Anne Neuberger is an influential figure in US policy on cybersecurity as a member of President Biden's National Security Council. In the fight against cybercrime, Neuberger has proposed banning ransomware payments, a strategy that has strong ties to changes in federal foreign policy.
Anne Neuberger is an eminent voice in the United States Government’s cybersecurity policymaking. Currently a member of President Biden’s National Security Council, Neuberger previously served as the National Security Agency’s first Director of Cybersecurity.
In her role as Deputy National Security Advisor for Cyber and Emerging Technology, Neuberger focuses on protecting the nation's cybersecurity and addressing emerging technological threats. President Trump eliminated the cyber deputy position in 2018; Neuberger’s appointment is one of the more visible efforts by the Biden Administration to elevate cybersecurity’s importance as a national security and foreign policy imperative.
In a January 2023 interview with the Washington Post, Neuberger pressed for new government cybersecurity mandates, citing the ineffectiveness of previous policies: “Voluntary efforts have been insufficient against the threat to the critical services Americans rely on”. More recent developments in federal policy back this sentiment: timely reporting on cyber incidents has been mandated by CIRCIA, the SEC, as well as the National Credit Union Association.
Neuberger is the Federal Government's most outspoken advocate for banning ransomware payments to cybercriminals. In a speech for the Institute for Security and Technology’s Ransomware Task Force, she explained that because “[f]undamentally, money drives ransomware”, making ransom payments is “the wrong decision” for the larger issue of ransomware. While Neuberger admits some situations may necessitate an as-yet undefined waiver exception, she sees a general ban as a solution in the long run: “But we have to ask ourselves, would it be helpful more broadly if companies and others didn’t make ransom payments?”
In Congressional hearings in the aftermath of Colonial Pipeline and other high-profile 2021 ransomware incidents, agencies including the NSA, DOJ, CIA, CISA, and Secret Service deflected questions about a ban on payments. The FBI, TSA, and Chamber of Commerce have been vocal in opposition to a ban on payments.
Neuberger’s comments highlight that this is an ongoing conversation. To some, banning ransom payments is the first step to combatting the recent increase in this specific cybercrime. At a glance, this solution makes sense; if threat actors don’t get the money they demand with ransomware attacks, then they are less likely to make ransomware attacks in the future. This perspective is not uncommon; in Australia, there is an ongoing effort to ban ransomware payments, and in the U.S. the FBI has been on record saying that they do not support making ransom payments.
Still, others have pointed out the potential issues with banning ransom payments. Criminalizing ransom payments could make people less willing to report cyber incidents. In North Carolina, banning ransomware payments has not necessarily reduced ransomware attacks.
The waiver part of Neuberger’s comments at the IST’s Ransomware Task Force adds more nuance to the conversation. While waiver requirements have not been officially discussed, it would not be surprising for exceptions to be based on new compliance requirements. The new cybersecurity framework from the NIST provides easily accessible tools for building up a company’s cybersecurity strategy, and may become a baseline for cybersecurity citizenship, where compliance serves as the standard for permission to contemplate ransomware payments.
In concert with Neuberger’s attention to the ransomware problem, it’s not shocking that the Counter Ransomware Initiative, an international effort to curb ransomware attacks in over 40 countries, has discussed banning ransomware payments.
Neuberger’s prominence is part of a larger national (and international) security effort, and highlights how cyber threats are increasingly bleeding into US foreign policy. The Russian-Ukrainian War has had a role in the increase of cyberattacks from Russian cybercriminals. According to the Director of National Intelligence, Russia continues to be a “top cyber threat”, with its focus on “improving its ability to target critical infrastructure…in the United States as well as in allied and partner countries because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.” Since Russia’s invasion of Ukraine, several German wind-energy companies have been hit by Russian cyberattacks. Neuberger notes that “[a]nother Russian cyberattack on the European energy systems remains a concern”.
As with Neuberger’s role on the National Security Council, the State Department is also paying more attention to cyber threats. 2022 saw the State Department establish the Bureau of Cyberspace and Digital Policy (CDP) (which includes policy units on International Cyberspace Security, International Information and Communications Policy, and Digital Freedom). Part of the CDP’s mission is to staff a cyber expert into every US embassy by 2025.
The State Department has also coordinated working groups to counter specific threats from Russia and North Korea. In May 2023, the Bureau Of International Narcotics And Law Enforcement Affairs offered a reward of up to $10,000,000 for information leading to the arrest of Mikhail Mateev, a notorious Russian ransomware operator.
Until recently, private sector cybersecurity was primarily treated as a law enforcement issue. Ann Neuberger, the National Security Council, and the State Department are shifting the conversation to make cybersecurity a foreign policy issue. As discussions progress and new strategies are used to tackle the rising threat of ransomware attacks, policymakers, cybersecurity professionals, and legislators will likely look to Neuberger's input and insights, along with other government officials. It's a labyrinth of complex decisions, and like navigating a labyrinth, the task requires calculated steps and continuous reassessments.
This post is part of DAR's "Federal Fridays" series. Be sure to follow DAR on LinkedIn for the latest updates!