The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> GIACOMO PAOLI PERSI: Good afternoon, everybody. Welcome to Nowhere to hide: Accountability to fight global ransomware. My name is Giacomo Paoli Persi, UNIDIR. I have the pleasure of being your moderator today.
Whether you're joining us in person in Oslo or online, we're excited to have you join this event.
If you're here, you have to wear your headset, and we're broadcasting on Channel 5 for this meeting.
Over the course of the panel, there will be an opportunity to engage with our excellent speakers and ask questions. If you are here in the room, you will see microphones at the periphery of the seating area. The moderator will pass online questions to me, and we will extend it to the speakers.
Why ransomware? It grew by nearly 300% last year alone. Now, ransomware is not new. So the question comes, how is it possible that despite the fact that we know what ransomware is, that it still has a devastating impact on cybersecurity? How come these percentages keep growing? That's a combination of different factors.
There's the technology factor that is making these ransomware campaigns more difficult to detect, quicker to deploy at scale.
There is also another evolution of the threat landscape, which is the emergence of commercial off‑the‑shelf ransomware tools.
On one side, there's definitely a threat that's continuously evolving and becoming more complex.
On the other side, we have failure, a systemic failure to find the right countermeasures to mitigate this threat.
And these countermeasures start from basic individuals and escalate up to organisational and governmental and intergovernmental responses.
So, through the panel today, we're really hoping to get different perspectives from speakers that are representatives of different stakeholder communities that can really help us understand better not only how the threat is evolving but, also, what we can do to monitor, to detect, and to respond to such a ubiquitous threat as ransomware.
So I'm very happy to be joined by great speakers today. I will introduce them here. They're both in the room and joining us online.
Starting here on my immediate left, Brendan Dowling, DFAT, Australia.
On his left, Francesca Bosca.
Further down the table, we have Chelsea Smethurst, Microsoft.
And then Julie Rodriguez Acosta, MFA El Salvador.
So we will go and give each speaker an opportunity to share some of their initial remarks. Then we have structured this panel through a series of questions and answers.
So I would like now to give the floor to Ambassador Dowling, on my left, for his remarks.
>> BRENDAN DOWLING: Thank you, Giacomo.
There are more criminal groups taking advantage of this crime type. The way the ecosystem has developed means you no longer need to be a sophisticated group to be able to conduct a ransomware attack. We have a service industry where you can talk to a liaison person or broker who will conduct the initial attack on the system. There will be people who will fence the data for you, who will conduct each element of the operation for you. So it is now an accessible crime type.
For more groups, they will take 20% of the profit from the attack that you can deduct. So it's become democratised and industrialised, and it is ubiquitous.
What we're worried about is groups are targeting the smaller, vulnerable types of society. They realise that attacking the structure like with the Colonial Pipeline attack is bad for business. It's more productive to attack a higher volume even if you're extracting a low‑value ransom.
What we're seeing in Pacific Islands, some populations of fewer than 100,000 people are being targeted by groups out of Russia.
Last week, Tonga, a service was shut down by a ransomware attack. We have deployed a team from Australia to assist them with recovery, but it's astonishing that in a country the size of Tonga, one of the most remote islands in the Pacific is being targeted not at their government or business level but the National Health Information Service.
At the moment, in hospitals in Tonga, people are using paper and pen to deliver health care to their people.
Nursing are struggling to process and triage patients because of these attacks. So for anyone who doubts how much of a scourge this crime type is globally, that is the sort of activity that we're seeing now. We have an attack against the company. 10 million Australians had their health information compromised.
For anyone who thinks it's a technical issue, of that incident, we saw women and families experiencing domestic violence from people not aware of the health treatment that their spouse or mother or sister had been seeking and had to be moved to safe houses to escape violent partners or former partners.
These are not cyber issues or technical issues. These are whole of nation security and safety issues.
What can we do about it? It's really hard. This is a crime type that didn't exist before cryptocurrency. It enabled the long‑range launching of ransomware attacks across the globe.
So that financial innovation has made finding this crime much more difficult. We need better access to crypto exchanges to disrupt things.
This relies on a lot of brokers, middle operators who make the system functional. We need to get better at disrupting the entire ecosystem.
In Australia, we apply travel sanctions against cybercrime actors. This is an important‑but‑limited measure.
Hard disruption of the ecosystem, earlier this year, we fried the servers of the people who hosted the data in the ransomware attack. But this crime thrives because too many jurisdictions are not doing enough about it.
They're operating out of safe harbours, safe jurisdictions where there are few consequences.
Primarily, these groups are operating out of Russia, not solely, but we need jurisdictions to take this more seriously. That's why we supported mechanisms like the cybercrime jurisdictions.
It's basic vulnerabilities. It would be better if they were forced to use certain techniques, but they can get by with knowing vulnerabilities because we're not doing enough to patch. Technology companies are not making it easy enough to upgrade software and replace end‑of‑life hardware.
This needs to be a global response to hit all aspects of both the ecosystem in which this crime thrives but how we also build up resilience. We also need to talk about it more openly. There's a sense of shame amongst businesses or entities that no one wants to be open about this.
So I get attacked today, and my neighbour gets attacked tomorrow because I didn't share the information about it.
This is important. This crime type is getting worse. It's targeting the most vulnerable. And, at the moment, we are not winning.
>> GIACOMO PAOLI PERSI: Thank you, Ambassador, for touching off on many points that I'm sure will be picked up by speakers in their remarks and definitely during our Q&A.
I would like now to pivot online and welcome Julie, connecting from New York. I hope you can hear me and see us okay.
Julie, if you're ready, the floor is yours.
>> JULIE RODRIGUEZ ACOSTA: Thank you so much. I hope you can see me and listen to me okay. Greetings from New York City. Today, it's really, really hot.
Let me extend my thank you to the organisers for organising this discussion. I cannot think of a better group of stakeholders to reflect on how we can collectively counter the impacts of one of the most pressing information security threats of all time.
My first point is that, as was just mentioned, cyber crime ‑‑ ransomware is just not a cybercrime issue. It has effectively boiled into a national security crisis around the globe, and its consequences are tangible and personable and affects individuals like you and me. Businesses, hospitals, schools, local governments, they all have been targets. No one is immune.
So beyond this impact, ransomware also has brought implications for international security, including the potential leaks to the financing of weapons of mass destruction.
So, in this context, the United Nations continues to offer a platform to advance dialogue, promote international cooperation, and build collective responses.
Notably, ransomware was not included until the first report of the working group that's currently addressing these issues in 2022.
And, as Giacomo says, ransomware is not new.
El Salvador was among the countries that advocated for inclusion. We were pleased to see ransomware formally acknowledged in the report.
(Audio is distorted)
>> JULIE RODRIGUEZ ACOSTA: It can affect state's ability to maintain governance. Since then, El Salvador has advocated for strong language that references ransomware directly, especially as we face new threats exacerbated by other emerging technologies like artificial intelligence.
As was just mentioned, AI has enhanced the sophistication of social engineering and phishing campaigns.
We also support language reflecting concern over the rise of ransomware as a service model that allows individuals without technical backgrounds to launch highly disruptive attacks. These evolving business models significantly lower the entry for cybercriminals and the technicalities of more sophisticated actors.
The potential implementations for international peace and security must not be underestimated.
We also have supported advancing a more holistic view of the ransomware ecosystem, one that includes effective prosecution, disruption of technical ‑‑ and breaking the financial cycle.
(Audio is cutting in and out)
>> JULIE RODRIGUEZ ACOSTA: One of the elements that was mentioned in recent discussions is the human‑centred approach, one that prioritises understanding in addressing the real‑world impact of individuals and communities.
Much needs to be done to strengthen the mechanisms and also the adoption of common standards.
I will stop here, but, definitely, I will look forward to hearing the perspective of other speakers and to continue this conversation.
And thank you so much for having me on.
>> GIACOMO PAOLI PERSI: Thank you, Julie, for sharing your initial remarks. We'll come back to you with a couple of questions.
Now I would like to move to Francesca. We've heard already that the first two interventions are the first challenges about countering ransomware, the ability to look at campaigns and trace the various actors and their malicious actions.
>> FRANCESCA BOSCA: Thank you to the organisers and to Giacomo, the moderator.
It's a pleasure to contribute to the discussion today. Allow me to give a bit of context on the work of the CyberPeace Institute to give thoughts. The CyberPeace Institute is an organisation devoted to reduce the harms by assisting vulnerable communities. And we do this in a very concrete way, starting by analysing cyberthreats. So the participation in advocating for responsible behaviour in cyberspace based on what we gather.
We provide free cybersecurity support to other organisations, and we use this knowledge to engage in international forums, also like this one, to promote responsible behaviour in cyberspace and also by monitoring emerging technologies, like Julie was just mentioning, artificial intelligence. Also, we anticipate how future cyberthreats might impact on the threat landscape of vulnerable communities.
As a tangible example of how we work and building on the excellent remarks that Giacomo and Julie just mentioned, giving concrete examples, we would like to contribute with an ongoing project specifically focusing on ransomware, which is building on a long‑standing gain at the Institute.
We started the Institute in 2020. Obviously, immediately, the mind is going to the campaign. At that time, what we did was to create the first platform that was monitoring cyber incidents against the health care sector.
With the specific angle, not only by tracking and tracing the different cyberattacks but also highlighting what it means in terms of concrete impact, harm to people and society.
So highlighting what it means, in terms of people that don't get the vaccines and so on and so forth.
At the Russian‑Ukraine war we started looking at the infrastructure and harms to society, analysing disruption to psychological harm.
At the Munich conference, we launched the third part of our tracers, which is the CyberPeace tracker.
It analyses other organisations that are active in both development and humanitarian context.
What we found occurring, basically, across the different tracers that we set up is, indeed, the prevalence of ransomware attacks and considering the persistence of attacks and at the end of March, we decided to have sort of like a threat‑focused type of analysis and type of work, which is the project that we are currently doing.
Phase one is a global mapping of ransomware threat actors, their affiliations and targets, providing evidence‑based support to stronger multilateral actions.
Phase two will evaluate the state compliance with the UN cyber norms and the misuse that paves the way for more mechanisms.
If you allow me five minutes, we would like to share with you the very first initial findings.
To do this, I'm joined by my colleague, Nedelcho, online, who will present the preliminary findings from our work.
‑‑ the floor is yours.
>> Thank you. It's a pleasure being here. I will share my screen now.
>> NEDELCHO: Make sure you can see it.
>> GIACOMO PAOLI PERSI: Not yet, but I'm sure it will come soon.
>> NEDELCHO: ‑‑
(Overlapping speakers)
>> NEDELCHO: I'm sorry. I don't know.
>> FRANCESCA BOSCA: Oh, wow. Otherwise, maybe you can start. Yes, exactly.
>> NEDELCHO: We started transition towards the more interactive part of the discussion, but I'm also looking at our colleagues in the back that are taking care of the tech. Whenever you are ready to show the screen, just flag, and we will go back to Nedelcho.
>> GIACOMO PAOLI PERSI: Chelsea, I would like to come to you and thank you and Microsoft for convening this event and for the leadership that Microsoft has been showcasing and really promoting stakeholder discussions on this interesting topic.
I see that perhaps ‑‑
>> FRANCESCA BOSCA: Nedelcho, are you ready to go?
>> GIACOMO PAOLI PERSI: Since we see online the repetition of the screen, while the technology is still being sorted, I come to you, Chelsea, with the first question. Then we can go back to Nedelcho.
How has the global ransomware threat evolved in recent years? And what trends are most concerning today?
This may be, actually, a very good introduction to then what Nedelcho is going to show.
>> CHELSEA SMETHURST: Thank you for inviting me. Microsoft produces an annual defence record, usually in October of every year. What we see in terms of year over year changes, in terms of ransomware. 275% change, a whopping change in the last 12 months in terms of the increase in use of ransomware.
There's been two accompanying trends that go with it. While we have seen the 275% use of, we've also gotten better, as a collective industry, defending against ransomware.
We've seen, in terms of quantitative numbers, an increase in software that's gotten to ‑‑ it's significant because once you get there, you're at the husk of cybercriminals using the ransomware.
Another interesting point is while we've seen positive numbers to account for the large increase in use of the ransomware, what we have not seen is 90% really attack unmanaged devices. These are entities like hospitals or NGOs, which will continue to be targeted because they have access to fewer resources.
So really thinking about what is the collective capacity to address ransomware, we're really only as strong as our weakest link.
I think this is very true in the ransomware domain.
I think this is the context.
I would be happy to switch it over to the CyberPeace now.
>> GIACOMO PAOLI PERSI: Thank you. Let's try to go back to Nedelcho to see if we can see your slides when you share your screen.
>> NEDELCHO: I think it should work now.
>> GIACOMO PAOLI PERSI: Yes. I confirm we can see it. Thank you.
>> NEDELCHO: Just an introduction, my name is Nedelcho. I'm a threat analyst. I've been working with the tracer platforms.
As Francesca mentioned, the programme consists of multiple phases.
I will go into the aim and study. The goal is to provide a dataset on ransomware activity, including the threat actors, et cetera.
The second objective is to create a database of incidents, including target location, target sector, and threat actor name.
Now I just want to very briefly touch upon our research methodology, as it is an essential part of all the analysis team.
So we start with the analytical question and key terminology. We collect the schemas for both the research and threat actors.
We document the limitation of our work, which mainly revolve around the usual constraints of research and the current limits of AI and LLM as we incorporate documentation every step.
So the research was mainly guided by four questions. Which threat actors have been responsible for development, deployment, or facilitation of ransomware operations?
Where do they operate from?
Which open-source indicators contribute to the geographic attribution of ransomware?
And which have been most frequently targeted by ransomware attacks?
Now, for data sources, we use data shared by partners in structured and unstructured form.
Regarding the previous research from the tracers, that could have impacted the results of the data collection.
So initial data analysis and findings, we have analysed information, around 300 threat actors. 52% remain unattributed to specific geographic locations. 54% to Russia. 8% to Iran, and 7% to China.
We have collected 2,717 incidents, conducted by 184 threat actors against organisations in 22 sectors across 90 countries. More than half of attacks were attacks against organisations in the United States. More than a third were attacks against the health care sector, followed by nonprofits and the ICT, with the top being LockBit, BlackRock, et cetera.
Threat actors have been marked related to countries they are connected to.
Members were arrested in multiple jurisdictions or several indicators connect them to more than one country.
Finally, the last two slides present a simplified dashboard view of our initial results.
First one are the results of our analysis into the targets of ransomware attacks.
And the second are the results into the analysis of the perpetrators of ransomware actors.
You can see the distribution of threat actors among the global incident database.
Thank you.
>> GIACOMO PAOLI PERSI: Thank you, Nedelcho. This is representativity of the research community. I'm always in favour of bringing more evidence and data‑driven decision‑making to the table.
To you and to the CyberPeace Institute. I'm looking forward to seeing how it evolves.
Before we go back to the panellists and continue with our questions, I wanted to remind colleagues online that you can start asking your questions, if you want, using the chat.
We have Michael Karimian from Microsoft. He is our great online moderator, and he'll make sure that those questions reach me here in the room.
Ambassador, I would like to come back to you and also to you, Julie, because you both alluded to or mentioned the fact that ransomware is not just a cybercriminal behaviour, but it can reach the threshold of being a national security threat or at least a national security concern, for a variety of reasons.
Can you elaborate on your perspective on this?
>> BRENDAN DOWLING: We thought about things our ICT team needed to be aware of.
As we look at the ripples of society, we need to be conscious that these are not confined. They are not purely cyber incidents. These are incidents governments need to take much more seriously.
The important part of that incident is when an organisation is attacked, it shouldn't be seen as something that just affects that business. Oftentimes there's things born by the broader government and the community, not just effects by the business.
If businesses start talking and sharing information about their attacks, that actually impedes the ability of their competitors or other people in the industry to protect themselves.
So we need to start seeing ransomware as a much broader, national threat to say, one, not only is it okay to talk about these type of attacks if they hit you, but we need you to do that to better protect our citizenry and better protect our nation.
We're doing a lot in Australia to drive that behaviour, increasing our expectations on industry to report attacks, making it clear that if you seek assistance from the cybersecurity centre, it's not something to be ashamed of. Actually, it's a trusted government entity that can help you out.
When we see these attacks affecting society so broadly, it needs to be a whole of society response, not just something that's seen as a manageable, keep‑it‑within‑yourself attitude.
Because we're realising the scale of the attacks, it's a national security attack that requires national and global responses.
>> GIACOMO PAOLI PERSI: Thank you.
Julie, I would like to talk about how in some degree, Costa Rica, it was a wake‑up call for many governments. You alluded to the fact that even in El Salvador, you started to take initiatives with respect to ransomware. Will you elaborate a little bit as to how you see ransomware as a threat?
>> JULIE RODRIGUEZ ACOSTA: Yes. First, we see an increased number of ransomware attacks targeting critical infrastructure. So this is very concerning. These attacks, as it was mentioned, go beyond financial motivations and represent a clear violation of what we have as the guideline of responsible state behaviour.
(Audio very low)
(Audio is cutting in and out)
>> JULIE RODRIGUEZ ACOSTA: There's a growing evidence of ‑‑ so we see where ransomware has been used, not primarily for financial gain but to ‑‑
(Audio is poor)
>> JULIE RODRIGUEZ ACOSTA: Costa Rica was the first time that a national government was directly targeted in such a way. So these attacks disrupted essential public services and compromised ‑‑ of citizens' personal data.
So the first impact undermines the public trust and the ability to secure a digital system.
This is especially worrisome as all governments are trying to increase how to utilise public services.
So, third, I mentioned this in my initial remarks, we also see linkages between ransomware and security concerns, particularly by the cryptocurrency ‑‑ this is a direct threat to international peace and security.
Also, it's made more difficult to hold perpetrators accountable.
So these are examples of how ransomware intersects with national security and also with broader international security architecture. This evolving threat landscape demands cooperation between multilateral institutions and other stakeholders, as was mentioned by the previous speaker.
>> GIACOMO PAOLI PERSI: Thank you, Julie.
I would like to go back to Chelsea and Francesca because both Microsoft and CPI, through different ways ‑‑ you collect a lot of data and have visibility in a way that perhaps other organisations don't.
I would like to go back to where we started, which was with the recognition of how ransomware is increasing.
The number of ransomware attacks has grown significantly over the last several months.
So based on the data that you've collected, as a business, what can you share around the reasons why we've seen the numbers grow so much?
First Chelsea and then Francesca.
>> CHELSEA SMETHURST: Thank you. So at Microsoft, we track over 600 million cyberattacks daily. If you break that down to a minute‑by‑minute basis, you're looking at 415,000 attacks a minute. And that's just us as a company and what we have purview and visibility into.
So we're up against a pretty large mountain, in terms of cyberattacks.
One is what we call ransomware‑as‑a‑service. This is essentially a product. It lowers the barrier of entry for cybercriminals who want to use these techniques, because it's easier, frankly.
Secondly, the other thing I will mention is the rise of cryptocurrency. This is problematic for two reasons. It's easy to get paid for these ransomware attacks, and it's really hard to track. If you cannot assign accountability and transparency, it's really hard to deter these attacks. Right? If you can sort of hide behind your actions, it's difficult to track.
Finally, third and the most important factor in this issue is what we call safe havens. So these are geographic entities where, you know, you can actually base out ransomware attacks against international victims, but they're really not held accountable at the legal and international level. It's really difficult, from an industry perspective, to target and minimise these safe‑haven opportunities for ransomware.
So this is an area where I would like to see more collective and international cooperation across both the private sector and also governments. And that's something that I think we'll see more of in the future.
>> GIACOMO PAOLI PERSI: Thank you.
Francesca?
>> FRANCESCA BOSCA: Yeah. Maybe some of the points were already made and maybe just on the first one, meaning the ease of access to tools and the rise of ransomware as a service that all the previous speakers mentioned. Indeed, I would say potentially also amplified and enhanced by artificial intelligence and emerging technologies. So this is definitely something that will impact the cryptocurrency ecosystem and the sort of widespread availability and relative anonymity of currency facilitating the payments.
In the way the expanding global digital footprint provides vulnerability for threat actors to exploit, this means they are trying to, in a way, optimise the work and use the same infrastructure, basically, for launching different types of criminal activities.
And this is why the second phase of the programme will focus specifically on exploitable and exploited infrastructure, which is something that is also ‑‑ not so well, I would say, or not so much investigated. An output of this mapping will be able to demonstrate that the same infrastructure is used, for example, for other crimes beyond ransomware.
Allow me to mention two other factors we see when it comes to the why, the increase. There's a thriving initial access broker market. You have brokers that specialise in obtaining and selling access to networks. So often high‑value organisations which ransomware groups exploit to deploy their malware.
So it's like cyberorganised crime activity but with very specialised professionals at the beginning providing ransomware operators with the data they need to carry out the attack.
Let's not forget a very important part.
We've seen ransomware groups shifting from, let's say, opportunistic attacks against as many individuals as possible to more strategically targeting critical infrastructure, like, for example, health care, education, even civil society with limited resilience and high sensitivity to disruption. That's interesting because I was checking the criminal profits hit record high because according to trend analysis, victims paid more than 1 billion of U.S. dollars in 2023 facilitated through cryptocurrency, which means still criminals are getting quite some profit out of it.
>> GIACOMO PAOLI PERSI: Thank you. If we have time at the end, I would like to go back to this kind of driver discussion. In basic criminal studies, you know that criminals need motives, need means, and need opportunities in order to perpetrate their crime.
Whether it is technology or cryptocurrency or regimes that allow them to do what they do, I don't think there's enough focus on opportunities, which is what are the weaknesses.
One is probably a hybrid between both a means and opportunity. But if we have time, I would like to discuss more.
Going back to a point that Chelsea mentioned around safe havens, I would like to come back to you, Brendan, about what mechanisms currently exist to hold states accountable when ransomware groups operate within their borders. What can states do?
>> BRENDAN DOWLING: It's a tough one. There's 11 norms of responsible state behaviour states that states should take action to prevent actors from operating in their territory, but we still see this happening quite commonly.
We then look to what international measures do we have that can help us address that issue?
One is bilateral. We engage with several attacks that have been launched from Russian territory against Australia or partners in the region.
We engage with the Russian government, and we make clear that we expect action to be taken against these actors.
Usually, there is no response.
So a big part of that problem is we have a government that's not taken seriously and is likely profiting from some of the activities taking place in its jurisdiction.
We've been trying to use sanctions to try to target the people behind the attacks. These are a limited measure. They do have an impact, a deterrent, but the problem is a challenge. Then sanctions, if a person does not have financial assets in a country, they're always going to have a limited effect.
When we do find cybercriminals in jurisdictions that cooperate, ensuring the information is made available to support successful law enforcement and prosecution, and that's where the Bucharest convention, the cybercrime convention, it's where states take measures to ‑‑ throwing sand in the gears to make things harder for these actors has to be a response. Time‑consuming attribution can be a difficulty. We have had success against LockBit where there's been significant impacts to disrupt their operations for some time.
Countries have been brought together to talk about building up cooperation to combat ransomware. That's still a work in progress. But I think a broader number of countries are coming together to take this seriously. We're going in the right direction. When you hear the figures Chelsea shared, there's a long way to go to put a dent in this crime.
>> GIACOMO PAOLI PERSI: Thank you. I would like to come back to you, Julie, to look at the multilateral side of this equation.
Before I do, I wanted to share with Chelsea and Francesca a question that came online, so you have time to think about it.
So Julie can give us her multilateral perspective.
(Please stand by)
>> GIACOMO PAOLI PERSI: So you think of anything regarding blockchain in this context that would affect this action.
What role do you think the UN should play in establishing norms but also in establishing frameworks for state accountability in cyberspace?
>> JULIE RODRIGUEZ ACOSTA: Thank you. As highlighted, at the UN, we have the framework for responsible state behaviour that basically outlines expectations on how states should act in cyberspace. It includes voluntary, not by the norms, variation of applicability of law.
(Audio is cutting in and out)
>> JULIE RODRIGUEZ ACOSTA: It's effectively off limits. However, while ‑‑ the reality on the ground tells us a different story, as you would see from this research. Data and reporting continue to show a rise in hostility in pervasive cyber activity, including ransomware attacks that target ‑‑ so the UN should continue to play a central role in the implementation of these norms and ‑‑ technical actions at the technical level to enhance compliance. This includes the advancement in social information sharing, joint investigations but also reinforcing norms that clearly outline behaviors, especially those regarding trust and security in cyberspace.
More broadly, international community must work together to disrupt the ransomware business model and build resilience seek national policies and laws are not enough to address what is inherently a transnational threat, and no country can tackle this challenge in isolation. That's why we promote to do these through ‑‑
(Audio is poor)
>> JULIE RODRIGUEZ ACOSTA: Yes, kind of rounding out, more corporations do need it, but it may be the corporation that's practical and focuses on disrupt, deter, and prepare and has more effective response mechanisms to leverage.
>> GIACOMO PAOLI PERSI: Thank you, Julie, for your perspective.
Also to give Chelsea and Francesca more time to think about it.
We're getting to the point where the current working group is wrapping up its five‑year mandate, and we're about to enter a new mechanism with some details already being agreed on and others up for negotiation. But it looks like this new mechanism will have the opportunity to really go and focus more on the implementation of all the existing commitments that are already in place.
If we accept that beyond all commitments, there has to be the political will to implement them. If we take that as a given ‑‑ because if there isn't, then there's no practical measure that can work without the political will and commitment to prevent it.
If we take the commitment as a given, then I think there are a number of issues where the UN and the NETmundial approaches can help.
Some states may not even be aware that their territory is being used as a staging ground for ransomware campaigns.
Some may be aware but don't have the means to do anything with it, technology means and legal means. Maybe they don't have a national legislation that allows them to intervene.
All these things, despite that we're talking about ransomware and cybersecurity, which make them feel like new, they are not new in the UN system. There are many conventions that have been negotiated before that then have followed with practical instruments and measures been developed minority to help states deploy them and abide by commitments.
So a model for countries that need to adopt measures at the national level that would enable them to intervene and disrupt a ransomware campaign emanating from their territory.
These things, you know, you need to have legal coverage to do certain things, if you want to share evidence with your neighbour or cooperate, these require very well‑developed regulatory frameworks or cooperation mechanisms that would require a little bit of assistance in developing.
With that, I turn it back to Francesca and Chelsea and ask if you had the chance to think about the topic of blockchain and whether or not you are aware of any, work or any research that has been conducted to explore which would be helpful in this context.
>> CHELSEA SMETHURST: So I'm not aware of the latest around Bitcoin and blockchain research, but one brief point I will make is cryptocurrencies are based on blockchain technology. If cryptocurrencies and transactions are processed through changes like know your customer, this enables law enforcement to use tools. We can look through and see if we can't pinpoint where the origin of the payment came from.
I'm sure there's a lot more to assess on that topic, but it's an interesting part of the technology platform that can be used for both positive means, right, but also criminal means too. So good question. Looking forward to Francesca's points on this.
>> FRANCESCA BOSCA: That's interesting because it's a topic close to my heart. It was like two jobs ago. I left. I was doing research on blockchain. So provided it's a little bit of outdated information, and I would need to decide to look into that again.
There are a couple of things. One, from a technical standpoint, I would say I do see and remember doing research on how, for example, research can be done ‑‑ let's not call it the black sheep of the cybersecurity, but ‑‑ I'm thinking about threat sharing that can be benefit when thinking about cybersecurity.
I'm thinking about identity and access management, for example, where, obviously, the decentralisation of the digital identities can help. For example, when it comes to the centralised security, thanks to the architecture and the consensus mechanisms and, obviously, the fact that you have the key strength of the blockchain resides in the multiple data ledger.
I mean, obviously, you can improve the audit trails and the data integrity.
Again, outdated information, but I would suggest there were a couple of things that came to mind. The UNISA (phonetic) agent did work and on 2019, there's work done on the World Economic Forum. These are the ones that came to my mind. My knowledge is a little bit dated.
It's a very good question. I think it also helps us in thinking about a potential future direction. What I would really be interested in seeing is how to, for example, use blockchain for ransomware resistance.
One aspect is also how you can integrate blockchain with an AI for automated threat detection as well.
>> GIACOMO PAOLI PERSI: Thank you.
And we may go back to the more general topic of which technology exists out there that could help, but I'm also conscious of the time. Before we continue, we were probably a little bit too ambitious with the number of questions we had prepared.
I'm cautious of the time we have, 12 minutes before we have to wrap up this interesting session. I also wanted to make sure that I give the opportunity to colleagues in the room, if there's anyone who would like to ask a question.
If you could reach for the microphone or you know right and introduce yourself.
>> Thank you so much for an excellent panel. My name is Vilda (phonetic). I think ransomware is such an interesting type of crime. As a criminologist, it's my favourite crime, from an academic perspective.
I have a question for Julie and Brendan. I wrote my master's thesis on ransomware. Many of the many, many interesting aspects of ransomware is that it's, as far as I can tell, the only type of crime where the private sector is dominating both on crime prevention but also handling the incident and dealing with the aftermath.
I was just wondering, coming from a government perspective, in your respective countries, how are you dealing with that cooperation with the government and the private sector?
Thank you.
>> BRENDAN DOWLING: It's a really interesting question. You're right in cyber. So much on the frontlines is in the hands of ‑‑ and in no other crime would we say it's the complete responsibility of the private sector. It is a challenging environment. Some of the things we've done in Australia, without using compulsion but to try to build a far more collective response to these crime types, when we had two major cyber incidents affecting millions of Australians, going back to 2022, the government came out and very publicly engaged with those companies, sent teams of police officers and cybersecurity experts from the government to sit in the headquarters of those companies and to provide assistance to launch the investigations in a very collaborative way.
Now, those were very large‑scale incidents. So that's the type of response you can use, but we have tried to create an environment where we normalise engaging with the government as soon as there's an incident that sharing information with the government to aid in the response is not just a nice thing to do, but it's actually the respectful thing to do.
We have introduced legislation that says if you're the person who has engaged with cybersecurity, there's a safe space to seek that assistance. Now we're introducing a reporting scheme.
It's not something to be seen and managed but something to be seen and managed, and the engagement with the government, with the cybersecurity experts, it's a normal way of responding to these incidents.
It will take time. I think it improves when it's modelled well by companies. When it becomes the norm, there's a collective response rather than just something that's dealt with in isolation.
>> GIACOMO PAOLI PERSI: Thank you. Julie, would you like to come in on this question?
>> JULIE RODRIGUEZ ACOSTA: Thank you so much for the question. I think this is very pertinent. I will apply from the Global South. This is very pertinent because there's often this idea that ransomware only targets large enterprises or companies that can afford to pay a ransom. In reality, a small organisation around the globe are affected, and the consequences for these organisations are often ‑‑ on a national level, we have these multistakeholder corporation. Ransomware, we wanted to make sure we have not replaced all these items that protect our privacy. It's linked with private industry, law enforcement agencies, and, of course, we leverage a lot. Cooperation that we can build through entities like the United Nations. There would also be a lot of work. For example, OAS.
So we look at everything that's been done on an international level.
As we have highlighted throughout the finalists is global. So it's in the best interest to have tried to leverage that level of cooperation so we can all combat and encounter ‑‑
>> GIACOMO PAOLI PERSI: Actually, I would like to take this question and link it to the rest of the panel because we did have, in our list, a question around successful models for public/private that could be scaled.
Going back to you, Chelsea and Francesca. You have probably seen many different configurations on how the public and private sectors work together. What are some of the most successful stories you've seen or some of the models that could be used as an inspiration?
>> CHELSEA SMETHURST: So I will go ahead and start. I really liked your question from the audience.
Earlier this month, Microsoft announced a programme to integrate investigators into the crime centre The Hague. I think these partnerships are an interesting thing to try out because you're marrying the private expertise and what we see in ransomware with the legal and powers of states and governments. That's an important tool. I would like to see it implemented across environments.
There's more to be seen if this model will scale and be successful. But I think willingness to try to partner is a really great attempt. So...
>> FRANCESCA BOSCA: And maybe the other one that comes to mind is the ransomware task force. It's a multistakeholder effort from different organisations and civil society. It was very well received and very well sustained.
So I think these are the ones that come to mind. With my civil society hat, I would say not only private government but organisations can bring added value. There's one aspect, which is something that I try to highlight in the panel documenting the impact that ultimately runs somewhere and is having, as we said, also, sand remarked by the previous panellists as a societal threat and not just a technical one or not just a business‑related one.
But it can also be a sort of like ‑‑ in a way, a supporting source of, like, thinking outside the box. Civil Society has a unique capacity to test proposals.
Ethical frameworks reinforces the need to do due diligence in the infrastructure. So coupling with law enforcement and the collaboration with the private sector, I think that, also, civil society can definitely play a role.
>> GIACOMO PAOLI PERSI: Thank you. I'm cautious of the time. We have two minutes.
I would like to do one final round to all the speakers, giving you the chance.
What is the one key takeaway that you would like the audience here in the room and online to bring back to the session?
>> BRENDAN DOWLING: I think working together to build resiliences. We received help tracking down the perpetrator behind the bank attack. This affects everybody at different levels. There's no one lever. We need to pull all levers at once. Talking about this as a national policy issue in all your countries is crucial.
>> GIACOMO PAOLI PERSI: Thank you.
Coming to you, Julie, your key takeaway.
>> JULIE RODRIGUEZ ACOSTA: Thank you to all the panellists. This has really been interesting. The UN is waiting to extend a future permanent mechanism. So I think these are opportunities for states regardless of their size, capacity, they can share, and we can decide ‑‑
(Audio is cutting in and out)
>> JULIE RODRIGUEZ ACOSTA: ‑‑ to find ransomware together.
Thank you.
>> GIACOMO PAOLI PERSI: Thank you. Francesca.
>> FRANCESCA BOSCA: I'm super happy to hear very concrete, let's say, examples.
My aspiration for the panel is to go out and say collaboration needs to be meaningful so it's not just a password that we have there.
Then allow me to say one thing I forgot to mention before, which I think is important. We did not have time to dig into it, but definitely capacity building. Don't forget we're on the same page. We got different examples from different areas of the world. We need to build the inclusive capacity‑building workstream across the different sectors and geographies.
>> CHELSEA SMETHURST: I would like to see how skill‑building changes the problem. I think it could be an exciting thing to see how our countermeasures around ransomware will evolve.
>> GIACOMO PAOLI PERSI: Thank you. With that, all that's left to do is thank our audience. Thank you to the audience that's here and in‑person.
Again, thanks to Microsoft for bringing us together to discuss this interesting topic.
Thank you very much. Thanks.
(Applause)