What touches the American psyche more deeply than a gas shortage? If the Colonial Pipeline attack is any measure, nothing. Ransomware has been a growing problem for years, with hundreds of brazen criminal hacks against schools, hospitals, and city governments—but it took an attack that affected people’s cars for the US to really take notice.
The strike on the Colonial Pipeline may have only led to panic buying rather than genuine gas scarcity, but it pushed the country hard enough to demand a response from the president of the United States.
On May 10, after the company had paid $4.4 million to the hackers responsible, President Biden made his argument. While there was no evidence of direct Russian government involvement in the Colonial Pipeline attack, he said, Moscow has a responsibility to deal with criminals residing within their own borders.
His statement is based on what experts have long known: that Russia is a cybercrime superpower in large part because the line between government and organized crime is deliberately hazy.
“We have a 20-year history of Russia harboring cybercriminals,” says Dmitri Alperovitch, the former CTO of cloud security company Crowdstrike and chairman at the Silverado Policy Accelerator, a technology-focused think tank in Washington, DC. “At a minimum they turn a blind eye toward cybercriminals; at a maximum they are supported, encouraged, facilitated.”
Knowing what is happening is one thing, however. What’s more difficult is working out how to change it.
Under international law, states have a responsibility not to knowingly allow their territory to be used for international crime. This most often happens in piracy, but it also applies to terrorism and organized crime. Global agreements mean that governments are obligated to shut down such criminal activity or, if they lack capability, to get assistance to do so.
Russia, however, has been known to protect criminal hackers and even co-opt them to undertake attacks on its behalf. More often, it simply tolerates and ignores the crooks as long as the country itself is not affected. That means hackers will routinely skip any computer using the Russian language, for instance, in an implicit admission of how the game is played.
Meanwhile, the Kremlin routinely strongly resists international efforts to bring the hackers to heel, simply throwing accusations back at the rest of the world—refusing to acknowledge that a problem exists, and declining to help.
On May 11, for example, shortly after Biden’s statement, Kremlin spokesman Dmitry Preskov publicly denied Russian involvement. Instead, he criticized the United States for “refusing to cooperate with us in any way to counter cyber-threats.”
The calculus for Russia is difficult to measure clearly but a few variables are striking: ransomware attacks destabilize Moscow’s adversaries, and transfer wealth to Moscow’s friends—all without much in the way of negative consequences.
Now observers are wondering if high-profile incidents like the pipeline shutdown will change the math.
“The question for the US and the West is, ‘How much are you willing to do to the Russians if they’re going to be uncooperative?’” says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “What the West has been unwilling to do is take forceful action against Russia. How do you impose consequences when people ignore agreed-upon international norms?”
“I do think that we need to put pressure on Russia to start dealing with the cybercriminals,” Alperovitch argues. “Not just the ones directly responsible for Colonial, but the whole slew of groups that have been conducting ransomware attacks, financial fraud, and the like for two decades. Not only has Russia not done that: they’ve strenuously objected when we demand arrests of individuals and provided full evidence to the Russian law enforcement. They’ve done nothing. They’ve been completely obstructionist at the least, not helping in investigations, not conducting arrests, not holding people accountable. At a minimum, we need to demand them to take action.”
There are numerous examples of cybercriminals being deeply entangled with Russian intelligence. The enormous 2014 hack against Yahoo resulted in charges against Russian intelligence officers and cybercriminal conspirators. The hacker Evgeniy Bogachev, once the world’s most prolific bank hacker, has been linked to Russian espionage. And on the rare occasions when hackers are arrested and extradited, Russia accuses the US of “kidnapping” its citizens. The Americans counter that the Kremlin is protecting its own criminals by preventing investigation and arrest.
Bogachev, for example, has been charged by the US for creating a criminal hacking network responsible for stealing hundreds of millions of dollars through bank hacks. His current location in a resort town in southern Russia is no secret, least of all to the Russian authorities who at first cooperated with the American-led investigation against him but ultimately reneged on the deal. Like many of his contemporaries, he’s out of reach because of Moscow’s protection.
To be clear: there is no evidence that Moscow directed the Colonial Pipeline hack. What security and intelligence experts argue is that the Russian government’s long-standing tolerance of—and occasional direct relationship with—cybercriminals is at the heart of the ransomware crisis. Allowing a criminal economy to grow unchecked makes it virtually inevitable that critical infrastructure targets like hospitals and pipelines will be hit. But the reward is high and the risk so far is low, so the problem grows.
What are the options?
Just days before the pipeline was hacked, a landmark report, “Combating Ransomware,” was published by the Institute for Security and Technology. Assembled by a special task force comprising government, academia, and representatives of American technology industry’s biggest companies, it was one of the most comprehensive works ever produced about the problem. Its chief recommendation was to build a coordinated process to prioritize ransomware defense across the whole US government; the next stage, it argued, would require a truly international effort to fight the multibillion-dollar ransomware problem.
“The previous administration didn’t think this problem was a priority,” says Phil Reiner, who led the report. “They didn’t take coordinated action. In fact, that previous administration was completely uncoordinated on cybersecurity. It’s not surprising they didn’t put together an interagency process to address this; they didn’t do that for anything.”
Today, America’s standard menu of options for responding to hacking incidents ranges from sending a nasty note or making individual indictments to state-level sanctions and offensive cyber-actions against ransomware groups.
Experts say it is important to get allies to publicly acknowledge the problems and endorse the consequences—and to be less hesitant. Biden’s public assertion that the Kremlin bears responsibility for cybercrime carried out from Russian soil could be a signal to Moscow of potential consequences if action isn’t taken, although he didn’t say what those consequences could be. The fact that the United Kingdom’s foreign minister, Dominic Raab, soon echoed the sentiment is a sign of growing international consensus.
“The preponderance of opinion is for caution, which of course the Russians know and exploit,” Lewis says. “Colonial hasn’t fully changed that, but I think we’re moving away from a timid response. We’re not changing anything, and things are getting worse.”
Action can be stymied for fear of escalation, or because cyber can take a back seat to other issues important to the Russia-US relationship, like arms control or Iran. But there are efforts under way to expand the options for action now that senior leaders from both sides of the Atlantic now clearly see ransomware as a national security threat.
This is a fundamental shift that could drive change—in theory.
“I wonder about the idea against action, because it risks making the Russians mad so they’ll do something back to us,” says Lewis. “What exactly have they not done?”
Today, the White House is actively working with international partners, the Justice Department is standing up a new ransomware task force, and the Department of Homeland Security is ramping up efforts to deal with the problem.
“This is a solvable problem,” says Reiner, who was a senior National Security Council official under Obama. “But if action isn’t taken, it’s going to get worse. You thought gas lines for a day or two were bad, but get used to it. They’re going to continue to ramp up against schools, hospitals, businesses, you name it. The ransomware actors won’t care until they face consequences.”