[0:24] Navigating the Ransomware Evolution: Insights from Megan Stifel

Audra: Hello and welcome to the Point Cybersecurity with my guest, Megan Stifel. Megan is the Chief Strategy Officer for the Institute for Security and Technology. She's also the founder of Silicon Harbor Consultants, which provides strategic cybersecurity operations and policy counsel. Prior to founding Silicon Harbor Consultants. She was an attorney in the National Security Division at the US Department of Justice, and she most recently served as Global policy officer and Capacity and Resilience program director at the Global Cyber Alliance. So welcome, Megan.

Megan: Thanks for having me.

Audra: I would love to jump in on talking about nation-state ransomware attacks. So the Department of Justice recently announced that NatSec Cyber, a new section within the National Security Division, was created to take action against nation-state groups. How is this section addressing the global ransomware environment?

Megan: So to back up a minute, the National Security Division is the division where I was a full-time employee for eight-plus years in the Department of Justice. And I'm very pleased to see the development and establishment of this section. I it think is formalizing work that has been underway since the time I was there. Among the reasons that this section needs to be formalized is that it conveys within the department, as well as external stakeholders. 

Whether that's companies but also our allies and partners as well as other countries with whom we don't see eye to eye on most of the issues thinking about in particular Russia and China. It sends a signal that this is an issue that the government in particular continues to take seriously in terms of how it's combating ransomware. 

 

Government Action and Tools for National Security Threats in the Ransomware Evolution

Megan: We know we sort of collectively, but we as an organization, as the Institute for Securities and Technology issued a report in April of 2021 where we made some specific recommendations on how to combat ransomware. And one of the top recommendations was that governments in particular be more outspoken about the fact that they recognize and treat ransomware as a threat to national security. 

So it's not just a business nuisance as it was in the 20 teens, but it has risen to the level of a risk to threat to national security. By making this recognition, the governments then, particularly in the United States, are able to avail themselves of additional tools to combat national security threats that may not be available if something is considered a sort of pure crime. 

Audra: Can you talk about some of the tools that are being used to combat the threat itself?

Megan: Sure. So probably the most visible one for some is this idea of the sanctions list. The Department of the Treasury, the Office of Foreign Asset Control, has continued to use sanctions to identify members of the ransomware threat ecosystem who have been sanctioned and thereby limited their ability to travel, worked to seize funds and the like or freeze funds rather, excuse me, freeze funds. 

So I would say sanctions is one example, but in thinking about the Department of Justice in particular. Leveraging the law enforcement and national security capabilities that the government has at its disposal. One that I think listeners may not have been as attuned to in the past is that the government has been transparent in saying that it uses Section 702 of the FISA, Foreign Intelligence Surveillance Act, amendments Act to combat ransomware. 

 

Tools for the Future

Megan: And I think that's one of the tools that the government is using. So thinking about its ability to collect information from service providers in the United States under lawful authorities that are subject to reporting and privacy and civil liberties protections. So looking at financial tools, looking at law enforcement and intelligence collection tools are kind of the top three that we've seen. And there are of course others that the government might choose to use. 

So in the future and thinking about there's the International Emergency Economic Power, IEEPA, to which some of these sanctions are tied. But there could be other tools that the government could use. The last one I would point to is something that also came out of one of our recommendations. Well, it aligns with one of our recommendations, which is this idea that we as the government, need the government to better support organizations so that they can better prepare themselves against a range of cybersecurity threats, including ransomware evolution, and that they can better recover from those. 

So the money the government is making available through a grant program administered by the Department of Homeland Security Funds that were appropriated. I believe, under the infrastructure bill from the last the fall of 2021, November, they are now making funds available to the states to help also better prepare. So we need to think about how do we better prepare and then how do we better respond. And across that spectrum, are these range of tools from law enforcement capabilities, treasury, so financial tools, and then monetary assistance.

 

 

Addressing Vulnerabilities Across the Ransomware Evolution

Audra: Are we doing anything around the area of actually going to the technology providers, so the service providers in terms of trying to combat these kinds of attacks before they actually get to the end users? Is that anywhere within the manifesto?

Megan: So the government's manifesto, I think I don't have perfect insights on that piece, but we know that the vulnerabilities that can be leveraged to launch ransomware attacks are vulnerabilities that can be leveraged to conduct a range of cyber actions or attacks if some people want to go that far. Things like the inconsistent use of multi-factor authentication, the failure to patch vulnerabilities, the failure to have a vulnerability notification process in the first place. 

How do bugs get reported to organizations? So there are a number of steps that organizations both developers and vendors can take. But then there is the flip side of that, which is to say, well, who's going to buy these products and whose buying power can help these developers vendors ensure that their products are brought to market in a more secure manner? And I think there is increasingly more reporting about the fact that the government is intending and trying to use its procurement power to raise all ships. 

So if the government is procuring services from Microsoft, do logs have to be paid for in addition to the securities, in addition to the software that Microsoft licenses have been granted to the government. And so I think we're getting there, but there's certainly room for improvement in thinking about working our way back. The vulnerability chain, to where a product service, capability, a software comes to market and it doesn't come to market with, for example, known vulnerabilities.

 

 

[8:22]Understanding Motivations in the Ransomware Evolution

Audra: And that seems very reusable to me. So in terms of global ransomware, international ransomware. And that sort of thing recently the United Kingdom and Japan were victims of global ransomware attacks. What is the motivation for international ransomware attacks? What are the motivations for the different groups we know and how does it differ? Differ? So groups that are targeting, say UK and Japan versus the United States different, is it all for the money or are there other motives that you're seeing?

Megan: I would say it's mostly for the money. And one of the concerns that we've had since the time that we issued this report now almost two and a half years ago, is that as the United States and its partners undertook more. In most cases kind of overt responses to ransomware, the attacks would begin to kind of expand out. So if the United States were to harden itself both diplomatically and through protective measures. As well as demonstrably not just through diplomatic channels but overtly. 

And we can talk a little bit about what some of those overt signals have been that the United has taken. Because I think they've taken several other countries that have become targeted. But in the end, at the end of the day, what's driving these actors is money. And so one of the other key recommendations that we had in our task force report, was not to keep talking about it. But is that we need to follow the money and if we are going to. It's not a silver bullet turning off the money. Because we still will have vulnerable systems that are unpatched and the like that can be used for other malicious purposes.

 

Ransomware Evolution and the Quest for Global Financial Action

Megan: But if we are able to turn the money flow down, we can drive these actors to undertake different types of activities. Perhaps ones that we are better prepared to prevent. And at the same time though, we know that one of the ways to follow the money is by implementing some of the recommendations. Or all of the recommendations that the financial action task force has issued to help combat the malicious use of virtual assets. Cryptocurrency being a virtual asset, but not enough countries have implemented those recommendations. And so it's not to pick on the UK or Japan.

Audra: You can, I'm comfortable.

Megan: I'm almost certain that the UK has, I don't know that Japan has not. I just don't have that information in front of me, apologies. But other countries, particularly if we think about the global south, for example. last year the percentage of attacks in Latin America increased from 9% of global reports to 13%. We know there is less uptake of these recommendations. And so it's important we think to have consistently across the globe a common baseline of actions that financial systems are taking to reduce the malicious and illegal use of virtual assets. 

Because then there's kind of nowhere to hide where we have an uneven implementation of known best practices. One of those is reporting, what are we talking about reporting? We're talking about what's known in the United States as suspicious activity reports. So a ransomware payment is certainly suspicious. In the United States, if you're a money services business, you have to report suspicious activity to the treasury. 

 

Implications of Ransomware Evolution: The Global Response Landscape

Megan: What makes you a money services business in the case of ransomware is if you're facilitating a ransomware payment. So that's how we in the United States have begun to approach trying to clamp down on the spigot of money that's flowing to these actors.

Audra: Excellent. So what you're suggesting is remove the prize and they'll do something else as one of the things if money is their motivation. So if we focus on how the United States responds to cyber incidents associated with Russia specifically. How does that impact our relationship with other cyber powerhouses like China, North Korea, and Iran? How does that change things or have an impact on how we interact with one another?

Megan: I think there's a general consensus that everyone is watching us. Our friends, partners, and allies are watching us to see how we are leading in this space. Although I think for a period of time we haven't quite been the leaders in cyber policy that we would like to be. But also what is our defensive practice and what is our response approach?

And that goes for our enemies so to speak. Or the countries that we don't share many common values with more authoritarian regimes like Russia, China, Iran, or Korea. And so were we to take an approach of not responding to an incident like the colonial pipeline. Incident perceptions or reality of perceived weakness is observed by others. And I think can signal to them or inform their approach on what types of attacks they might attempt in order to send a variety of signals.

 

 

Deciphering the Ransomware Evolution: Motivations and Escalation

Megan: So different countries obviously have different motivations in why they choose to attack US critical infrastructure or rifles. And hold hostage small businesses in the early days, so to speak. We used to talk about the Chinese as a rather selfie, I think, and the Russian. Maybe it was the reverse, I can't even remember now because I don't think the analogies are true. But it was kind of the drunk burglar versus the stealth operator.

And now we see many of these countries, are overtly in our systems. Networks and making noise and leaving a trail of breadcrumbs to signal to us that they are holding us at risk. And so I think where we don't on the ransomware front see as much of that perceived probably, or at least overtly described holding us at risk on the ransomware front. We tend to think that much of this is kind of clumsiness. In the other cases, we see some of the other actors leveraging, not necessarily ransomware, but other cyber attack tactics do signal that we are held at risk.

Audra: So they want to be found or they want to show they're there.

Megan: Certainly for ransomware actors, yes. They can't get paid unless we know they're there.

Audra: Exactly. I agree with that. 

Megan: But ransomware hasn't necessarily been the tool of choice. I would say to send it for a kind of high-level conflict. However, the vulnerabilities that are leveraged to undertake ransomware attacks can also be the building blocks of higher escalatory types of attacks.

Audra: So could you name a few? So where do they move on to if they're going higher?

 

 

[16:12]Unraveling the Ransomware Evolution with Criminal Gangs

Megan: Well, I think this is where the picture begins to break down a bit. In many cases, the assessment is that many of these ransomware gangs are operating in and in neighboring regions of Russia where there are largely criminal groups who are driven by money. But there are some who may be either operating at the behest of or informed by or protected by the Russian government. So where do they go next? 

Well, if they become quite a successful ransomware gang member. The United States sends an information request to say we think that this particular person is involved in unlawful activity in violation of a range of criminal laws. The Budapest Convention is kind of where a convention on cybercrime articulates. And is internationally accepted as a common set of criminalized behaviors when it comes to computers rather than saying, okay, we'll go out and arrest this guy. Oh, he's quite, he or she, most cases it's he's quite capable, we'll recruit him to the government. 

And so then you can kind of see where it goes, where we get those skills. The skills deployed for other areas where we have seen. If you think about the Shields Up campaign that CISA had was less about ransomware prevention. Although there are aspects of it that are effective against combating ransomware. But more in the sense of critical infrastructure protection where some of these gang actors may also be what we used to call or still call. 

I think moonlighting is certainly what we thought with regard to China. If you think back to when the United States indicted a number of actors associated with the three PLA. There was a perception that they were doing both criminal and government-directed activity against US networks.

 

The Evolution of the International Counter Ransomware Initiative

Audra: Yes, no, totally. And it's a very good example of people with two motivations or more in terms of their activities. So let's talk a bit more about the International Counter Ransomware initiative. Obviously initially founded in full of 2021, the CRI has expanded to include more than 40 member countries and it continues to grow. Can you talk about how this organization works to mitigate the global ransomware environment and any successes that you've found through this mitigation?

Megan: Sure. So yes, the Counter Ransom initiative. If one can think of it as simply a coalition of the willing.

Audra: Okay, so willing to share.

Megan: So back to the earlier, well, I think they're working towards share. I think the first phase of willingness is to say that ransomware is a risk to all of the member countries and not just them. And so if we all have a common risk, then hopefully we can undertake common measures to mitigate that risk. The first meeting, as you noted, was in the fall of 2021. There was a meeting last fall in November 2022, and now there's a plan for a meeting coming again this year. 

The International Counter Initiative Task Force, ICRTF is one of the pieces of work that the counter ransomware initiative is undertaking. I think one of the success stories of the initiative at a very high level is the spectrum of countries who are participating in it. So there are countries as large as the United States as a leader or the founder of it. Over two countries that are less known necessarily not to cast aspersions. But one doesn't necessarily think about Bulgaria, for example. Which is a member of the CRI as a cyber policy lead.

 

Global Commitment and Information Sharing Initiatives in Ransomware Evolution

Megan: And so I think where we have this broad spectrum of stakeholders who are willing to make this commitment. And announce that they believe that ransomware is an issue that deserves global attention, that's critical. So they've announced a range of actions, including, as I mentioned a few minutes ago. This idea of implementing recommendations, financial and task force recommendations, looking at again, a coalition working to use law enforcement capabilities to address ransomware. 
And so we've seen a number of disruptions along those lines involving CRI member countries. And then looking at better shoring up their own domestic space. So that they're less likely to become victims of ransomware in the first place.

Audra: So in terms of the information sharing that's going on amongst the 40 member countries and growing. What kind of information is being shared? Is it best practices? Is it known as bad actors or bad groups? What kind of information is actually being shared to help create this united front?

Megan: I think that's an area where it would be good to have greater transparency. Frankly, our sense is that it's a little bit of both, but there has not been a lot of information. I think about it, I think there has been a greater conversation around the workaround information sharing that's being led by the UAE and Israel now. I've forgotten the name of it, then I'll find it and give it back to you.

Audra: If you remember it later.

 

 

From Technical Information Sharing to Ransomware Evolution

Megan: A technical information-sharing platform. But actually what type of technical information are we talking about I think is a little less clear also who participates in that? I think we don't have a full sense of it. But I do think it's interesting and a good signal that these two countries have come together to work together on this effort around information sharing. But it needs to be holistic sort to your question, it should be about, we shouldn't just be identifying TTPs. 

We should be also looking at feeding those commonly used tactics, techniques, and procedures back to the vendors. Whose products are insecure and being leveraged to conduct these types of attacks. So I don't think that the platform, the name of which I can't remember at the moment is supporting that. But I think the overall initiative as it evolves. I would hope that it would work to build that kind of an information environment.

Audra: I think that would be amazing. The whole thing is trying to stop these things at the base effectively. These solutions that have the vulnerabilities, they're enablers. And if those enablers are not addressed. No matter how much we do, it's always going to be a challenge if there's always an open door.

Megan: Agreed.

Audra: So you have a really amazingly interesting background. I was wondering if you'd be happy to talk a bit about how you ended up where you are today. I always quite like to know how people get somewhere. And I never think it's that straight a road and it always makes it quite interesting. Are you happy to talk a bit about your previous roles and how you ended up where you are today?

 

 

[24:14]Megan's Journey in the Ransomware Evolution

Megan: Yes. The come to being story, right place at the right time, wrong place at the wrong time. No, I think I would say it's on the positive front. It's the right place at the right time, but not as intentional of a course to get there. So I would say I joined IST almost two years ago and had spent time as an adjunct with IST for a number of years prior to that. And I joined IST among other things to help support the implementation of the ransomware task force where I was a co-chair. But I was in my prior role at the Global Cyber Alliance at the time. But that's a long way of saying I'm now in nonprofit land.

I've been here, since leaving the government. I left the government in 2014. And I think what unites many of us in the nonprofit space around these issues is that there continues to be a sense of mission. I think that's what drives all nonprofit organizations. That's how they get to their status. But what I've appreciated about being in the nonprofit space is that in many cases I'm still working with a number of the same colleagues. 

Some of us have left the government. But we're still in a unified front as stakeholders in different spaces working towards a common goal. Which is to have a more secure cyberspace, so to speak, a more secure internet. And I think one of the roles that helped me better recognize the role of. We all know that industry plays a critical role and we call this kind of broad stakeholder effort.

 

Megan's Path from Government to Internet Governance

Megan: That means that we're talking about what industry can do, what academia can do, what civil society can do to nonprofits. And what the government can do to advance a more secure ecosystem was my time at the NIC where I left the government. From there I led internet governance and interagency work. Internet governance is kind of the norms that we set around how we operate and maintain the Internet. Because there isn't actually a global governance board for the Internet. 

There are a couple of different organizations that make up and set standards around how the IP spaces are allocated. The requirements among companies that are then locating those IP spaces. Like through the work of internet governance. I had the opportunity to move from the shadows of the national security space and engage more closely with all of the stakeholders. Of course at that time, and we continue. I think the United States supports what we refer to as the open, interoperable, secure, and reliable Internet.

We've added another phrase to it. But that work I think was really kind of the bridge between spending a lot of time in the national security space. Thinking about how the government can undertake its duties under the Constitution to help protect the people of the United States and ensure public safety in a manner that reflects our values. So in a way, there is accountability for government actions that can. Where there lack of accountability and structure, reporting, and transparency. And safeguards can be leveraged to invade people's privacy and overstep in a way that doesn't reflect the values of the United States. 

 

From FISA Attorney to Ransomware Evolution

Megan: And that's where I spent a lot of my time prior to the National Security Council staff thinking about how the government does its surveillance work. Particularly around intelligence collection. And so initially began my government career as a FISA attorney. So I was doing applications for FISA. Many people around the world, especially in the United States, didn't really know existed until kind of the past decade or so since the Snowden disclosures. And I joined the Department of Justice after two years in industry, so to speak, in legal services. So happy to talk further about any of those. But that's the short or long version.

Audra: No, I think it proves that you're driven, and I agree being mission-driven and particularly cybersecurity is important but so is privacy. That side of things that sits very strongly with me. One of the first things that happened when I actually joined Forcepoint was working on what our privacy policy should be and doing privacy by design. So you need the security side. Absolutely, a hundred percent. But it's more about protecting individual's, right to privacy at the same time. Extremely important.

Megan: Yes. And so I think it's a growing space, certainly across a number of different professional paths. These ideas of privacy and security. We need policies that support that, but we also need technologies developed with these two priorities in mind.

 

 

The Impact of Questioning and Stakeholder Engagement

Megan: And so there's a critical conversation. It's not just one conversation that needs to happen between employees. And really anybody developing this technology in order to ensure that we are moving in a more sustainable direction. We're not continuing to develop products that lack adequate security and don't have a pathway toward becoming more secure.

Audra: Totally agree with you on that. So a bit of a different question, but still related to how you got to where you are today. What's the most impactful lesson you've learned over the course of your career and what did it teach you?

Megan: Well, that's a tough one. Probably questioning something is actually to the benefit of everybody involved in the process. But unfortunately, I think sometimes it can be taken as an attack. And so where we were, if you are looking at how the government, is the government authorized under the law to undertake a particular type of activity. Well, you have to ask questions to understand what it's all about. 

Similarly, when a product comes to market, we need to ask. We should be asking questions about that somewhere along the way up to and including our policy priorities. How did we set them? And so I think part of questioning really is stakeholder engagement. And so I think, I guess the flip side of that, if I can have two answers to the question, is kind of like never judge a book by its cover. 

 

 

Learning from Questions and Building Collaborative Solutions

Megan: So never judge a question by looking below the surface and seeing. Try to take an open mind in responding to questions, and try to take an open mind in interpreting the intent of the question. Is the intent of the question to scuttle your process or is it to learn more? To hopefully make your process as successful as possible, make your policy agenda as successful, implementable, and supported as possible. And I think that's leading from a vantage point or a perspective that there's always something to be learned from every conversation. 

So maybe I had three answers, but certainly, we can't move forward. We can't have a more secure cyberspace, if you will, or more sustainable cyberspace. Meaning that it's better than it was 10 years ago and it's going to continue to evolve in a better direction as opposed to a worse direction without engaging a range of stakeholders. In order to do that, we need to talk with them.

Audra: Absolutely. I am in a hundred percent agreement on that one. And there shouldn't be anything wrong with a situation or challenge. So like products when they come out. Like the Internet of things, products, a whole raft of products that have bad security, and so they need to be challenged to be fixed. I'm in total agreement with you on that. So, Megan, we're just running out of time. And I just wanted to thank you so much for joining us and talking about ransomware evolution and also your career. Really appreciate it. And I just wanted to say to our listeners, till next time, stay safe.

 

 

About Our Guest

 

Megan Stifel is the Chief Strategy Officer for the Institute for Security and Technology. She is the founder of Silicon Harbor Consultants, which provides strategic cybersecurity operations and policy counsel. Prior to founding Silicon Harbor Consultants, she was an attorney in the National Security Division at the U.S. Department of Justice (DOJ).

She most recently served as Global Policy Officer and Capacity and Resilience Program Director at the Global Cyber Alliance. She was previously the Cybersecurity Program Director at Public Knowledge.