By Pieter-Jan Dockx*
When President Biden took office in January 2021, the US was in the midst of one of the largest government breaches in its history. The Russian cyberespionage campaign, known as the SolarWinds hack, was expected to dominate the new president’s cyber policy. One year later, attention has shifted away from espionage to ransomware.
In the past year, ransomware attacks, in which hackers lock up victims’ data until ransom is paid, have skyrocketed and also started targeting critical infrastructure. In May, an attack against the operator of the US’ largest petroleum pipeline led to shortages and panic buying. Two months later, attackers compromised software provider Kaseya, holding over a thousand of its clients ransom, making it one of the world’s largest-ever ransomware incidents.
To tackle the issue, the Biden administration is working on improving the country’s cyber defences while going after perpetrators. Rather than approaching the topic through the prevailing cybercrime lens, the president has reframed ransomware as a top national and global security concern.
Traditionally, ransomware has been viewed as a criminal matter, with limited government involvement. Profit-seeking ransomware gangs would target businesses that would then pay ransom or consult a private cybersecurity firm for resolution. Now, under Biden, the issue is increasingly seen as a threat to the nation. This is due to attacks on critical infrastructure, as well as ransomware’s drain on the economy.
Framing the issue as a national security priority has paved the way for an active government role. Accordingly, the White House has taken several measures to strengthen the country’s cybersecurity defences. New cyber positions have been created within the administration, such as the National Cyber Directorate that is tasked with advising the president. Mandatory cybersecurity standards have also been imposed on the pipeline industry to prevent another shutdown. With 85 per cent of the country’s critical infrastructure owned by private companies, Washington has also advocated increased government-industry collaboration.
Ransomware is also being increasingly perceived as a terrorist activity requiring similar countermeasures. In June, the FBI director compared the current ransomware challenge to the threat of global terrorism in the wake of the 9/11 attacks. The US Department of Justice has also started prioritising ransomware investigation in the same way it does terrorism. It has, for example, initiated a bounty programme offering rewards for information on hackers, a modus operandi originally invented to combat terrorism.
Sanctions, another established counterterrorism tool, are also being deployed in the fight against ransomware. To disrupt the hacker financial model, the US has sanctioned cryptocurrency exchanges that facilitate ransom payments. Washington has also brought criminal charges against members of ransomware groups accused of targeting the country. In November, it indicted a Russian and a Ukrainian involved in the Kaseya attack, with the latter awaiting extradition after being taken into custody in Poland.
The US has also carried out ‘forward cyber actions’ against ransomware operators—the digital equivalent of precision airstrikes used against terrorists. In October, the US Cyber Command, together with the FBI and other partners, conducted an offensive operation against REvil, the group behind the Kaseya attack. Unlike the FBI, USCYBERCOM is a military institution whose involvement in the mission also reveals an increasingly militarised approach to ransomware.
Ransomware has also become a matter of international security, featuring prominently on Biden’s foreign policy agenda. The majority of attacks against American organisations originate from Russia, for whom these attacks serve a strategic purpose. The Kremlin provides safe haven for ransomware gangs as long as they target adversaries and avoid Russian systems. This way, the malware becomes part of its hybrid warfare strategy to destabilise opponents, with blame falling on the extortionists rather than the Kremlin.
As a result, Biden has stepped up diplomatic engagement with Russian President Putin, demanding a crackdown on attacks. During their first in-person meeting in June, the US president designated 16 critical infrastructure sectors off-limits to attacks and threatened cyber retaliation if they were targeted. This red line was meant as a warning not only to the Kremlin, but also to other adversaries contemplating similar actions. The summit was also the first time cybersecurity topped the agenda, ahead of issues like nuclear weapons, highlighting its significance.
The White House is also working with allies to address the problem. In October, it organised the Counter Ransomware Initiative inviting 30 countries—excluding Russia—to devise a common strategy. Earlier, Biden had raised the ransomware threat at the G7 summit, resulting in a joint statement that mirrored the US’ position on critical infrastructure and Russia.
Whether the current policy will prove sufficient to stem the tide of ransomware attacks remains to be seen. What is clear is that unlike former President Trump, the current US administration has made ransomware a policy priority. Whereas Trump rolled back past cybersecurity policy, Biden has turned the malware into a matter of national security. This way, the White House is also increasingly matching the Kremlin’s strategic approach to ransomware.
*Pieter-Jan Dockx, Researcher, Centre for Internal and Regional Security (IReS)