CRI members convene for third meeting, set to enhance cybersecurity and combat ransomware
Fifty member countries from the International Counter Ransomware Initiative (CRI) convened for their third meeting in Washington this week. The primary focus of the CRI members at this year’s gathering was to enhance capabilities in disrupting attackers and their infrastructure, fostering improved cybersecurity through information sharing, and taking action against ransomware actors.
During the meeting, the members reaffirmed their commitment to collectively building resilience against ransomware. They also emphasized the importance of cooperation in undermining the viability of ransomware, pursuing those responsible for the attacks, combating illicit finance that supports the ransomware ecosystem, collaborating with the private sector to defend against ransomware attacks, and maintaining international cooperation across all aspects of the ransomware threat.
In the past year, the group of nations and organizations has expanded and strengthened the commitments made at the second convening of the CRI in 2022. Existing participating states have welcomed Albania, Colombia, Costa Rica, Egypt, Greece, INTERPOL, Jordan, Papua New Guinea, Portugal, Rwanda, Sierra Leone, Slovakia, and Uruguay as new CRI members.
Existing members include Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, the Czech Republic, the Dominican Republic, Estonia, the European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Norway, Poland, the Republic of Korea, Romania, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, the United Arab Emirates, the U.K., and the U.S.
The third convening of the CRI leveraged the expertise of like-minded partners, private sector participants, and capacity building experts to further reshape the cyber environment so members are better equipped to combat ransomware, according to a Joint Statement released by the U.S. White House.
“Members from around the world reaffirmed our joint commitment to building out our toolkit for collective resilience to ransomware, cooperating to disrupt ransomware, and working together to curb the illicit money flow that ransomware actors rely upon,” the statement added. “We are building capacity through long-term cooperative approaches and refining our understanding of accountability in cyberspace, bringing us one step closer to rooting out criminal actors and responding with collective resolve.”
2023 key CRI deliverables include developing capabilities by leading a mentorship and tactical training program for new CRI members to build their cyber capacity, including Israel mentoring Jordan, and launching a project to leverage artificial intelligence to counter ransomware.
The members will also share information by launching information sharing platforms enabling CRI member countries to rapidly share threat indicators, including Lithuania’s Malware Information Sharing Project (MISP) and Israel and the UAE’s Crystal Ball platforms. They will also build the CRI website, maintained by Australia, which includes a forum for members to request assistance from CRI members; encourage reporting of ransomware incidents to relevant government authorities; and share actionable information with CRI members.
When it comes to fighting back, the member countries said that they will develop the first-ever joint CRI policy statement declaring that member governments should not pay ransoms; create a shared blacklist of wallets through the U.S. Department of the Treasury’s pledge to share data on illicit wallets used by ransomware actors with all CRI members; and commit to assist any CRI member with incident response if their government or lifeline sectors are hit with a ransomware attack.
Through unveiling operational tools, the International Counter Ransomware Task Force (ICRTF)—established at last year’s meeting—began developing platforms for coordinating and disrupting ransomware at an operational level, the Joint Statement identified. “By adding thirteen new members to the coalition, the Diplomacy and Capacity Building Pillar expanded the CRI’s like-minded umbrella and incorporated capacity building efforts throughout all pillars and working groups of the CRI.”
It added that the ‘Policy Pillar’ led efforts to counter the business model that underpins the ransomware ecosystem. This included research on cyber insurance, victim behavior, seizure and confiscation of virtual assets, ransom payments, and best practices in incident reporting and information sharing. Throughout the year, the coalition sought to incorporate the private sector and integrate capacity building at every opportunity.
Through the Policy Pillar, CRI members affirmed the importance of strong and aligned messaging discouraging paying ransomware demands and leading by example. CRI members endorsed a statement that relevant institutions under the national government authority should not pay ransomware extortion demands.
CRI members intend to implement the Financial Action Task Force (FATF)’s Recommendation 15 on the regulation of virtual assets and related service providers, which would help stem the illicit flow of funds and disrupt the ransomware payment ecosystem. CRI members also affirmed the importance of encouraging ransomware incident reporting within their own jurisdiction, and sharing meaningful information to strengthen our collective efforts to disrupt ransomware actors.
The Policy Pillar also examined the centrality of the cyber insurance industry in tackling ransomware, and committed to enhancing engagement with industry, as well as undertaking research into the importance of developing effective crypto asset seizure regimes.
Over the next year, the Diplomacy and Capacity Building Pillar will continue to expand the CRI’s mentorship program and onboarding program. The Pillar will prioritize opportunities to inform potential new members about the Initiative, and it will develop tailored capacity building opportunities to match members’ and potential new members’ needs and requests.
Going forward, the ICRTF will build upon the successes of its inaugural year by operationalizing the tools and platforms developed by its members. Members will work toward attaining a comprehensive understanding of the ransomware threat by sharing information and exchanging knowledge through virtual seminars and labs.
Members plan to create and share resources to build their national counter-ransomware capacity, working closely with the other pillars to develop practical tools for governments to prevent, respond to, and recover from ransomware attacks, uplift cyber capabilities across the existing CRI membership, and advocate new membership to those countries who will most benefit from what the CRI has to offer.
Additionally, the ICRTF will also continue to support transnational operations conducted by its members and collaborate with industry to target disruptive activities at key components of ransomware ecosystem, in recognition that ransomware is a cross-border and cross-sectoral threat that necessitates close collaboration across governments and sectors to be combatted.
Related
