Deterring Cyber Disaster

The Biden administration is facing an urgent national-security threat as a non-state entity—Russian cybercriminals—likely acting at the acquiescence of a state—Russia—is conducting debilitating ransomware attacks on U.S. infrastructure. Nearly twenty years ago, on 9/11, a similar dynamic was evident when a non-state group—Al Qaeda—operating from its safe haven in a state—Afghanistan—carried out devastating terrorist attacks on New York and Washington.

FBI Director Christopher Wray sees “lots of parallels” between recent cyberattacks and the challenge of terrorism after 9/11. Those parallels point not only to the potential magnitude of the threat, but also to the strategy that can be employed to counter it. That strategy—focused on states—will not eliminate the threat, but will take us a substantial way toward that goal.

Unlike 9/11, the recent cyberattacks thankfully had no loss of life but were massively disruptive. In the matter of a few short weeks, two different Russia-based cyber-criminal groups breached and encrypted the data of a major US energy provider—causing widespread panic-induced gas shortages—and a worldwide meat processor – halting 1/5th of America’s meat supply—until ransom demands were made or back-up capabilities were brought online. Energy Secretary Jennifer Granholm has confirmed that U.S. adversaries – criminal or nation state – have the capability to shut down the nation’s power grid.

Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, has stated that the Biden administration’s goal is “to disrupt and deter” attacks deploying ransomware. Deterrence, a classical strategic concept, occurs in two variants—denial and punishment. Deterrence by denial would entail cyber defense mechanisms—strengthening computer networks to block unauthorized access and increase their resilience—that would frustrate an adversary’s ability to achieve its objective. Deterrence by punishment would hold states accountable for cyberattacks which either they or their proxies conduct. This variant of deterrence is the more familiar of the two from the Cold War era.

A state-based strategy employing both variants of deterrence turned the tide on the challenge of global terrorism. Deterrence by denial started with eliminating Afghanistan as a base in which Al Qaeda could mount attacks on the United States and continued with homeland security measures across U.S. society to reduce vulnerability. Deterrence by punishment was codified in UN Security Council Resolution 1373 which stipulated that any state providing a safe haven or support to a terrorist group would be subject to punitive collective action.

In the cyber realm, the Biden administration’s recent executive order is a form of deterrence by denial. But while a critical measure, this presidential measure is actually limited in scope because it can only impose regulations on the federal government and on companies doing business with the government. Federal agencies are mandated to improve cyber defenses (e.g., by migrating to cloud platforms and initiating multi-factor authentication) and tighten software supply-chain security. The executive order also establishes a cybersecurity review board to assess major incidents and make recommendations for improvement.

What government can really do to prevent ransomware attacks is to mandate that the targets report them to the authorities, track the funds paid, and block cybercriminals’ ability to cash out crypto-funds (a countermeasure with a long regulatory history in the terrorism context). Apropos blocking cybercriminals from their illicit gains, the Department of Justice’s digital extortion taskforce recently recovered $2.3 million in bitcoins that Colonial Pipeline paid to “Dark Side,” a hacking group given safe haven by Russia.

Because deterrence by denial only goes so far, it raises the thorny question of the complement—deterrence by punishment. The United States leads the world in offensive cyber capabilities but has been reticent to wield that instrument because American society is most vulnerable to a retaliatory response. The first reported instance of an offensive U.S. cyber-operation (in collaboration with Israel) was the Stuxnet malicious computer worm employed to disrupt Iran’s uranium enrichment program.

Effective deterrence relies on the ability to attribute cyber-attacks to their source. Attribution itself is not difficult for the United States. Every malign actor of any notable size has recognizable techniques, tools and procedures that they use. The U.S. government though takes time and care in making attribution for legal reasons, so that indictments can be successful. But any potential perpetrator of a cyber-attack, whether conducted by a state directly or through a proxy, would have to take into account that the attack would be backtracked and attributed.

So if deterrence by punishment is problematic because the United States is a cyber-glass house, what can be done? What options are there other than blacking out a major Russian city, which would hurt the Russian people, not the regime? The alternative to a tit-for-tat response, which is a slippery escalatory slope, is to leverage the power of the international community’s shared interest in preventing cybercrime and cyber-attacks on critical infrastructure.

If the G7 can agree on a global corporate tax rate, these powerful states, whose economies constitute over 1/3 of global GDP, should be able to make it hard globally for cybercriminals to cash out cryptocurrencies. The Western democracies of the G7 can take down the computer infrastructure cybercriminals need to carry out hacks. And as these groups rebrand once caught, we need to improve intelligence collection against them so they can never be sure if their activities are safe or monitored, and that any state linked to them will be exposed.

Beyond what the G7 can do with its own major capabilities, the Biden administration should push for an international agreement that would hold states accountable. A precedent for such an agreement in the terrorism realm was UN Security Council Resolution 1373 that was adopted after 9/11. The centerpiece of such an agreement would be a commitment by states: No more safe havens. The agreement would further stipulate that cybercriminals carrying out ransomware attacks and operating within the borders of a state would be made available for debriefing at a minimum and extradition and prosecution at a maximum. Such investigative steps need to be accomplished relatively quickly so that groups aren’t able to disperse and regroup in another format. An international agreement would also require taking down the servers being used by hackers and agreeing not to process crypto payments into hard currency without an international verification process (as is done in the conventional banking system).

While Russia, the United States and 23 other nations affirmed through the UN Group of Governmental Experts that states should not hack each other’s critical infrastructure, this affirmation does not go far enough.  A state-focused strategy of deterrence and cyber-arms control offers a pathway for addressing threats that can be mitigated but not eliminated.