Just 10 years ago, ransomware was the domain of mostly small-fry hackers encrypting files to squeeze a few hundred dollars out of random individuals. Today it's an urgent issue of national security.
How the U.S. can deter ransomware attacks
Hardening network defenses, and allowing liability for failure to do so, is one step. But it's not enough. The threat of proportionate retaliation must be real.
By Jonathan Welburn and Quentin Hodgson
As President Joe Biden said in late July: If the U.S. ends up in "a real shooting war" with "a major power," a "cyber breach of great consequence" will be to blame.
Cybercriminals have been escalating their attacks for years — locking up the computer systems of police stations, city governments and hospitals. But the ransomware attack in May on the operator of the largest petroleum pipeline in the U.S. — which disrupted gasoline supplies in much of theountry — is one of many cyberassaults that are tiptoeing closer to an act of war.
DarkSide, the hackers-for-hire believed to be based in Russia, dropped out of sight after the company Colonial Pipeline paid $4.4 million in bitcoin. But cybercrime groups frequently reorganize and rebrand. Haron and BlackMatter are among the new names that have emerged this summer. The FBI recently announced it was tracking more than 100 active ransomware groups.
To rein in ransomware attacks, the U.S. needs to upend the risk-reward ratio for hackers — and for the countries that harbor or support them. Such a national deterrence strategy would make networks harder to breach, hit back harder against hackers and claw back gains from those who succeed.
Many corporations and other private-sector organizations haven't sufficiently hardened their own defenses, despite repeated warnings. In part, this is because they've paid too little a price for their negligence. In 2013, Target suffered what was then the largest-ever data breach, which compromised the financial data of 40 million customers. In 2017, the sensitive financial records of more than 140 million people were exposed in the data breach of Equifax, a credit-monitoring company.
Neither company — nor many others like them — was punished by their shareholders or their customers over the long term.
That could change if companies start to be held legally liable — beyond government fines — for damage caused by their lax security. For instance, a class-action lawsuit has been filed on behalf of 11,000 gas station owners who are seeking damages for sales lost because of the Colonial Pipeline shutdown.
Their claims of negligence may have merit. Colonial and other pipeline operators had been alerted to ransomware threats months before the attack by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. And yet DarkSide easily made its way into Colonial's networks using an inactive Virtual Private Network log-in found among many stolen passwords from the dark web.
The incursion might have been prevented by basic internet hygiene practices — deactivating old accounts, mandating frequent password updates and two-factor user authentication, and practicing running company operations from backup data.
Still, cyberattacks are becoming so sophisticated that hardening network defenses won't be enough. The hack of developer SolarWinds, discovered in 2020, corrupted a routine update of its widely used IT management tool, while the Microsoft Exchange breach in March took advantage of four vulnerabilities in the email software that were exploited before a patch could be issued.
Retaliation is the lodestone of any deterrence strategy. The question is whom to strike back against and how hard.
Charging individual hackers with crimes rarely works because so many operate outside the reach of U.S. law enforcement. Eastern European governments have been particularly unwilling to stop cybercriminals from operating within their borders. Economic sanctions are another tool — but they have yet to push Russia to deal with its local ransomware groups such as DarkSide and REvil. Other countries directly support such criminal activity; North Korea notoriously uses an army of cybercriminals to raise money for the totalitarian state.
To raise the stakes for its adversaries, the U.S. could launch online counterattacks on a hacking group or its host country. Retaliation measures taken could become more severe when ransomware jeopardizes public safety or access to necessities like healthcare, food and gasoline. This appeared to be what Biden was seeking to convey during his June meeting with Vladimir Putin, when he handed the Russian president a list of 16 critical infrastructure sectors that Biden declared off-limits.
Such resolve must be backed up by more than words. For deterrence to be credible, the U.S. needs to send clear signals that it is prepared to retaliate proportionately — especially if state-sponsored hackers take down a power grid or disrupt the operation of a dam. Under international law, such actions are considered "use of force" against another country, and that puts a military response on the table.
Some experts argue that private companies also should have the right to counterattack. Among the provocative ideas are reviving congressionally issued letters of marque, a permit given to merchant ships to search out pirates and take back stolen assets by force in the 18th century. A modern version would incentivize corporations to act as "cyber scouts" and share information with U.S. agencies in return for some immunity from fines and protection against lawsuits. A "hack back" bill introduced in Congress in 2019 would have gone further, allowing the private sector to use hacking tools against cybercriminals in the name of "active defense."
These policies could, however, create more danger than they prevent. Ransomware attacks are frequently misattributed in the days after they become public. Private parties could unintentionally start an international conflict or escalate existing tensions. But the fact that these ideas are being taken seriously speaks to how recent approaches have fallen short.
Another way to deter ransomware attacks would be to deny hackers any gains from their successes. Regularly backing up data and exercising recovery can help, but it is not foolproof. The FBI advises against paying ransoms, but there is no consensus on whether banning ransom payments outright makes sense.
When ransoms are paid, the same digital ledger technology that powers bitcoin, ethereum and other cryptocurrencies can aid efforts to follow the money. For instance, the FBI watched DarkSide transfer its Colonial ransom haul across digital accounts, then moved in to seize about half the ransom, roughly $2.3 million. In addition, law enforcement agencies can try to make it harder to use cryptocurrencies to launder ransoms or purchase illicit goods.
Just two months after the Colonial Pipeline shutdown, another group of hackers stole sensitive data from Saudi Aramco — the largest oil company in the world — in an attempt to extort $50 million. That reflects the pernicious nature of problem: Left unabated, the scourge of hacking for ransom will extract ever-larger costs and cause wider disruptions that threaten our economic and national security.
The U.S. cannot rely on a passive, defensive strategy. Deterrence will require undermining everything that makes ransomware attractive by making it harder for hackers to profit — and quickly striking back against those who try.
Jonathan Welburn and Quentin Hodgson research cybersecurity, deterrence strategy and infrastructure protection at the nonprofit, nonpartisan Rand Corp. This article first appeared in the Los Angeles Times.
about the writer
Jonathan Welburn and Quentin Hodgson
The time has come to build a Hennepin County Juvenile Mental Health Treatment Center.