations make up the International Counter Ransomware Initiative (CRI). This month, their representatives will reconvene for their annual gathering to further discuss strategies for protecting companies and governments from ransomware attacks, as well as holding hackers accountable for deploying malicious code onto targeted networks.
The work is far from over. During a panel at the 2024 Billington Cybersecurity Summit in Washington, D.C., several countries involved in CRI advocated for greater inclusion of private sector companies in their discussions, arguing that private firms could assist nations in adopting new detection tools and shaping policies to discourage organizations from yielding to ransomware hackers.
“We need to recognize that we all need to play to our strengths,” said Sami Khoury, who leads Canada’s Centre for Cyber Security. “We need to figure out how to take the best practices of each one of us to enhance the collectiveness of the CRI,” he added, noting that Canada has chosen to include industry players in its own counter-ransomware discussions as part of this effort.
Public-private collaboration on ransomware has taken various forms around the world. In Australia, officials brought together their French counterparts and around 40 members of the insurance industry to discuss the sector’s role in ransom payments.
The group included insurance industry associations and companies from Singapore, South Africa, the UK, Canada, and Switzerland, according to Chris Gower, the Embassy of Australia’s minister counsellor for home affairs.
“If you didn’t have the CRI… if you would try to do it through a different multilateral setting, I’m not sure it would be possible,” Gower said, highlighting the CRI’s effectiveness in convening stakeholders. “There’s a great opportunity to bring industry along, and I don’t think we’ve quite nailed that yet,” he added.
Establishing a global blueprint to combat ransomware has been a challenging task for the CRI. Member representatives must convince leaders and lawmakers in their respective countries to adopt the same norms and governance structures outlined in the pact.
Certain areas remain hotly debated, including whether to pay ransoms. Experts from both government and industry have yet to agree on a unified policy. Some argue that paying ransoms should be banned, as it emboldens cybercriminals, funds further illicit activity, and does not guarantee that stolen data will be returned or deleted, or that encrypted systems will be restored.
Others argue that total bans place undue pressure on victims and that some payments are necessary to recover vital systems, such as those in hospitals and other critical infrastructure. Additionally, experts have debated whether organizations should obtain specialized insurance for paying cyber ransoms, and whether cyberattacks should be classified as terrorism for global intelligence agencies.
CRI allies have discouraged ransomware payments, yet in several of the participating nations, there are no formal laws in place that criminalize paying a ransomware hacker to recover data.
Some members, including the U.K., have put out guidance on “how to think” before a ransom is paid, said Felicity Oswald, who leads the nation’s National Cyber Security Centre (NCSC). But she said the government can’t front these practices alone.
Ransomware instruction and other cybersecurity education need to start in boardrooms and even business school classrooms, she said. “Cybersecurity is so fundamental, just like health and safety in an organization, or their finances and accounts, and we need the average person running a small or large business to really get that.”
The U.K. has held listening sessions with large institutions worldwide that were hit by ransomware, Oswald later added.
“It’s ultimately about driving up the resilience of organizations,” she said. “So, they’re thinking, how do they need to prevent this? Not just respond, of course—we need to respond and recover—but we also need to drive that resilience in the first place.”