James Stavridis

Russia and the Pirates of the Cyber Seas

Queen Elizabeth had a problem, and it was not Meghan and Harry. This was the first Queen Elizabeth, who ruled from 1558 to 1603. Her problem was Spain. The Catholic Spanish Empire continually threated Protestant England, using vast resources flowing into the Spanish coffers from the colonies in the new world. Queen Elizabeth needed a means to interdict the treasure galleons that delivered their cargoes back across the Atlantic Ocean. Lacking a powerful navy, she turned to a clever idea: the letter of marque.

Such letters, granted by the crown, turned adventurous sailors like Sir Walter Raleigh and Sir Richard Grenville into, basically, legalized pirates. Using the protection of the queen, they could conduct all the piracy they wanted — and the riches of the Spanish Empire became their principle target.

The letters were in essence government licenses that permitted a private citizen to capture the vessels of a nation at war with England. Think of it as an early version of public-private partnerships. Perhaps the most celebrated of these “privateers,” as they came to be called, was Sir Francis Drake — both a patriot and a pirate.

In today’s world, it is the cyber seas that are unruly and increasingly dangerous. It seems that the Kremlin has taken a page from Queen Elizabeth’s strategy and is, in effect, issuing modern-day letters of marque to cybercriminals. While there is no hard public evidence that the government of Russia is benefiting financially, multiple sources — including the US Treasury Department — indicate that it is affording protection to hacking organizations that steal from and disrupt the West. If true, the rules appear simple: Don’t attack any Russian or Russian-aligned nations, but otherwise the cyber seas are open for hunting.

Although it’s uncertain if the Kremlin was involved, the ransomware attack on the East Coast pipeline system by Russian-based hackers known as DarkSide seems to fit this pattern.

“We have been aware for some time that the Russian security services have established relationships with criminal groups in Russia who engage in cyber activities against targets in the US,” retired Admiral Michael Rogers, former head of US Cyber Command, told me. “From the use of ransomware as a vehicle to extort money from businesses and governmental organizations to the theft of data and other activities.”

Rogers continued: “It is not by chance that the greatest concentration of cybercrime actors in the world is in Russia. This symbiotic relationship continues to increase, and with greater and greater impact and visibility — as we are seeing with the unfolding Colonial Pipeline situation. One has to wonder why the Russians ae not experiencing similar levels of cybercrime.”
How should the US respond?

A key element is working with allies. As military commander of the North Atlantic Treaty Organization, I often visited the NATO Cooperative Cyber Defense Centre of Excellence. It is appropriately located in Tallinn, Estonia – a NATO member that has suffered significant cyberattacks from Russian-based organizations over the past decade. Estonian officials have told me that the line between the Russian intelligence services and many of these privateers is a permeable membrane, and that using them to undermine critical infrastructure will be a continuing part of Russian President Vladimir Putin’s playbook.

Additionally, Washington needs to be willing and prepared to share and shame publicly. While President Joe Biden’s administration understandably won’t want to reveal confidential sources and methods, openly attributing these attacks is crucial to mobilizing the international community against states that protect or benignly ignore internal hackers.

Sanctions can be part of the solution, and they should be targeted at both institutions and individuals who are part of infrastructure attacks and the ransomware protection racket. The US should also look at expelling diplomats or commercial actors.

The National Security Agency and US Cyber Command need to be used more aggressively on the hackers themselves. If a drug cartel attacked a US company, you can bet there would be a significant government response directed against the assets of the drug lord — and many of them ultimately end up in US prisons. The US has capabilities that could be used to go after financial assets of the hackers, locate them both physically and in the cloud, and generally reduce their ability to conduct such operations.

When state-sponsored hackers go after critical infrastructure in particular, they become legitimate targets of military and interagency action, just as Queen Elizabeth’s “sea rovers” were battled by the Spanish navy.

Finally, if the US has appropriate evidence to show Russian government collusion with cybercriminals, it needs to respond in kind at the national level. It could, for example, intrude on Russian government systems and alter or erase data in a way that would be proportional, perhaps reducing the Russians’ ability to move natural gas to markets. Naturally, some US capabilities should remain unused and in a “war reserve” mode, but more prosaic tools could certainly be deployed.

As always, there is difficulty with attribution and defining precise relationships. But when America’s critical infrastructure is in the gunsights, it needs to respond. The best approach would be to internationalize the effort, sharing intelligence broadly and publicly; to put direct fire on the hackers; and to provide incentives and penalties for any national government to hold these modern-day pirates to account for their actions on the cyber seas of the 21st century.