Last month, top executives from Amazon, Microsoft, Cisco, FireEye, and dozens of other companies joined forces with the Justice Department on an 81-page report calling for an international coalition to fight ransomware. Heading the Justice Department are Lisa Monaco, Assistant Attorney General, and John Carlin, who headed the agency’s national security department during the Obama administration.
Last month, the two ordered a four-month review of what Ms. Monaco described as “a mixed threat from nation-states and criminal corporations that sometimes work together to exploit our own infrastructure against us.” So far, the Justice Department has largely followed a strategy of indicting hackers – including Russians, Chinese, Iranians and North Koreans – few of whom are ever tried in the US.
“We have to rethink,” said Ms. Monaco at the recent Munich cyber security conference.
Recommendations in the coalition’s report include pressing ransomware safe havens like Russia to prosecute cybercriminals, using sanctions or restrictions on travel visas. It also recommends that international law enforcement agencies join forces to hold cryptocurrency exchanges accountable under money-laundering and “know your customer” laws.
The executive order also seeks to fill in blind spots in the country’s cyber defenses that were exposed by recent Russian and Chinese cyberattacks, which were carried out from domestic servers in the US, where the National Security Agency is legally barred from operating.
“It’s not the fact that we can’t connect the dots,” General Paul M. Nakasone, who heads both the National Security Agency and the Pentagon’s Cyber Command, told Congress in March, reviving the indictment leveled against American intelligence services after 9/11. “We can’t see all the points.”
The order sets up a vehicle for exchanging information in real time, which would let the N.S.A. share threat information with private companies and enable private companies to do the same. The concept has been debated for decades and has even found its way into earlier “feel good laws” – as Senator Ron Wyden, Democrat of Oregon, described a 2015 bill promoting voluntary threat sharing – but was never implemented at the speed or scale needed.
The idea is to create a vehicle that would allow government agencies to share classified cyberthreat data with businesses, and encourage businesses to share more incident data with the government. Companies are not legally required to disclose a breach unless hackers have made off with personal information such as Social Security numbers. The order wouldn’t change that, although lawmakers recently called for a separate law on breach disclosure.