Attacks linked to Russia have hit oil company Colonial Pipeline, meatpacking business JBS and, most recently, IT management software firm Kaseya Ltd. These attacks and other events have concerned the U.S. public and propelled President Joe Biden to tell Russian President Vladimir Putin in June that certain critical infrastructure should be exempt from cyber attacks.
The ransomware incidents also represent a particular slice of cyber crime that Putin may not be invested in maintaining or protecting, said cybersecurity and policy experts during a July 22 Atlantic Council panel.
That fact opens the door for winning concessions, if Biden delivers the right negotiations and pressure to make action worth Putin’s while.
“Am I hopeful that we can get to accommodation on ransomware? Yes. Precisely because it is so important to us, but also because it is not important to Putin,” said Dmitri Alperovitch, executive chair of the Silverado Policy Accelerator, an organization aimed at fostering U.S. policy solutions for economic, strategic and technological issues.
ANOTHER SOLARWINDS
The former appears to be the driver behind the 2020 SolarWinds attack, which led to hackers installing spyware on federal agency systems. The U.S. attributed the attack to Russia’s Foreign Intelligence Service, although Putin continues to reject this claim. Traction against such attacks is unlikely, given that both Russia and the U.S. have a vested interest in conducting digital espionage, Alperovitch said. This reality creates little appetite for establishing potentially helpful cyber norms.
Also speaking on the panel was Katie Nickels, director of intelligence at information security firm Red Canary and a member of the Institute for Security and Technology-convened Ransomware Task Force. Nickels suggested that nations may consider disavowing certain espionage methods, such as those that compromise numerous unrelated organizations, like SolarWinds, in pursuit of traditional political targets.
Along with espionage, Putin is also likely to continue conducting other cyber interference like election meddling, Alperovitch said.
“The reality is, we’re not going to stop most of the cyber activity we’re seeing from Russia,” he said.
Where Alperovitch is optimistic, however, is ransomware.
REDUCING CYBER EXTORTION
Putin is known to turn a blind eye to criminal groups that target victims overseas, and Russia’s constitution prohibits extradition. But ransomware perpetrators reside outside of Putin’s inner circle and aren’t a significant source of profit for the government, in Alperovitch’s estimation.
Criminal ransomware is not a zero-sum game where the U.S. wins concessions only at the cost of Russian interests, emphasized Matthew Rojansky, director of the Woodrow Wilson International Center’s Kennan Institute, a nonpartisan policy forum focused on global issues.
“This isn’t something [Putin] cares that much about; they just weren’t taking it seriously,” Rojansky said.
The Russian government’s low investment in enabling the criminals creates an opportunity for the U.S. to persuade Putin to crack down. This strategy would require the White House to demonstrate that Russia could gain sufficient benefit or cost-avoidance from playing ball.
One potential complication is the lack of a clear line separating private criminals and political agents, as the same parties often wear both hats. The Russian government is known to recruit criminal talent to support state campaigns while still allowing those actors to continue their own illicit activities, said Louise Shelley, director of George Mason University’s Terrorism, Transnational Crime and Corruption Center. Nickels suggested this wrinkle may require U.S. response policy to focus on the motives behind attacks rather than on specific players.
Any retaliatory measures the U.S. promises — such as severe sanctions — must be carefully chosen to be impactful and credible, Alperovitch said. Putin must believe the U.S. can and will implement the response, and the U.S. must be committed to following through, regardless of negative economic impact on itself or its allies.
Speakers also said the fight against ransomware doesn’t need to be won in one fell swoop and that getting commitments to avoid hacking nuclear control systems, schools, hospitals and other important infrastructure would all be useful steps.
AN EXPANSIVE THREAT
Moving the needle on ransomware also entails working with international and private-sector partners to tackle what has emerged as a sprawling issue. Engaging a broad swath of nations will be critical to stopping bad actors from hopping borders and continuing operations from more lenient countries or from collaborating with partners in such countries, Shelley said.
Even Russian actors who don’t perpetrate attacks may still foster cyber crime by selling tools on the dark web, and there are indications that China-based attackers may be using Russia-made solutions, Shelley said.
Another strategy would be disrupting the systems that illicit outfits use to attract customers and access ransom payments, Shelley and Alperovitch pointed out. Payment processors alerted about problematic users could cut them off, Shelley suggested.
Alperovitch also said the U.S. and allies could pressure companies that serve cyber criminals to stop enabling them. Governments could sanction hosting service providers that serve bad actors and take aim at cryptocurrency exchanges that don’t perform know-your-customer (KYC) or anti-money laundering (AML) checks.