By Clint Watts*
(FPRI) — In 2009, while working in Washington, D.C., I remember the issue of Russian criminal syndicate hacking arising for the first time. Discussions about an appropriate measured response—one that would deter criminal hacking groups in places like Russia—quickly led to a common refrain: “America has too much to lose in cyberspace; we’re too vulnerable, and if we were to strike back, our infrastructure and our economy could be crippled by cyber attacks.” In subsequent years, Richard Clarke, former presidential advisor for counterterrorism who’d warned of al Qaeda and Bin Laden before 9/11, published his book Cyber War, which warned of the next great threat to America’s national security: a no-notice catastrophic cyber attack. Clarke accurately foretold of the coming danger on the internet battlefield. After 2011, every cybersecurity conference or event mentioned the possibility of a “cyber Pearl Harbor” or a “cyber 9/11.”
While Clarke was likely writing his book, we later found out that in 2010, “elite hackers, most likely from Russia, used at least two zero-day vulnerabilities to penetrate the computer network operated by Nasdaq Stock Market, a hack that allowed them to roam unmolested for months and plant destructive malware.” Again, I sat in a meeting of cybersecurity experts and asked: “Why don’t we fight back? Why don’t we do a counterattack?” Again, arguments claiming that we “have more to lose” and we’re “too vulnerable” arose. The same solutions posed five years before were again offered as a vision for cyber defense: improve our cybersecurity at home, harden our systems, increase user training, and improve information sharing regarding attacks and attackers between the public and private sectors. The U.S. incrementally took these steps, each year spending more and more to defend America from hackers of all types. And yet, the hacking continued and became more voluminous and sophisticated.
Soon came the next unprecedented Russian cyber attack using malware known as BlackEnergy, an attack that shut down the Ukrainian power grid in December 2015. Seemingly an act of war against a U.S. partner, the discussion of deterring Russian cyber attacks again surfaced. Hackers in Russia—some working for Russian intelligence services, some working for criminal syndicates, some criminal syndicates working for the Russian government—were bringing cyber Pearl Harbor events to American allies and partners in Russia’s backyard.
Sitting in a panel on cybersecurity in early 2016, I inquired about establishing deterrence through offensive cyber operations. D.C.’s consensus quickly set in: America was too vulnerable; Russia’s response could be apocalyptic, like turning off the internet; we must respect cyber sovereignty; too much risk. I personally found the argument over cyber sovereignty perplexing, given that Russia had so deeply violated Ukrainian sovereignty by shutting off its power in the dead of winter. Further, I had just been notified a few months prior that the FBI had visited the think tank at which I am a fellow to notify them that they’d been the target of a cyber attack. The agents would not reveal the attacker, but noted it might have something to do with articles that I had written, specifically one on Russia. My team was in the midst of tracking the rebirth of the Kremlin’s active measures which targeted the 2016 U.S. presidential election. While cybersecurity hand-wringing over cyber sovereignty ensued, Russia’s intelligence service hackers compromised the Democratic National Convention, the Democratic Congressional Campaign Committee, a presidential campaign chairman, a former Secretary of State and Chairman of the Joint Chiefs, the NATO commander, and American electoral systems. Russia was not respecting our cyber sovereignty to say the least.
In 2017, I participated in an Aspen Security Forum panel, entitled “War By Other Means,” with some government representatives. Earlier during the day, I’d heard President Donald Trump’s advisor on cybersecurity, Tom Bossert, note that the U.S. government was responsible for defending its .gov domains, but could not protect .com domains—private sector America would be largely on its own. Having been notified by the FBI before and watching the Russian trampling of American cyber sovereignty, I offered a scenario during the cybersecurity panel: If a business or an individual in the private sector is attacked by foreign intelligence service or a foreign hacker based in Russia and the U.S. government says it will not defend the private sector, can private individuals or private-sector collectives retaliate to protect their own assets? The answer was unclear, but presumably “no.” The U.S. government would conceivably view such action as a cyber crime committed by its own citizens.
America’s decade of conventional wisdom on cyberspace has led to a crisis. Not a cyber “Pearl Harbor,” but an untreated cyber “cancer” that slowly cripples American society. In just the past six months, ransomware hacking collectives (by all accounts residing in Russia) disrupted one of the Western world’s largest beef providers and shuttered the oil pipeline for most of the American Southeast, prompting panic-buys at gasoline stations along the East Coast. Russia’s intelligence service hackers, APT 29, snuck into America’s cyber supply chain, executing a massive hack into government computers and servers via SolarWinds. Why does America continue to put up with Vladimir Putin’s Russia and the Kremlin’s relentless attacks via the cyber and information space?
President Joseph Biden should use the upcoming summit with Putin to establish boundaries in U.S.-Russia relations in cyberspace. After the meeting, however, the new administration must develop cyber deterrence and shake the constraints of assumptions that no longer make sense. Yes, America’s cyberspace remains vulnerable—this has and will remain a constant. We’ve learned that despite massive cybersecurity investments, improvements in public-private partnerships, and improved law enforcement capabilities, the Russian state and criminal underground have increased the scale of their malign cyber activity and the sophistication of their attacks that violate America’s cyber sovereignty. Fears of a cyber 9/11 or Pearl Harbor—where the entire internet is cut off—have always been overblown. The Russian economy broadly feeds on the U.S. cyber-enabled economy. Taking the entire U.S. internet offline is catastrophic for everyone—including cyber criminals. The threat of such an incident is more likely not the result of a nation-state like Russia, but brilliant hacker collectives tied to a destructive ideology seeking to shut down society or technological advances. The idea that American infrastructure and economy could be further harmed by a measured cyber response is moot: Our infrastructure and economy are being repeatedly harmed by Russia-based cyber attacks.
Deterrence strategies have many facets, and while we once hoped for plans of general deterrence against all cyber attacks originating in Russia, we currently have an immediate need for deterrence specifically against ransomware. The Kremlin does not fear sanctions, and in some ways additional sanctions help Putin tighten his group on his citizens’ assets. The U.S. can develop proportionality and be specific in terms of its targeting, seeking to impose costs on Russia’s criminal underground first and, should that not slow cyber aggression, then on the Kremlin itself. The FBI’s recovery of Bitcoin from the Colonial Pipeline hackers offers a starting point, but the U.S. government could develop plans in many forms to impose costs on ransomware hackers. What if, upon notification of a ransomware strike on a U.S. industry, the U.S. government could stop all Bitcoin trading on all markets until the decryption key for the ransomware is provided? Limited offensive cyber strikes should also be on the table. If Russian cyber syndicates produce malware harming the U.S., there should be no stopping the U.S. government from destroying cyber criminal infrastructure, particularly if the Russian government will not police these actors. The U.S. could employ intermittent, limited distributed denial of service (DDoS) in areas where hacking collectives reside, or conduct open and covert campaigns online offering rewards for the identification and capture of syndicate hackers.
The U.S. cannot completely know the ultimate outcome of any offensive cyber operations to deter Russia until they are attempted. There’s not enough data to understand how this game might play out. In the meantime, the U.S. continues to be bullied by Putin, taking losses every day, and America will continue to lose until we impose costs and reduce the benefit of Russian malign cyber activity.
The views expressed in this article are those of the author alone and do not necessarily reflect the position of the Foreign Policy Research Institute, a non-partisan organization that seeks to publish well-argued, policy-oriented articles on American foreign policy and national security priorities.
*About the author: Clint Watts is a Distinguished Research Fellow at the Foreign Policy Research Institute.
Source: This article was published by FPRI