Noah Feldman

Big Cyberattacks Should Be Handled by Nations

On New Year’s Eve of 1879, Gilbert and Sullivan’s Pirates of Penzance premiered, featuring lovable corsairs relegated to the eponymous Cornish seaside resort. It marked quite an image makeover from the beginning of the century, when — in 1801 and again in 1815 — the US fought two naval wars in the Mediterranean against piracy, known as the Barbary wars.

How piracy went from menacing seaborne threat to charming comic opera over the course of the 19th century should give policymakers some clue about how to prevent attacks by cyber pirates, like the ransomware attack that crippled the Colonial Pipeline this week. Whether the pirates are in Russia or North Korea or elsewhere, the US is going to have to engage in some old-fashioned hard-power geopolitics to change those governments’ incentives.

It’s no exaggeration to say that ransomware attacks have quietly become an industry. But it’s one that’s managed to maintain a low profile until now, because neither victims nor pirates are eager to share information on the scale or frequency of hacks. (That reticence could be one reason the FBI reports numbers that are almost laughably low.) Now, with the latest attack causing a pipeline shutdown and raising East Coast gas prices, the national security side of the phenomenon is front and center.

That’s a good thing — because as history shows, there’s only one way to defeat pirates. Big, powerful states need to flex their muscles and crack down on the weaker states that harbor the scofflaws.

That would mark a considerable change from the status quo, in which a class of professional data hostage negotiators advises its clients that they have little choice but to pay the ransom — and buy silence alongside their stolen data.

My guide to the issue, Seth Berman, a cyber lawyer with decades of experience in the field, points out that the costs go beyond a public data breach. Frozen data can shut down a company’s operations and kill revenue. These costs are almost inevitably higher than the price set by the pirates. And the costs are rising as pirates get bolder: One estimate found that the total costs of an attack rose from $761,106 in 2020 to $1.8 million in 2021.

According to Berman, pirates are increasingly aware of the damage they can inflict. Logically, they will always try to set the ransom below the company’s estimate of the costs of going offline or having its data exposed. And rationally, it makes sense to go after large companies, where the average ransom was $170,404 last year, as opposed to individuals; most people don’t bother to pay the ransom (they just buy a new computer) and even when they do pay, the average ransom demanded is just $504.

To solve the problem of ransomware piracy, it’s worth looking at how piracy itself was (mostly) eliminated over the course of the long 19th century. The short version: Big states with big navies used their influence to block pirates from pursuing their business from bases where they could previously operate with impunity. Sure, more and better ships helped capture pirates. But humans can’t be at sea all the time, and pirates need ports from which to operate.

Today, piracy of the seafaring variety persists pretty much exclusively in places with weak governments that lack the capacity or will to suppress it — think Somalia. (For an analysis of the data, see this study by researchers at the German Institute for Economic Research. Yes, the title of the study is “Gov-arrrgh-nance.”)

By analogy, ransomware piracy comes from states that either don’t bother to suppress the practice or else actively participate in it, sort of how some early modern governments commissioned privateers to engage in a kind of legally sanctioned semi-piracy.

The solution to ransomware thus comes from the US and other powerful countries using their power and influence to change the incentives of states like Russia and North Korea, from where most of the attacks seem to come. The tools are those of great power politics: sanctions, counter-attacks, and the acknowledgment that ransomware attacks are acts of piracy that can become acts of war. When it comes to weaker states that lack the capacity to block ransomware piracy, the tools are enforcement assistance and cyber infrastructure state-building assistance.

The lesson of history is that piracy won’t just fade away. It needs to be fought. And the pirates aren’t amiable comic-opera scoundrels with a sense of fun and duty. They are what international law always deemed them: hostis humani generis, enemies of all mankind.