White House digs in on ransomware

The Biden administration is set to hold a two-day summit on ransomware, as it works to kick-start a year-old effort to unite the international community against digital extortion.

HAPPY MONDAY, and welcome to Morning Cybersecurity! I was reminded of something important Friday, when I rolled out of bed on my “off-day” to attend a Commerce Department roundtable featuring Chris Inglis, Jen Easterly and Anne Neuberger: Nothing beats attending events in-person.

On a livestream, you can’t observe the note-passing and the side-eyeing that takes place behind the camera. You miss the sideline commentary. And it’s impossible to see officials’ reactions — the moments when eyes open wide, and those when they seem to drift off toward the weekend.

In sum, you lose the texture that forms the grist of good reporting. After all, if I didn’t know a certain tech exec’s son is soon to experience his first Triwizard Tournament, this newsletter would probably nosedive straight into your spam folder.

Got your tips, feedback or other commentary? Send them to me at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

The Biden administration hosts members of the Counter Ransomware Initiative for a two-day summit in Washington, D.C. Not open to the public.

Camille Stewart Gloster, deputy national cyber director for technology and ecosystem security, speaks at an Aspen Digital event on the White House’s forthcoming cyber workforce strategy. 11 a.m.

DIGGING IN — Today and tomorrow, the White House will host representatives from 36 foreign countries and the EU for a two-day summit on ransomware, as it doubles down against a stubborn digital threat that has persisted even after the attack on Colonial Pipeline elevated digital extortion to a high-profile national security issue.

The representatives of the Counter Ransomware Initiative — an intergovernmental partnership the White House formed last October — have been cooperating over the last 12 months to arrest ransomware actors, improve victims’ defenses, trace the digital currencies that fuel extortion payments and apply pressure to states that fail to address ransomware activity within their borders.

Still, the U.S. continues “seeing the pace and the sophistication of ransomware attacks increasing faster than our resilience and disruption efforts,” a senior administration official told reporters during a Sunday night press call.

The 48-hour D.C. conclave offers members a chance to assess their progress and “redouble” the group’s efforts, continued the official, “because fundamentally, no one country can take [ransomware] on alone.”

A-listers — Over the course of the two days, CRI members will hear from a who’s who of top U.S. officials, including FBI Director Chris Wray, Deputy Treasury Secretary Wally Adeyemo, Deputy Secretary of State Wendy Sherman and national security adviser Jake Sullivan.

Other top officials, like the new ambassador at large for cyberspace and digital policy, Nate Fick, and Eric Goldstein, executive assistant director at CISA, will also attend.

Notable absence — The CRI does not count among its members Russia, where many prominent ransomware groups operate.

On the Sunday press call, the official dismissed the idea that the CRI would suffer from the Kremlin’s absence. The effort is “less about Russia and more about how we make it harder and riskier for ransomware groups to operate,” the official said.

Private sector has a voice — Thirteen entities from the private sector will partake in the summit, offering their thoughts on how the government and industry can work together against digital extortion.

From the U.S. that list includes security giants Microsoft, Crowdstrike, Mandiant and Palo Alto Networks, and nonprofits the Cyber Threat Alliance, the Cybersecurity Coalition and the Institute for Security & Technology. On the foreign side of the house, Flexxon, SAP, Siemens, Internet 2.0, Tata Consultancy Services and Telefónica will also sit in.

Building momentum — At the conclusion of the summit, the Biden administration plans to announce a slate of new efforts to jump-start the initiative.

That includes a platform where members would be able to upload, identify and share tips on ransomware payloads they spot within their borders. The administration will also issue a statement outlining new ways CRI members can apply diplomatic pressure to countries harboring ransomware groups.

One last nugget — When the summit kicks off at the FBI today, the official said, CRI members will receive a briefing from the U.S. intelligence community with “their outline of the origins of the [ransomware] problem.”

That is a contentious question for which the U.S. government appears to have an answer: The briefing will include a chart mapping bitcoin prices to the increase in ransomware attacks and a second graphic with 4,000 foreign ransomware attacks sorted by sector.

AT THE BALLOT BOX — A respected nonprofit is calling on lawmakers to establish standards for how states verify electoral results, an effort it hopes could avoid a repeat of 2020, when a wave of ham-handed election audits run by partisans and amateurs undermined Americans’ confidence in the outcome of the vote.

The absence of any recognized process for post-election auditing or a certification system for auditors has opened space for “sham reviews” that damage rather than restore confidence in well-run elections, argues a report out today from the Center for Democracy and Technology and shared exclusively with MC.

The problem — Post-election auditing offers “the strongest tool available” to restore public confidence in the results of elections. But there are no clear standards or processes for conducting them, making it difficult for outside observers to differentiate between legitimate and illegitimate reviews.

For example — The audit in Maricopa County, Arizona, “flagrantly violated each of the principles of a good post-election audit,” the report finds. It was carried out by an unqualified third party, it had an unclear mandate and it fell “far short” of the transparency expected of legitimate audits, among other problems.

“Fraudits” of that kind, the report says, undermine trust in elections, risk voter privacy and even cost taxpayers huge amounts of money, since the risk of tampering can compel state officials to procure expensive new election equipment.

Show me the way — Creating national audit standards, implementing an accreditation system for election reviewers, and establishing elections offices within state audit programs could “expand the use of good post-election audits, and mitigate the effects of sham reviews by disincentivizing them,” the authors argue.

Though each recommendation would mean “additional red tape” for state officials, CDT believes the implementation of any one of them could “considerably improve” the country’s audit process.

CLOUD GAZING — On the sidelines of last Friday’s aforementioned Commerce Department roundtable, MC sat down with Jeanette Manfra, director of risk and compliance at Google.

Before decamping for the private sector, Manfra worked on critical infrastructure protection in government, with stints at CISA, DHS and the National Security Council. She shared her thoughts on CISA’s new cybersecurity performance goals, its push for multi-factor authentication and why she’s such a strong advocate of international cyber standards.

— Performance goals: Asked whether Google intended to incorporate CISA’s just-released cyber baselines into its cloud service offerings, Manfra said Google would need to take a “closer look” but her initial impression was “that many, if not all of them, shouldn’t be a challenge for Google customers to achieve.”

Google will identify ways to help its users meet standards and outcomes the U.S. government expects industry to achieve “as a matter of principle,” she added.

— MFA visibility: In a recent blog post, CISA Director Jen Easterly called on large technology providers to publish transparency statistics on their users’ adoption of two-factor authentication. But are tech giants like Google willing to play ball?

Manfra said there is “no reason” why large technology providers like Google couldn’t provide aggregate data on MFA usage for their customers, though she cautioned there could be contractual issues with sharing user-level data. Overall, she concurred the initiative could be “interesting and useful.”

— Time for international standards?: Because you can get hacked no matter what you do, argued Manfra, the best way to assess right and wrong in the aftermath of a breach is to consider whether a victim applied “acceptable practices.”

The hitch? Those don’t exist yet, meaning the cyber community has to “keep working” to define them at an international level, said Manfra.

ADVICE FOR THE ADVISERS — Today, the White House’s top cyber workforce official is due to ask the public for help brainstorming ways to remedy a roughly 700,000-person shortfall in national IT talent.

Camille Stewart Gloster, deputy national cyber director for technology and ecosystem security, will appear at a webinar today to encourage researchers, advocacy groups and the general public to respond to an Office of the National Cyber Director request for information about growing and diversifying the country’s pool of cyber-savvy workers.

Fast approaching — The feedback, which is due Thursday, will support the Biden administration’s forthcoming cyber workforce strategy.

Last month, Gloster told The Washington Post that she is particularly focused on efforts to support three groups: IT professionals, employees who work at cybersecurity-adjacent organizations and the general public.

Big prize — Once the proposals are in, the ONCD will invite the respondents with the best submissions to pitch their ideas before White House officials.

That phase of the public solicitation process will wrap up in February, while the Biden administration’s new cyber workforce strategy is expected to follow the broader national cyber strategy sometime in the coming months.

Managed service providers — Security represents a key growth area for managed service providers — the companies that manage IT services for mostly small- and medium-sized businesses — according to a survey out today from Datto. The survey of 1,800 MSPs found that incident response (24 percent) and forensics and endpoint threat detection and response (22 percent) ranked just below collaboration software (26 percent) as the top anticipated growth areas among respondents.

Treat and treat — Security firm Synack has two treats to offer you this Halloween: first, a new report detailing the security risks of the near-ubiquitous use of application programming interfaces, or APIs — the software intermediaries that help two programs talk to each other. Second, it is launching a pen-testing service for its customers to root out API-specific vulnerabilities, one of the top sources of data breaches in web applications this year.

We know humor is the best medicine. It might be the best security control, too.