Dmitri Alperovitch
America Is Being Held for Ransom. It Needs to Fight Back.

The digital scourge known as ransomware — in which hackers shut down electronic systems until a ransom is paid — is worse than ever. Over the past few months, these attacks have leaked sensitive government data, thwarted the operations of hundreds of businesses and even temporarily shut down one of the United States’ biggest oil pipelines. The newest cybergang on the street — Groove, a motley crew of criminals that has already leaked 500,000 private passwords — has taken to threatening President Biden directly. (It’s likely, of course, to be sheer bluster.)

To combat the ransomware problem, the Biden administration has so far taken a two-prong approach: concerted diplomacy with nations harboring cybercriminals and expanded defensive capabilities at home. These are critically important efforts. But to really address the issue, the administration must develop an offensive strategy, too — and fight back.

Diplomacy with Russia, even if it succeeds, won’t be sufficient. Despite repeated requests from the Biden administration, there is no evidence that President Vladimir Putin of Russia has taken any action to put pressure on ransomware criminals operating within Russian borders. Instead, after a brief hiatus in August, REvil, the Russian-speaking group that claimed responsibility for this summer’s attacks on numerous American businesses, has brought its servers back online.

Although the most potent ransomware groups are believed to be operating from Russia, other countries, including North Korea and Iran, are also major players, and cybercrime from these nations is even more worrisome. America has significantly less diplomatic leverage over North Korea and Iran than it does over Russia. Both North Korea and Iran are already subject to extensive US sanctions, so gently asking, or even sternly insisting, that they stop ransomware groups simply won’t work.

Purely defensive strategies will also fall short. Cybersecurity expertise is expensive and in high demand in the United States. It is unrealistic to expect that every American hospital, school, fire department and small business can defend itself against highly sophisticated criminals. The task is too big.

Instead, a comprehensive anti-ransomware strategy must make it more difficult for criminal groups — and the nation-states that may sponsor them — to carry out attacks. An aggressive campaign would target the foundation of ransomware criminals’ operations: their personnel, infrastructure and money.

The United States is capable of conducting successful campaigns of this sort. In 2015, US intelligence and military professionals formed Task Force ARES and began a cyberwarfare campaign against the Islamic State while forces on the ground continued to drive out insurgents from Syria and Iraq. The digital operation targeted ISIS personnel with disinformation, disrupted their networks and locked them out of their servers and web accounts. The task force significantly disrupted ISIS’ online activity and reduced its media operation to a shadow of its former self within six months.

The United States should build off the model used by Task Force ARES, targeting ransomware criminals’ technical and financial infrastructure. Such a campaign could reveal personal details about the perpetrators, take down the ransom payment servers they are using to conduct operations, seize their cryptocurrency wallets and perhaps even introduce subtle bugs into their code that enable victims to unlock their data without paying a ransom.

Coupled with more aggressive law enforcement action as well as threats of severe sanctions, this type of offensive strategy is America’s best bet to disrupt the onslaught of attacks originating from states more or less immune to diplomatic appeals.

The United States should also aim to undermine the ransomware financial model, which usually depends on payments made through anonymous cryptocurrency wallets. Again, this is something America already knows how to do. After the ransomware attack in May on Colonial Pipeline, which shut down 5,500 miles of pipeline along the East Coast, federal officials were able to recover most of the ransom payments paid with cryptocurrency.

The European Commission recently proposed regulations that would impose certain identification requirements for cryptocurrency payment systems. This is especially important because cryptocurrency allows ransomware criminals to collect payments anonymously, reducing the likelihood of being tracked down by law enforcement. The US intelligence community and law enforcement agencies should push for similar changes.

Critics of this aggressive approach caution that it risks setting off a dangerous escalation of force between countries. But from the evidence available so far, countries rarely retaliate to cyberattacks with much greater force. One survey of incidents and responses between 2000 and 2014 found that cyberrivals are usually focused on stopping or slowing down the intrusion rather than on escalating a confrontation. Even if some escalation does follow, I believe it’s a risk worth taking.

In the short term, the Biden administration is right to bolster the federal government’s defensive capabilities and to encourage private companies to do the same. But the United States must recognize that it will not be able to defend its way out of the ransomware problem.

The New York Times