Ransomware Everywhere: Advancing Responsible State Behavior in Cyberspace

While the behavior of state actors (and their proxies) in cyberspace is a pressing national security concern, the recent wave of high-profile ransomware attacks serve as a stark reminder of the importance of addressing a wide diversity of actors and the range of relationships they can have with states around the world. 

What role can and/or should international cooperation play in addressing this spectrum of actors? How should the Biden administration respond to the rash of attacks originating in Russia? What form should engagement with Russian President Vladimir Putin take? Where have we made the most progress and what gaps remain?

Key Takeaways

1. Russia, China, and the U.S. all have different objectives in cyberspace; understanding those objectives is a critical first step in developing any deterrence strategy.
2. Deterring malign behavior in cyberspace is complex with many possible inadvertent consequences. Many of these deterrence tactics have been tried before, and so the question remains what options are on the table now—and what will their impact be?
3. It's critical to understand how adversaries view threats and opportunities in cyberspace.

Selected Quotes

Dmitri Alperovitch

"When it comes to ransomware, I think we can make progress, precisely because this is not a critical issue for Putin. It is not his government that’s orchestrating these attacks or directing them. He doesn’t know who these criminals are. It’s quite likely that these criminals are getting some level of protection from Russian intelligence services, but very likely at a low level. [...] So, these are precisely the types of people he can absolutely take action on, either arrest, ideally, and prosecute, or even just send a message. 'Knock this off, get back to just stealing credit cards.' Obviously we wouldn’t like this either but it would be much more preferable to the ransomware attacks that we’re seeing now. So, that’s exactly where we can get progress from Putin, with a credible threat of severe sanctions that would have an enormous impact on his economy, in a way that existing sanctions we’ve put in place since 2014 really have not." 

WATCH CLIP

"A lot of people told us after our op-ed that we are advocating for some very severe sanctions, some unprecedented sanctions on the oil and gas sector of the Russian government, which is supplying quite a bit of funding for the annual budget. We’re advocating for secondary sovereign debt sales, which would have an impact on their ability to raise funds overseas. And the reason we did that is to really send a strong message to Russia that this is beyond the pale. We have a lot of problems with what Russia has been doing both in cyber and in the physical world over the last really almost 20 years. On cyber alone, we’ve had the election interference issues that we’ve been dealing with since 2015, we’ve had destructive attacks like NotPetya… and a whole slew of other nefarious activities that we’ve complained to the Russian about—including the recent SolarWinds attacks. But in our opinion, ransomware eclipses all of those… Ransomware hits the pocketbooks of the average Americans. It hits our small businesses… It’s the small and medium businesses, it’s the dentist offices, it’s the libraries, it’s the school districts, it’s the fire departments all over this country that are actually not in a position to either pay the ransom or do the necessary steps to recover their network after a devastating attack."

"Aside from the merits of doing sanctions on the specifics of the exchange hacks or on SolarWinds, just in the broader scheme of things, we have sanctioned China, we have sanctioned Iran, we have sanctioned North Korea for a variety of nefarious cyber activities over the years. We have never sanctioned China for anything they have done on cyber. Surely there is something that they’ve done over the years that deserves sanctions, including, in my opinion, the massive theft of intellectual property that they’ve been conducting for the better part of two decades. And yet we’ve never taken that step."

"I think we actually need to have a multi-pronged approach to this ransom problem… One of the big concerns that I have personally is the North Koreans who have dabbled in ransomware in the past, would take up the void and would start conducting huge numbers of attacks going forward to try to fund their regime… This can’t be the only answer—this threat of ultimatum vis-a-vis Russia. We absolutely need to use cyber command and other intelligence assets that we have to try to disrupt these groups, try to take money back like we did with the ransom for the part of the colonial hack, we need to be going after the infrastructure, and doing a variety of things to make it difficult for them to operate."

Matthew Rojansky 

"One of the pressure points is the belief in Moscow that there are limits to what the United States can do because of what our principal European allies and trading partners, and some of our Asian allies and trading partners, need vis a vis access to the Russian market, ability to trade on secondary markets in Russian debt, ability to deal directly with Russian, state-owned firms, and not have to make a zero-sum choice of dealing with the United States or dealing with these Russian firms. All of this is a way of saying…that’s a real pain. It’s either economic pain to American companies, diplomatic pain to the United States in terms of dealing with allies, or, it’s the pain of having to force uncomfortable choices that we haven’t done before. If we’re imagining that we can make this ultimatum clear without that pain, then we are not imagining the right ultimatum." 

WATCH CLIP

"This speaks to the core of who we are as a nation. This is people’s livelihoods, this is their life’s work. When thousands of small businesses and medium businesses, community institutions like schools, medical offices, et cetera, are affected, as in the Cassaya hack some two weeks ago, this speaks to the core of President Biden’s message of a foreign policy for the middle class. If you’re going to stand up for the American middle class, if you’re going to stand up for small businesses, if you’re going to stand up to the American people when they’re directly attacked by criminals, this is something you have to take very seriously."

"The value of sanctions is the recognition of what matters to us versus things we just say. And I think… in this comment about red lines, critical infrastructure, versus whatever doesn’t fit into that, is the issue of a lot of stuff gets said. A lot of stuff gets said between Washington and Moscow, a lot of stuff gets said between Washington and Beijing, and a lot of stuff gets debated in public. And messages get really muddled. And I argue that this has been an enormous problem in communicating clearly between Washington and Moscow."

"What I can say with certainty without necessarily having any insight into what the war plans are, is in case of a war between the United States and the Russian Federation, of course the Russians will turn off the lights. They will do more than that. They will use every cyber tool in their arsenal just as we would do. And the reason that I know that is because they do do that. To Georgia in 2008. They have done things short of that to Estonia. And they continue to do that to Ukraine."

Congressman Jim Himes 

"For three presidential administrations now, I’ve tried to make the case, that particularly with Russia, we’re going to be having a very big problem, until we actually effectively establish a sense of deterrence. And I was terribly disappointed with the Obama response to 2016…the “PNG”ing of, whatever the number was, sixty plus so-called diplomats, the closure of the Maryland facility…That’s a slap on the wrist for Vladimir Putin. And we’ve seen that consistently. And even someone like me, who has fairly good insight into the operations that we take, I can say with some confidence that we have not, in any way, established the deterrence—a sense that these adventures will be met with very costly responses."

WATCH CLIP

"Twelve years ago, honestly, in this [Congress], if you said cybersecurity most people would look at you quizzically. And even people with stars on their epaulettes would look a bit confused when you asked what the Pentagon… was doing about cybersecurity. That has gradually changed… in the last couple of months. And I think that sea change is attributable to a couple of things. Number one, Colonial Pipeline was different than the other stuff. When you are really worried about gasoline lines in eastern Virginia that’s very different than the thrill that comes from seeing a Sony executives email that probably should never have been sent. In a way, it’s much more abstract… And then, when people came to realize, as I came to realize… that the government’s interaction with the company was not even close to optimal."

"You… can’t talk about cybersecurity and cyber attacks without really thinking about privacy issues. So, there’s a new focus here in the Congress on all of those issues, but in particular, around cybersecurity."

"We always forget to mention, and to really think hard enough about, the rather inelegantly named “cyber hygiene.” If you talk to Gartner, if you talk to the experts, they will tell you that we rarely see a zero-day attack. And therefore, almost all of the nefarious stuff that succeeds succeeds because people are sloppy about updating their software, about sticking unknown memory cards into their devices, clicking on links… We don’t spend enough time thinking about that but that is by far the lowest cost and lowest risk way of taking a huge problem and making it a smaller problem."

Meg King 

"I’m the optimist here in the group. I do think that because we have so many companies that rely on selling goods and services to China that we have an opportunity here, and I think the administration is trying to explore that, at least on the Chinese side. [...] We have seen some behavior change after the threat of sanctions in the past, but we have more tools than just sanctions that will likely make the Chinese think twice. So I think there is a lot of opportunity ahead and I hope that we can begin a dialogue, and at this point, we have zero dialogue, so we can only go up. "

WATCH CLIP

"I look at this as one size shouldn’t fit all, and every country looks at cyberspace in a different way. And our signals… don’t necessarily match those of other countries. And so, just applying the same tool against each adversary isn’t going to work."

"We’ve done a lot of talking about sanctions, there’s a lot of other creative deterrence tools we have [at our disposal]. … A lot of the tools being used by states and nonstate actors were originally obtained from the U.S."