Remarks at a UN Security Council Briefing on Ransomware Attacks against Hospitals and Other Healthcare Facilities and Services

United States Mission to the United Nations

Anne Neuberger
Deputy National Security Advisor of the United States
New York, New York
November 8, 2024

AS DELIVERED

Thank you, Mr. President. Good morning. My name is Anne Neuberger, and since 2021 I have had the privilege of coordinating the United States national security policy on cyber and emerging technologies. I am honored to represent President Biden today to speak about the threat of ransomware.

Thank you to the United Kingdom for devoting part of your Security Council presidency to this session and for your continued leadership on promoting responsible state behavior in cyberspace.

Thank you as well to WHO Director-General Tedros Ghebreyesus and President of Ascension Healthcare Eduardo Conrado for joining us. We appreciate the expertise and insights of your briefings.

Today, I want to talk to you about three topics. First, the nature of the threat posed by ransomware attacks, particularly to healthcare systems; second, what the United States is doing to address this threat, both globally and at home; and finally, the critical role every state can and must play in confronting this challenge.

The reality is that ransomware attacks on hospitals and healthcare systems are a serious threat to international peace and security. They jeopardize lives; they destabilize societies. The Security Council therefore has a role to play in countering this threat to peace and in spurring countries to action.

Just a few months ago, at the Security Council's High-Level debate on Evolving Threats in Cyberspace, convened by the Republic of Korea, UN Secretary-General António Guterres called on us to reflect on the immense benefits that digital technologies bring to our societies.

However, as the Secretary-General cautioned, this same connectivity that brings us together also exposes countries around the world to significant cyber threats. Ransomware is one of the most pervasive and damaging of these threats.

The US government is aware of over 1500 ransomware-related incidents in 2023 alone, generating over 11 billion in ransomware payments. This is a significant increase from 2022, when we saw a little more than half that much in ransomware payments. Indeed, the 2023 figure is a 10x increase since 2018 and a 100x increase since 2014.

And the United States isn't alone. In July 2023, the Port of Nagoya, Japan's business shipping port, was hit with a ransomware attack by the group LockBit, which forced the port to stop handling a large portion of incoming shipping containers. That same year, a ransomware attack against a pathology partnership in the UK led to significant risk to its national blood supply. And South Africa's National Health Laboratory Service suffered a ransomware attack affecting the dissemination of lab results, hampering national efforts to respond to an outbreak of Mpox.

According to the US intelligence community's June 2024 analysis, 51 percent of global ransomware attacks in the first half of this year were against US victims. The remaining 49 percent are spread all across the world. This is truly a global threat.

Healthcare and emergency services is one of the top four most targeted sectors for ransomware attacks, with at least 191 incidents worldwide in the first half of this year alone. In the United States, our Federal Bureau of Investigation reported 249 reports of ransomware incidents against the healthcare sector last year.

What does a ransomware attack mean for a hospital? As we just heard from the briefing, it means ambulances diverted and other delays in emergency care, cancellation of surgeries, delays to important medical treatments, and breaches of extremely sensitive healthcare records. When directed at blood banks, ransomware attacks can prevent access to lifesaving supplies.

Ransomware targeting these facilities can result in major disruptions that jeopardize patient care and access to medications, increase the length of patient stays, force the transfer of patients to other facilities, and cost lives.

I want to re-emphasize that last sentence. Health experts have estimated that ransomware attacks were responsible for the deaths of dozens of patients in the United States Medicare system between 2016 and 2021. More recent data confirms that mortality rates at hospitals increase when a hospital has been disrupted by cyberattacks.

So what are we doing about this dangerous crime spree? We start from the premise that there's strength in numbers. We're not alone in facing this threat, and we're not alone in wanting to uphold international norms that prohibit all aspects of this behavior.

It was this belief, that we could be more than the sum of our parts, that inspired us in 2021 to launch the 68-member International Counter Ransomware Initiative, which includes a number of states who are around this table with me here today. This initiative focuses on disrupting ransomware attacks, enhancing the security of critical infrastructure, and increasing the capacity and incident response capabilities of our partners together.

We're also using our own law enforcement capabilities to disrupt these crime waves. And to make ransomware attacks less appealing, we're working closely with cyber insurers and the private sector to reduce ransomware payments and improve incident reporting.

We've also pledged, along with 40 other states, not to allow our governments or any of their agencies to pay ransomware bounties.

Beyond reducing ransom payments, we are engaged with public and private sector entities to halt the illicit flow of extorted ransomware payments made in cryptocurrency that is laundered through virtual asset service providers.

And looking into the future, our international development agency, USAID, is working to establish a fund to build long-term cybersecurity capabilities against ransomware attacks and to help countries respond to and recover from ransomware attacks.

But none of us is doing enough. Ransomware attacks will continue, and perpetrators will thrive, as long as ransoms are being paid and criminals can evade capture, particularly by fleeing across borders.

Which brings me to my third and final topic: what can and should every country be doing to end this cycle of victimhood, plunder, and impunity? And why should the Security Council, with its unique mandate, support efforts to tackle this evolving threat to peace and security?

Ransomware attacks are attractive to cybercriminals because of the large individual ransom payments. For a group like BlackCat, which received more than 420 million in ransom payments since 2019, this is a thriving business.

In fact, last year BlackCat and LockBit accounted for more than 30 percent of claimed healthcare ransomware attacks worldwide. And in 2024, among other attacks, LockBit claimed credit for a cyberattack on Croatia's largest hospital and published confidential data on patients stolen from a French hospital system.

First, every state should act in accordance with the Framework for Responsible State Behavior in Cyberspace, endorsed by the UN General Assembly repeatedly and by consensus. By affirming this Framework, we have already made commitments to address malicious cyber activities emanating from our territories.

Under the Framework, states should not knowingly allow their territory to be used for internationally wrongful acts using information and communications technologies, and they should respond to appropriate requests to mitigate malicious ICT activity emanating from their territory aimed at the critical infrastructure of another state.

So when ransomware actors in one state target critical infrastructure like hospitals in another, it is incumbent on the first state to take action to investigate and mitigate that activity in line with the Framework's norms, especially when they have been asked to do so.

Yet some states, most notably Russia, continue to allow ransomware actors to operate from their territory with impunity, even after they have been asked to rein it in.
The developer and administrator of the cybercriminal gang LockBit is Russian national Dimitry Khoroshev, whom our Department of Justice has charged for committing hacking crimes.

We assess cybercriminals affiliated with the most impactful ransomware variants, like the one that committed the attack against Ascension healthcare, are tied to Russia based on members' citizenship, geographic location, claimed allegiance, or association with known Russian cyber actors.

Some money launderers for these top ransomware actors are Russia-based and utilize Russian banks or cryptocurrency exchanges to launder their ill-gotten gains.

In 2021, President Biden met with President Putin and asked that he rein in ransomware attacks on US targets. President Biden made clear in this meeting that when a ransomware operation is coming from Russian soil, even when it's not sponsored by the state, the US expects the Russian government to act.

Instead of adhering to its UN commitments, Russia continues to harbor these criminals. The United States implores states not to follow Russia's practice in protecting international cybercriminals and reiterates our request for states to follow the Framework for Responsible State Behavior in Cyberspace as a matter of upholding international peace and security.

We issue today a call to action: countries that experience a ransomware attack against a hospital should inform the country of origin of the attack and request that they take action in line with their UN commitments regarding responsible state behavior in cyberspace.

In conclusion, we can collectively eradicate this scourge if we act together, abide by our shared principles, refuse to pay criminal gangs, and help each other apprehend the cybercriminals who think they can outmaneuver our system.

I thank you for your attention and look forward to continued and expanded cooperation in the days and months ahead.

By United States Mission to the United Nations, 8 November 2024