The cyberattack on the Colonial Pipeline spurred a clear message from the White House Monday that the onus lies with critical infrastructure owners and operators to secure their own networks. That leaves some demanding more from government to deter cybercriminals by placing increased pressure upon nations that choose to harbour the attackers.
DarkSide, the affiliate ransomware that caused the Colonial Pipeline to pause operations over the weekend, is run out of Russia, a nation long known to protect cybercriminals within its borders from international investigation and extradition. As the pipeline mitigates the attack, and the United States mulls policy solutions for ransomware, the Biden Administration will have to answer an immediately important question: What does the U.S. do about criminals protected by their own governments?
That question becomes more complicated with attacks against critical infrastructure, which is privately owned and operated, but also intrinsically tied to national security. Those distinctions make these companies high-value targets that are typically under-resourced, and many argue it is in government's best interest to protect them.
When attribution doesn't help
The FBI attributed the attack to the DarkSide ransomware group Monday morning. The group soon after confirmed the attribution with an unusual bit of corporate crisis communications: It goes about crime without a political ideology or desire to cause chaos, it claimed, promising to better monitor its affiliates so that they do not devastate critical infrastructure in the future.
"It just shows how safe they feel in Russia," said Jim Lewis, a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) and former official at the departments of Commerce and State. "Can you imagine the Mafia releasing a press release?"
While the United States and other western powers frequently indict Russian hackers, Russia rarely captures them on the international community's behalf. Instead, those hackers typically only see the courts if they are arrested in an extradition country. The feeling among current and former U.S. officials, as well as those who study cybercrime, is that hackers and Russian authorities operate with the understanding that crimes outside of Russia will not be investigated. Many variants of malware, including DarkSide, will not deploy against networks set to use the Russian language.
This leads to an interesting quandary for lawmakers trying to deter ransomware: jail is the traditional deterrent to crime, but criminals have no fear of prison time.
There have been several suggestions made on how to handle the issue, a mix of carrots and sticks. The most recent suggestions came in the extensive report by the Ransomware Task Force hosted by the Institute for Security and Technology. The task force was comprised of a massive cross section of government, security professionals, target industry and academic stakeholders.
"If you are responsible for an attack that hits a critical infrastructure sector, and significant economic harm arises or death, certainly, that there ought to be harsher penalties," said Megan Stiffel, co-chair of the task force, executive director for the Americas for the Global Cyber Alliance and former Department of Justice lawyer.
Hitting them where it hurts
The most common suggestion to cajole uncooperative governments into action is sanctions. It is a tactic that the task force report does bring up. But there may be more applicable pressure points for lawmakers to press nations to ramp up investigations into outward-facing cybercrime, said Stiffel. Many of the Eastern European countries known to house cybercriminals, for example, are also recipients of U.S. military aid. It's not out of the question, she said, to tie that aid to cooperation.
That would not work for Russia, she noted, which has very little at stake in terms of positive relations with the U.S. But the ransomware report offers other levers to pull, including U.S. visa cooperation.
The U.S. would have more political firepower to draw against Russia with a broad international coalition fighting ransomware, the report noted. The Biden Administration would seem to agree: at a press conference Monday to discuss the Colonial Pipeline shutdown, officials emphasized their pursuit of greater international cooperation.
But none of these diplomatic levers are without controversy. The United States has long been judicious about sanctioning Russia and, as Lewis notes, there is only a finite number of benefits to routinely sanctioning a nation. He also described toying with visas as a disproportionate line of attack.
In the press conference Monday, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger mentioned international law enforcement efforts to disrupt the infrastructure used by different malware, including ransomware. "We expect that will be a continued focus area to make it far more difficult for these actors to prey on their victims," she said.
Beyond the comparatively gentle touch of law enforcement, using intelligence agencies' offensive cyber capabilities could also be an option.
“I think where you’ll see new activity over the next few years is the use of [Cyber Command] to throw sand in the gears of cybercriminals,” John Dermody, an attorney with O’Melveny who previously served as deputy legal counsel to the National Security Council and in the general counsel’s office at the Department of Homeland Security, told SC Media in February.
And if all else fails, the U.S. could resort to what Lewis called the "Barbary Pirate" strategy of military force to take down criminal enterprise. But that's "probably a bridge too far right now for the U.S.," opening the door to potential escalation, he said.
That said, the power of extraditions shouldn't be minimized.
"They hate that," Lewis said. "I was at an event in Moscow about a month ago where I said somewhat judiciously, 'I actually kind of liked extraditions.' The Russians there, including Russian officials, had a complete fit."