From 30 September - 3 October 2024, the 68 member nations of the International Counter Ransomware Initiative (CRI) will convene in Washington DC for the group’s annual gathering. The CRI’s aim is to foster cooperation between nations to combat one of the most insidious collective action problems of the digital age – ransomware. With this, the fourth iteration of the summit and the final under the Biden Administration, the group will look to shift from norming to performing, expanding the number of nations, enabling them through capabilities and best practice policies and bringing industry into the fold in the process.

Since its inception in 2021, the CRI has more than doubled its membership and has grown to become the world’s largest international cyber partnership between governments. The groups rapid growth correlates with the expansion of the ransomware threat from a cottage industry to sustained national security threat for governments around the world. The CRI’s stated objective is to build international resilience to ransomware, create avenues for disruption of the operations of ransomware criminals and develop best practice policy approaches for countries to implement domestically.

The Tuckman model, describing the stages of group development: Forming, Storming, Norming, Performing, is a useful way to frame the CRI’s development. While the model primarily focuses on team dynamics, its principles can be applied to international relations to understand how countries form alliances and coalitions, navigate competing priorities, establish norms, and work together effectively.

The forming stage of the CRI can be traced back to 2021 in the aftermath of the ransomware attack on the Colonial Pipeline when the White House National Security Council (NSC) staff were grappling with Administration’s domestic policy responses and how best to catalyze international cooperation. Other nations, now also beset with ransomware attacks looked to the United States to provide international leadership. The convening power of the White House was pivotal in the creation of the CRI, particularly in the first year of its operation when the inaugural summit was held entirely online due to the COVID-19 pandemic.

As the CRI has evolved, it has rejigged its internal governance structures to meet the institutional and capacity realities of the nations involved and accommodate for an expanding roster of nations. For the first summit, four lines of effort were established with each of the countries identified below leading panel discussions at the gathering with the aim of creating a common understanding of the issues and lay out some foundational strategic tenets for the group.

It is one thing to convene representatives from across the globe to discuss an issue as vexed as ransomware, it’s another to get tangible agreements that increase the resilience of individual nations and impose costs on criminal actors conducting operations. Parsing the official communique published by the White House following the 2021 summit, you are hard pressed to find many substantial actions – but that wasn’t the initial focus.

The impressive feat of the CRI in its inaugural year was that it galvanized international political will to counter ransomware -- 30 nations took part. As a result, for the first time, international delegations brought together experts from different disciplines that often operate in isolation, like law enforcement, policy, diplomacy, financial regulators. All of these channels are needed to disrupt ransomware and the CRI provided a mechanism to connect and integrate to counter it more effectively. Deputy National Security Advisor Anne Neuberger, the United States’ lead official for the CRI, in her briefing to the press after the initial gathering, said the key takeaway from the summit was that “it takes a network to fight a network.”

If the 2021 summit was largely about forming of the group, 2022 was about “storming:” working out the best governance arrangements to allow the CRI to deliver outcomes now that political will was galvanized. This process was again spearheaded by the United States. The CRI governance structure leading into the 2022 summit evolved with Spain leading an effort on public private partnerships and co-leads being added to other work streams:

There were more tangible outcomes from the 2022 summit -- the first in-person summit -- than in 2021 but the big deliverable was again largely related to governance and establishing an enabling function – the establishment of the International Counter Ransomware Taskforce (ICRTF). Led by Australia, the ICRTF’s was set up to operationalize the CRI by developing cross-sectoral tools, facilitating cyber threat intelligence exchanges and sharing of best practice guidance. The ICRTF was also established to function as the way through which the CRI can connect with industry for defensive and disruptive threat sharing and actions.

As a result of the 2022 CRI summit and confirmed by a statement follow a subsequent meeting of several CRI members in April 2023 in the margins of the CYBERIK conference in Belfast, the governance arrangements were further refined. The U.S. would coordinate the CRI across three pillars:‍

This settled structure meant the 2023 summit was about delivering outcomes and showing the group could perform. The communique for the summit contained three key streams of deliverables with a number of actions under each:

• Developing capabilities to disrupt attackers and the infrastructure they use to conduct their attacks.
• Improving cybersecurity through sharing information.
• Fighting back against ransomware actors.

The big deliverable out of the last stream, and the one most widely covered by the media, came from the Policy pillar – a collective statement by the CRI members that governments should not pay ransom. Forty countries and INTERPOL agreed to, “strongly discourage anyone from paying a ransomware demand.” Although the pledge did not extend to the private sector and wasn’t followed by any similar pledge from industry, it was sign that the group was now performing effectively on the diplomatic front, highlighting their ability to unite multiple nations and international organizations towards a common cybersecurity goal. The feat was all the more remarkable considering that most governments hadn’t yet settled on this as domestic policy stance in their own jurisdictions. Less widely reported but just as meaningful were the following actions:

• Launching Capabilities - leading a mentorship and tactical training program for new CRI members to build their cyber capacity. The initiative also launched a project to leverage artificial intelligence to counter ransomware.
• Information Sharing - The CRI launched innovative information sharing platforms enabling CRI member countries to rapidly share threat indicators, including Lithuania’s Malware Information Sharing Platform (MISP) and Israel and the UAE’s Crystal Ball platform. Additionally, it was agreed Australia would build a CRI website (this is now operational- https://www.counter-ransomware.org/)
• Fighting Back Against Bad Actors - Along with the first-ever joint CRI policy statement declaring that member governments should not pay ransoms, the initiative also agreed to create a shared deny list of wallets through the U.S. Department of the Treasury’s pledge to share data on illicit wallets used by ransomware actors with all CRI members. Members also committed to assist any CRI member with incident response if their government or lifeline sectors are hit with a ransomware attack.

As the CRI moves into its fourth, the role of industry will be increasingly critical to its long-term success. The private sector, often the primary target of ransomware attacks, possesses unique insights and capabilities that can significantly bolster the CRI’s efforts. Private companies have access to vast amounts of data and threat intelligence that can be invaluable in identifying and mitigating ransomware threats.

The CRI has already partnered with companies on a number of discrete initiatives such as the information-sharing platforms and the CRI for a time recognized the importance of public-private partnerships in its governance structure, but there isn’t yet a formal mechanism for sustained industry engagement with the group. The good news is that the CRI members will likely move to establish this mechanism at the upcoming summit, a welcome evolution for the group.

The public-private partnership can extend beyond just information exchange with the CRI well placed to work with industry to shape the development of new tools and technologies to combat ransomware. Innovations in artificial intelligence, machine learning, and blockchain can provide new ways to detect, prevent, and respond to ransomware attacks. By collaborating with the CRI, industry can ensure that these innovations are effectively integrated into global cybersecurity strategies.

Industry stakeholders can also play a crucial role in shaping policies and regulations related to ransomware. By participating in policy discussions and advocating for effective cybersecurity measures, industry leaders can help ensure that the regulatory environment supports robust defenses against ransomware. This includes advocating for policies that discourage ransom payments, promote a viable insurance market, and promote transparency in incident reporting.

The integration of industry into the CRI’s efforts will mark a significant step forward in the global fight against ransomware. For a rapidly expanding international grouping, the CRI has shown remarkable agility and flexibility since its creation to adapt its governance structure, on-board new members, create policy consensus and work with the private sector on distinct projects. By leveraging the full strengths and capabilities of the private sector, the CRI can enhance its ability to disrupt ransomware operations, improve cybersecurity, and build resilience amongst participating nations. Supercharging the CRI with more sustained industry involvement will add another draw for new members and further winnow the field of countries, leaving only those that knowingly harbor cyber criminals.

‍