Biden Faces Russian Ransomware Curtailment ChallengeWhite House Tells Moscow: Take Action, or We 'Reserve the Right' to Do So
(UPDATE: On Friday, U.S. President Joe Biden spoke to Russian President Vladimir Putin about the latest ransomware attacks that have targeted American organizations and said that the U.S. government is prepared to take "any necessary action to defend its people and its critical infrastructure in the face" of these attacks, according to the official readout posted by the White House. Later, Biden told reporters that he was "very clear" in telling Putin that when a ransomware attack originates on Russian soil "we expect them [Russia] to act." Asked if there would be consequences, Biden said "yes.")
See Also: Top 50 Security Threats
The Biden administration has a message for Russia: Rein in the criminal hackers operating from inside your borders who hit Western targets, or we'll do it for you.
The White House says that's the imperative being stressed in ongoing talks between high-level officials in the U.S. and Russian national security teams following the mid-June summit in Geneva between U.S. President Joe Biden and Russian President Vladimir Putin.
Experts say disrupting ransomware will take more than diplomacy, and needed cybersecurity improvements in the "critical infrastructure" - overwhelmingly run by private companies - will take time and focused private-public partnership efforts to fix.
But disrupting the criminals launching these attacks remains a top law enforcement and diplomatic priority, U.S. officials say, and the Biden administration is bringing multiple tactics to bear.
After the Geneva meeting, for example, Biden said he'd told Putin that certain types of "critical infrastructure" were off-limits to any attacks emanating from Russia, including any repeat of the May ransomware attack against Colonial Pipeline Co., which supplies 45% of the fuel used along the U.S. East Coast.
"I looked at him. I said: 'Well, how would you feel if ransomware took down the pipelines from your oil fields?' He said it would matter," Biden said. "This is not about just our self-interest. This is about our mutual self-interest."
Biden added: "Responsible countries need to take action against criminals who conduct ransomware activities on their territory."
Since that meeting, "We have undertaken expert-level talks that are continuing, and we expect to have another meeting next week focused on ransomware attacks," White House Press Secretary Jen Psaki told reporters on Tuesday. "And I will just reiterate a message that these officials are sending, as the president made clear to President Putin when they met: If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own."
Criminal and Nation-State Overlaps
Obviously, ransomware poses a difficult challenge, as highlighted by the fact that it remains so difficult to disrupt.
But many ransomware operations appear to be tied to Russian-speaking individuals - who may be operating from Russia. The Colonial Pipeline attack, for example, was launched by a ransomware-as-a-service operation called DarkSide, which U.S. intelligence said appeared to be run, at least in part, from Russia. Credit for the Friday supply chain attack against remote-management software vendor Kaseya has been claimed by REvil - aka Sodinokibi - which is a RaaS operation that many experts suspect is run from Russia.
"One of the interesting things about ransomware is that it's this blend of criminal and nation-state activity, which is to say that clearly most of the criminals that are involved in carrying this out are out to make money," says Michael Daniel, president and CEO of the Cyber Threat Alliance.
"On the other hand, it is also the case that ... the REvil group [is] right there being harbored by and sheltered by a nation-state," says Daniel, who from 2012 to 2017 served as the White House's cybersecurity coordinator. "And so, there are these overlaps and interconnections between the criminal world and the nation-state world that make ransomware a very challenging threat to deal with."
But there have been increasing calls to do something, including holding Russia's leadership to account for failing to blunt such attacks. "Vladimir Putin is harboring these organizations, and more importantly, he is benefiting from their actions," says Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black.
"There should be a proportionate cyber response," he says. "There should be a targeted response against REvil infrastructure in the dark web. … There should be a campaign of disinformation against REvil - amongst the other cybercrime cartels - to underscore and undermine their credibility."
How Might US 'Take Action'?
How would this be done? Likely by using U.S. Cyber Command, a military unit with offensive hacking capabilities, to try to disrupt specified criminal operations.
The former head of Britain's National Cyber Security Center, Ciaran Martin, writing in Lawfare, has backed this strategy for use by Western governments. He noted that it was used successfully by Cyber Command, for example, to disrupt Russia's Internet Research Agency troll farm ahead of the 2018 U.S. midterm elections.
"A direct cyberattack on an adversary’s infrastructure to destroy it and therefore prevent its future hostile use … has been used against transnational cybercriminals in the past and should, in my view, be deployed where possible against the scourge of ransomware," he said.
'Tricky Time' for Geopolitics
Any attempt to hold a government accountable for the actions of criminals operating inside its borders, however, can be fraught.
"We are entering a very tricky time - the wrong decision now could escalate very quickly," says cybersecurity expert Alan Woodward, a visiting professor of computer science at the University of Surrey.
"The bottom line is the authorities in the U.S. are very unlikely to stand quietly by if the attacks continue at this sort of rate," he says. "What’s left: offensive defense - hacking back, disable the hacking infrastructure by attacking it electronically. The trouble with this is that it lays the U.S. open to a certain extent to the same criticism often levelled at the Russians about carrying out 'operations' on foreign soil."
Woodward says any such attacks on adversary infrastructure would have to remain narrowly focused on criminal infrastructure. If political targets were hit instead, things could quickly spiral out of control, becoming "a hop, skip and a jump to proper cyber warfare - and cyber warfare will not be purely electronic, as damaging as that could be, and could quickly lead to kinetic attacks on related cyber targets," he says. "It’s all too easy to see how it could escalate to a place no one in their right minds wants to go."
Espionage Versus Criminality
Could the U.S. restrain its offensive cyber targeting to just criminal targets? After all, not all network intrusions emanating from Russia are criminal in nature - some instead involve espionage. The backdooring of security vendor SolarWinds' software that came to light last December, for example, has been attributed by the U.S. government to the SVR, Russia's Foreign Intelligence Service.
Reminder: Spies are going to spy.
For example, the Republican National Committee this week announced that an attempt to breach its systems had been detected by its managed service provider, Synnex. The RNC told Information Security Media Group that the attempt was unsuccessful. Bloomberg News, without citing any sources, says investigators suspect the intrusion attempt traced to the Russian government hacking team known as Cozy Bear, aka APT29, which is believed to be run by the SVR.
"Let’s keep our eye on the prize, folks. The real national security issue is ransomware," Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike, said in the wake of that attack.
"Attempted hacking of political organizations - without dump of data - is called espionage," Alperovitch says. "The Russians have been doing it for hundreds of years and will continue doing it for hundreds more. As will we."
But some ransomware operations and operators may not be clearly delineated from intelligence apparatuses.
VMware Carbon Black's Kellermann, who held a seat on the Commission on Cybersecurity for the 44th Presidency, says that many cybercriminals inside Russia - including REvil - have government ties. "They're one of the more sophisticated ransomware crews out there. They definitely have affiliations and connective tissue back into the intelligence services. They're viewed as a cyber militia - in many regards - to help offset economic sanctions and when called upon to do so, to launch attacks against the Western world in a punitive fashion for geopolitical tension or escalations of such," he says.
Whether disrupting ransomware operations' infrastructure would be successful, however, remains to be seen. For starters, many are run as affiliate programs, bringing together distributed administrators and affiliates, including various types of specialists. Many ransomware-using criminals appear to speak Russian, but that doesn't mean they're operating from Russia. Many operations, furthermore, appear to be very distributed.
Public-Private Partnerships Key
On the ransomware front, many experts continue to emphasize that a solution to the problem will not come via government showdowns or diplomatic imperatives, but rather on multiple fronts.
For starters, organizations must improve their defenses to better repel attackers, Daniel says, noting that security teams should be highlighting the latest incidents, such as Kaseya, to senior management. "This is yet again leverage to have the discussion with leadership about why prevention is way more cost-effective than the cure, and that investing in prevention - investing in better cybersecurity upfront - will really pay dividends down the road," he says.
Public-private partnerships will also be vital to help organizations in the critical infrastructure understand just how vulnerable they are, the University of Surrey's Woodward says. "Government doesn’t want to run some of these services but they may be best-placed to ensure those services have adequate security put in place by those that are running them," he says.
The U.S. Cybersecurity and Infrastructure Security Agency says it's pursuing these exact types of strategies. "President Biden signed an executive order back in May that lays the groundwork for what we think is a much more secure cybersecurity posture for the federal government, and it really identifies a number of areas where we can use the federal government's procurement power and standard-setting ability to help shape the software development cycle for the IT community that could have broad effects on the private sector - well beyond just the federal government," Brandon Wales, CISA's acting director, tells ISMG.
Wales also notes that the White House has launched 60-day sprints focused on ransomware as well as improving the security of industrial control systems. Such sprints already have been widely used in critical infrastructure sectors, such energy, chemicals and water. More broadly, he says that "to work in partnership, to reduce those risks," remains a core part of CISA's founding mission statement.
"We've got a lot of work to do. But I feel like we have, in some respects, the winds at our back: We've got strong support from the administration, we've got strong support from Congress, and we're moving out quickly to see what we can do to improve our cybersecurity posture," he says.
No Quick Fixes
Despite moves by CISA and others, experts say no quick fix for the ransomware problem will likely be forthcoming. Organizations will need time to improve their defenses to make it more difficult for ransomware-wielding criminals to exploit them. Diplomacy, too, takes time.
"I suspect, as tedious as it sounds, the answer is going to be a long-term diplomatic endeavor: Try to convince countries like Russia to join in an international effort to stop these attacks as it's in their own interest because they do suffer attacks themselves," Woodward says.
"But don’t think the law enforcement agencies aren’t quietly working away behind the scenes tracking down the criminals - following the money, seeing who is selling what in the dark and generally zeroing in on the culprits."