Secretary of Homeland Security Alejandro Mayorkas said the U.S. and European Union are discussing how to “operationalize” their relationship to better coordinate on ransomware policy and investigations.
The comments follow meetings that took place this week between the EU Interior Ministry and the Departments of Homeland Security and Justice. While speaking Thursday at an event hosted by the German Marshall Fund, Mayorkas said the U.S. and its transatlantic allies largely agree on the scope of the challenge presented by ransomware groups, as well as the need for like-minded nations and other entities to cooperate. Now they’re focused on finding ways to translate those sentiments into concrete actions.
“I think we have a very similar vision between and amongst us, and what we are really focused on now is operational advancement,” Mayorkas said. “How to take the shared vision, the shared strategy and really operationalize it – I think that was one of the key takeaways.”
When asked by SC Media what that would mean in practical terms, Mayorkas said it often amounts to coordinating and offering a consistent message when engaging with the private sector and other non-public entities, while still being mindful that each nation is bringing different legal and political realities to the table.
“It could be…we have Country A and we would benefit from having Company A take certain steps [on ransomware], and Country B might think of some steps and Country C might think of the same steps,” he said. “Are we speaking collectively with that company? Are we aligning our requests most effectively? Because the company could be put in a very difficult predicament with different rules and different expectations in different countries.”
Mayorkas also pointed to joint operations between U.S. and European law enforcement agencies to arrest ransomware operators when they travel to other countries, as well as efforts to disrupt the command-and-control IT infrastructure they use and to seize or deny them the ransom payments they extract from victims.
Ylva Johansson, European commissioner for home affairs, noted that it’s easy for countries to talk about cooperation, but doing it is another matter. Nations must grapple with the fact that their visibility into the ransomware ecosystem is poor and that the attacks they do learn about are often “just the tip of the iceberg,” as many companies remain reluctant to inform police or deal with the reputational fallout from a compromise.
Recently, the U.S. Congress shelved plans to include a provision mandating that critical infrastructure entities report ransomware and other compromises to CISA in a must-pass annual defense spending bill. Mayorkas expressed hope that lawmakers will find another way to enshrine the requirements in U.S. law, while Johansson said the European Union is currently debating similar proposed legislation that could become law as early as next year.
“This is about awareness raising so…that we can build in more of the prevention and security from the beginning, but if it’s a hidden crime, then that’s not going to come up to the surface,” she said.
Johansson suggested efforts to expand cooperation between law enforcement entities across the U.S. and Europe and standardize parts of the investigation process would make it easier to coordinate across borders in the aftermath of an attack.
“It could mean, for example, that we agree on the different steps to take in a specific investigation so that we can be more effective, so that not every single investigation has to reinvent the wheel…if you have different standards on how to do the investigation, you will lose energy in the cooperation,” she said.
Mayorkas’s department and its lead cyber agency CISA have been dealing with fallout from the damaging and broad-based Log4j vulnerability. When asked how DHS and other agencies were prioritizing the issue, he said it was the kind of issue that will require a close working partnership not only with industry but other countries to effectively mitigate.
“It’s uppermost in our minds and quite frankly, uppermost in our action plans,” he said, later adding: “This is once again an example where the boundaries between states are illusory when it comes to cybercrime.”