Ransomware was a major point of discussion for both US President Joe Biden and Russian President Vladimir Putin during their first in-person summit on Wednesday. After the three-hour meeting in Geneva, Switzerland, both leaders held separate press conferences where they hinted at key points of discussions and potential compromise.
Putin denied that Russia was harboring ransomware groups and refused to answer questions about other cyberattacks. Biden was also vague about what was agreed upon between the two leaders but confirmed that he pressed Putin specifically on the issue of ransomware.
"I talked about the proposition that certain critical infrastructure should be off-limits to attack. Period. By cyber or any other means. I gave them a list, 16 specific entities. 16 defined as critical infrastructure," Biden said.
Tom Kellermann, a US Secret Service's Cyber Investigations Advisory Board member, said the 16 entities Biden was referring to were what CISA has defined as "critical infrastructure sectors."
Kellermann added that the 16 sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, water and waste systems.
All of these sectors have faced dozens of ransomware attacks over the last three years, and Biden said he pushed Putin to understand what the US was going through. He referenced the ransomware attack on Colonial Pipeline, which left parts of the East Coast scrambling for gas for days.
"I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter.' I pointed out to him that we have significant cyber capability. And he knows it," Biden said to reporters.
He went on to say that there were "reputational" consequences to the cyberattacks being leveraged from Russia that Putin was aware of.
The meeting follows a stern warning that was sent out by the US and other G7 countries on Monday that specifically called out Russia for either launching their own cyberattacks or harboring ransomware organizations.
The G7 said Russia needed to "identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes."
NATO also sent out a statement after the summit in Brussels reaffirming the idea that "the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack."
Kellermann, who is also head of cybersecurity strategy at VMware, said the summit was "a seminal moment for civilizing cyberspace" and praised Biden for highlighting the need to protect critical industries.
"As a result of this delineation, I believe that significant ransomware attacks against major critical infrastructures will diminish now, but possibly increase against traditional corporations, such as in the retail and financial sectors."
Many cybersecurity experts said the summit would have little effect on ransomware groups allowed to operate with impunity in a number of countries.
But the idea that cybersecurity had reached a level of concern worthy of mention among two world leaders was a positive sign for some.
"It was an excellent use of the 'bully pulpit' to let the world know that cybersecurity matters to America -- and specifically the office of the president. We in the cybersecurity world already have an 'all-hands-on-deck' mentality -- but it's healthy to see that our concern is now shared in the prism of leadership outside of our sector," said YouAttest CEO Garret Grajek.
Elena Elkina, a partner at privacy and data protection consulting firm Aleada, noted that Putin does not like demands or is told what to do. She predicted he would respond to Biden's forceful talk about cyberattacks in a more understated way. "It will be something more tangible that makes obvious his opinion," she said.
Cybersecurity researcher Chloé Messdaghi said the summit was just one manifestation of a deeper 'cyber-Cold-War' that both countries needed to back down from. While the summit was a good start to addressing the problems between both countries, Messdaghi said formalized pacts around cybersecurity would be hard to come by.
"The reality is that we may never have absolute and effective treaty-level accords on cyberattacks because so much is done by proxy, but each global superpower must strive to prevent chaos within their borders," Messdaghi added.