Last month, top executives from Amazon, Microsoft, Cisco, FireEye and dozens of other firms joined the Justice Department in delivering an 81-page report calling for an international coalition to combat ransomware. Leading the effort inside the Justice Department are Lisa Monaco, the deputy attorney general, and John Carlin, who led the agency’s national security division during the Obama administration.
Last month the two ordered a four-month review of what Ms. Monaco called the “blended threat of nation-states and criminal enterprises, sometimes working together, to exploit our own infrastructure against us.” Until now the Justice Department has largely pursued a strategy of indicting hackers — including Russians, Chinese, Iranians and North Koreans — few of whom ever stand trial in the United States.
“We need to rethink,” Ms. Monaco said at the recent Munich Cyber Security Conference.
Among the recommendations in the report by the coalition of companies is to press ransomware safe havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions. It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and “know thy customer” laws.
The executive order also seeks to fill in blind spots in the nation’s cyberdefenses that were exposed in the recent Russian and Chinese cyberattacks, which were staged from domestic servers inside the United States, where the National Security Agency is legally barred from operating.
“It’s not the fact we can’t connect the dots,” Gen. Paul M. Nakasone, who heads both the National Security Agency and the Pentagon’s Cyber Command, told Congress in March, reviving the indictment of American intelligence agencies after Sept. 11. “We can’t see all the dots.”
The order will set up a real-time information sharing vessel that would allow the N.S.A. to share intelligence about threats with private companies, and allow private companies to do the same. The concept has been discussed for decades and even made its way into previous “feel-good legislation” — as Senator Ron Wyden, Democrat of Oregon, described a 2015 bill that pushed voluntary threat sharing — but it has never been implemented at the speed or scale needed.
The idea is to create a vessel to allow government agencies to share classified cyberthreat data with companies, and push companies to share more data about incidents with the government. Companies have no legal obligation to disclose a breach unless hackers made off with personal information, like Social Security numbers. The order would not change that, though legislators have recently called for a stand-alone breach disclosure law.