Anne Neuberger
Deputy National Security Advisor of the United States
New York, New York
November 8, 2024
AS DELIVERED
Thank you, Mr. President. Good morning. My name is Anne Neuberger and since 2021, I have had the privilege of coordinating the United States’ national security policy on cyber and emerging technologies. I am honored to represent President Biden today to speak about the threat of ransomware.
Thank you to the United Kingdom for devoting part of your Security Council presidency to this session, and for your continued leadership on promoting responsible state behavior in cyberspace.
Thank you as well to WHO Director-General Tedros Ghebreyesus and President of Ascension Healthcare Eduardo Conrado for joining us. We appreciate the expertise and insights of your briefings.
Today I want to talk to you about three topics. First, the nature of the threat posed by ransomware attacks, particularly to healthcare systems; second, what the United States is doing to address this threat both globally and at home; and finally, the critical role every state can and must play in confronting this challenge.
The reality is that ransomware attacks on hospitals and healthcare systems are a serious threat to international peace and security. They jeopardize lives; they destabilize societies. The Security Council therefore has a role to play in countering this threat to peace, and in spurring countries to action.
Just a few months ago, at the Security Council’s High-Level debate on Evolving Threats in Cyberspace, convened by the Republic of Korea, UN Secretary-General António Guterres called on us to reflect on the immense benefits that digital technologies bring to our societies.
However, as the Secretary-General cautioned, this same connectivity that brings us together also exposes countries around the world to significant cyber threats. Ransomware is one of the most pervasive and damaging of these threats.
The U.S. government is aware of over 1,500 ransomware-related incidents in 2023 alone, generating over $1.1 billion in [ransomware] payments. This is a significant increase from 2022, when we saw a little more than half that much in ransomware payments. Indeed the 2023 figure is a 10x increase since 2018 and a 100x increase since 2014.
And the United States isn’t alone. In July 2023, the Port of Nagoya, Japan’s business shipping port, was hit with a ransomware attack by the group LockBit, which forced the port to stop handling a large portion of incoming shipping containers. That same year, a ransomware attack against a pathology partnership in the UK led to significant risk to its national blood supply. And South Africa’s National Health Laboratory Service suffered a ransomware attack affecting the dissemination of lab results, hampering national efforts to respond to an outbreak of Mpox.
According to the U.S. intelligence community’s June 2024 analysis, 51 percent of global ransomware attacks in the first half of this year were against U.S. victims. The remaining 49 percent are spread all across the world. This is truly a global threat.
Healthcare and emergency services is one of the top four most targeted sectors for ransomware attacks, with at least 191 incidents worldwide in the first half of this year alone. In the United States, our Federal Bureau of Investigation reported 249 reports of ransomware incidents against the healthcare sector last year.
What does a ransomware attack mean for a hospital? As we just heard from the briefing, it means ambulances diverted and other delays in emergency care, cancellation of surgeries, delays to important medical treatments, and breaches of extremely sensitive healthcare records. When directed at blood banks, ransomware attacks can prevent access to life-saving supplies.
Ransomware targeting these facilities can result in major disruptions that jeopardize patient care and access to medications, increase the length of patient stays, force the transfer of patients to other facilities, and cost lives.
I want to re-emphasize that last sentence. Health experts have estimated that ransomware attacks were responsible for the deaths of dozens of patients in the United States Medicare system between 2016 and 2021. More recent data confirms that mortality rates at hospitals increase when a hospital has been disrupted by cyberattacks.
So what are we doing about this dangerous crime spree? We start from the premise that there’s strength in numbers. We’re not alone in facing this threat, and we’re not alone in wanting to uphold international norms that prohibit all aspects of this behavior.
It was this belief that we could be more than the sum of our parts that inspired us in 2021 to launch the 68-member International Counter Ransomware Initiative, which includes a number of states who are around this table with me here today. This initiative focuses on disrupting ransomware attacks, enhancing the security of critical infrastructure, and increasing the capacity and incident response capabilities of our partners together.
We’re also using our own law enforcement capabilities to disrupt these crime waves. And to make ransomware attacks less appealing, we’re working closely with cyber insurers and the private sector to reduce ransomware payments and improve incident reporting.
We’ve also pledged – along with 40 other states – not to allow our governments or any of their agencies to pay ransomware bounties.
Beyond reducing ransom payments, we are engaged with public and private sector entities to halt the illicit flow of extorted ransomware payments, made in cryptocurrency, that are laundered through virtual asset service providers.
And looking into the future, our international development agency, USAID, is working to establish a fund to build long-term cybersecurity capabilities against ransomware attacks and to help countries respond to and recover from ransomware attacks.
But none of us is doing enough. Ransomware attacks will continue, and perpetrators will thrive, as long as ransoms are being paid and criminals can evade capture, particularly by fleeing across borders.
Which brings me to my third and final topic: what can and should every country be doing to end this cycle of victimhood, plunder, and impunity? And why should the Security Council, with its unique mandate, support efforts to tackle this evolving threat to peace and security?
Ransomware attacks are attractive to cybercriminals because of the large individual ransom payments. For a group like BlackCat, which received more than $420 million in ransom payments since 2019, this is a thriving business.
In fact, last year BlackCat and LockBit accounted for more than 30 percent of claimed healthcare ransomware attacks worldwide. And in 2024, among other attacks, LockBit claimed credit for a cyberattack on Croatia’s largest hospital and published confidential data on patients stolen from a French hospital system.
First, every state should act in accordance with the Framework for Responsible State Behavior in Cyberspace, endorsed by the UN General Assembly repeatedly, and by consensus. By affirming this Framework, we have already made commitments to address malicious cyber activities emanating from our territories.
Under the Framework, states should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technologies; and they should respond to appropriate requests to mitigate malicious ICT activity emanating from their territory aimed at the critical infrastructure of another state.
So, when ransomware [actors] in one state target critical infrastructure like hospitals in another, it is incumbent on the first state to take action to investigate and mitigate that activity in line with the Framework’s norms, especially when they have been asked to do so.
Yet some states – most notably Russia – continue to allow ransomware actors to operate from their territory with impunity, even after they have been asked to rein it in.
The developer and administrator of the cybercriminal gang LockBit is Russian national Dimitry Khoroshev, whom our Department of Justice has charged for committing hacking crimes. We assess cybercriminals affiliated with the most impactful ransomware variants, like the one that committed the attack against Ascension Healthcare, are tied to Russia, based on members’ citizenship, geographic location, claimed allegiance or association with known Russian cyber actors.
Some money launderers for these top ransomware actors are Russia-based and utilize Russian banks or cryptocurrency exchanges to launder their ill-gotten gains.
In 2021, President Biden met with President Putin and asked that he rein in ransomware attacks on U.S. targets. President Biden made clear in this meeting that when a ransomware operation is coming from Russian soil, even when it’s not sponsored by the state, the U.S. expects the Russian government to act.
Instead of adhering to its UN commitments, Russia continues to harbor these criminals. The United States implores states not to follow Russia’s practice in protecting international cybercriminals, and reiterates our request for states to follow the Framework for Responsible State Behavior in Cyberspace as a matter of upholding international peace and security.
We issue today a call to action: countries that experience a ransomware attack against a hospital should inform the country of origin of the attack and request that they take action in line with their UN commitments regarding responsible state behavior in cyberspace.
In conclusion, we can collectively eradicate this scourge if we act together, abide by our shared principles, refuse to pay criminal gangs, and help each other apprehend the cybercriminals who think they can outmaneuver our system.
I thank you for your attention and look forward to continued and expanded cooperation in the days and months ahead.