Tech Republic reports on a White House sponsored “virtual ransomware summit this week with over 30 countries in attendance—although a few notable nations were excluded, such as China, Russia and North Korea. Australia, Brazil, Canada, France, Germany, India, Japan, United Arab Emirates and the United Kingdom were among the attendees.”
Cyberscoop adds that
Nations must better clamp down on money laundering in order to disrupt ransomware gangs’ illicit financial transactions, according to a statement Thursday from more than 30 countries that participated in two days of White House meetings focused on slowing hackers and digital extortion.
The joint statement also included commitments to other methods of countering ransomware, such as encouraging cyber hygiene practices to the private sector, collaborating across law enforcement and national security agencies and using diplomatic pressure against nations that harbor cybercriminals.
Bleeping Computer’s This Week in Ransomware discusses the summit and more.
ZDNet reports that
More than $5 billion in bitcoin transactions has been tied to the top ten ransomware variants, according to a report released by the US Treasury on Friday.
The department’s Financial Crimes Enforcement Network (FinCen) and Office of Foreign Assets Control (OFAC) released two reports illustrating just how lucrative cybercrime related to ransomware has become for the gangs behind them. Parts of the report are based on suspicious activity reports (SAR) financial services firms filed to the US government.
FinCen said the total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the $416 million reported for all of 2020.
Finally at this week’s CISA summit event marking Cybersecurity Awareness Week, the Acting U.S. Assistant Attorney General for the Civil Division Brian M. Boyton spoke about the Department’s Civil Cyber-fraud Initiative which leverages the False Claims Act to” identify, pursue and deter cyber vulnerabilities and incidents that arise with government contracts and grants and that put sensitive information and critical government systems at risk.”
We have identified at least three common cybersecurity failures that are prime candidates for potential False Claims Act enforcement through this initiative.
First, the False Claims Act is a natural fit to pursue knowing failures to comply with cybersecurity standards. When government agencies acquire cyber products and services, they often require contractors and grantees to meet specific contract terms, which are often based on uniform contracting language or agency-specific requirements. For example, cybersecurity standards may require contractors to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems or to avoid using components from certain foreign countries. The knowing failure to meet these cybersecurity standards deprives the government of what it bargained for.
Second, False Claims Act liability may be based on the knowing misrepresentation of security controls and practices. In seeking a government contract, or performing under it, companies often make representations to the government about their products, services, and cybersecurity practices. These representations may be about a system security plan detailing the security controls it has in place, the company’s practices for monitoring its systems for breaches, or password and access requirements. Misreporting about these practices may cause the government to choose a contractor who should not have received the contract in the first place. Or it could cause the government to structure a contract differently than it otherwise would have. Knowing misrepresentations of this kind also deprive the government of what it paid for and violate the False Claims Act.
Finally, the knowing failure to timely report suspected breaches is another way a company may run afoul of the Act. Government contracts for cyber products, as well as for other goods and services, often require the timely reporting of cyber incidents that could threaten the security of agency information and systems. Prompt reporting by contractors often is crucial for agencies to respond to a breach, remediate the vulnerability and limit the resulting harm.
At bottom, the department’s Civil Cyber-Fraud Initiative will hold accountable entities or individuals that put U.S. information or systems at risk.