Public Private Partnerships to Combat Ransomware: An inquiry into three case studies and best practices
Elizabeth Vish, Georgeanela Flores Bustamante
SUMMARY
This research report examines three existing public-private partnerships to combat ransomware: Europol’s European Cybercrime Centre (EC3), the United States Joint Cyber Defense Collaborative (JCDC), and the Institute for Security and Technology’s Ransomware Task Force (RTF). In selecting these cases, our goal was to highlight three separate elements of the effort to combat ransomware: criminally focused prosecution and disruption, operational collaboration, and policy measures. Additionally, the models are at different stages of development, with EC3 operating for a decade and the RTF and the JCDC having launched in late 2020 and 2021, respectively.
This report uses these case studies to determine the characteristics of collaboration that make the partnership model successful in mitigating ransomware and to identify the various challenges each faces. Therefore, our main guiding research questions included:
- How do these specific public-private partnerships to combat ransomware operate?
- What principles underlie existing partnerships that can be applied to other contexts and applications?
Case-Specific Research Findings
EC3
Our research into EC3 reveals four formal means of collaboration with the private sector. These include formal information sharing agreements, sector-specific advisory groups, the No More Ransom Project, and joint trainings on issues like open-source intelligence. EC3 excels at engaging industry partners, who commit valuable resources and actively participate in the partnership. We attribute this success to the EC3 staff’s understanding of the importance of fostering relationships at the individual level and gradually building a trusted network. However, the EC3’s success in fostering partnership may not be replicable across contexts. One significant insight from this case study is that the EC3 relies on substantial resources, including funding and personnel from EU member states, to execute both regional and, at times, global cybercrime investigations. A critical resource that makes EC3 successful is the participation of law enforcement personnel with deep understanding of cybercrime investigation—something achieved through drawing from Europol’s member states. Through a robust collaboration process and the allocation of substantial resources and personnel, Europol achieves excellent results in its cybercrime collaboration with the private sector.
JCDC
JCDC, situated within the U.S. Cybersecurity and Infrastructure Security Agency (CISA), actively organizes coordination efforts across three core areas: products, planning for response and recovery from cyber incidents, and operational collaboration. This report identifies five ways JCDC engages with the private sector, including: formal information sharing agreements, conducting analytic exchanges, coordinating on cyber threat alerts and advisory development, forming actor-specific action groups, and utilizing communication channels such as Slack for real-time information sharing. Two key aspects contributing to JCDC’s effectiveness are that CISA leadership recognizes that the private sector holds valuable information about ransomware/cyber threats and acknowledges the vital need for this partnership. However, JCDC grapples with bureaucratic and institutional challenges within the U.S. government’s multifaceted approach to cybersecurity collaboration, leading to potential confusion among JCDC participants and hampering information sharing and coordination efforts.
RTF
The RTF, a coalition-led collaboration, distinguishes itself from our other two case studies by being led by a civil society organization. Key collaborative elements involve the RTF’s steering committee and co-chairs representing civil society, the technical community, and for-profit organizations. Additionally, the RTF utilizes various lines of effort, including working groups, to address specific issues within the ransomware ecosystem. The collaboration’s success is attributed to the RTF’s ability to provide clear and focused policy recommendations, leveraging the expertise of its leaders with a range of current and prior experience in policy making across the public and private sectors. With a strong understanding of government processes, the RTF’s members frame policy suggestions in a manner conducive to government responsiveness. A challenge to replicating the RTF’s success, however, is the integral role that civil society actors played. The RTF relies on the organizing capacity of civil society and volunteerism, drawing on a philanthropic culture within the United States that may not apply in all national contexts.
Best Practices and Practical Recommendations
This report distills global best practices and lessons learned from our case studies into four key themes. We highlight that successful public-private partnerships to combat ransomware should:
- Include a relevant and tailored range of stakeholders
- Catalyze effective information sharing
- Build trust through clear expectations and person-to-person collaboration
- Learn to navigate practical hurdles within the partnership
As a guide for future initiatives, this report concludes with a brief step-by-step guide on how to establish a partnership to mitigate ransomware and other cyber threats. The steps are:
- Define the goals of the collaboration
- Identify key stakeholders and gauge their interest
- Establish the ground rules for the partnership
- Start with trust-building practices
- Look for opportunities to achieve progress
- Continue to refine the protocols, convening methods, and the overall structure/goals of the partnership as needed