The recent wave of high-profile cyberattacks by Russian organized crime groups has forced U.S. President Joe Biden’s administration to confront a difficult question: How should the United States respond to hacks not by hostile foreign governments but by criminal nonstate actors? Last October, Russian hackers targeted several U.S. hospital systems with ransomware, disrupting access to electronic medical records and leaving some providers to piece together medical protocols from memory in the midst of a global pandemic. Seven months later, in May 2021, hackers shut down one of the largest fuel pipelines in the United States, leading to shortages across the East Coast and forcing the operator to pay a ransom of $4.4 million to restore service.
President Biden seems to think so. During his recent summit with Russian President Vladimir Putin, he made a bold—if potentially overstated—threat by declaring that the United States has “significant cyber capability” and pledging to “respond with cyber” should Russian hackers attempt to disrupt U.S. critical infrastructure.t
REWRITING THE CYBER-PLAYBOOK
The recent spate of ransomware attacks by nonstate actors has upended the conventional wisdom about the nature of the cyberthreat to the United States. U.S. national security experts have historically focused on preparing for Armageddon-like scenarios in which foreign governments target critical infrastructure and crucial networks. Until recently, cybercrime and other malicious activities carried out by independent hackers barely registered as concerns in the highest levels of the government. As a result, the U.S. national security apparatus is not currently hardwired to defend the nation’s critical infrastructure from cyberattacks perpetrated by organized crime groups.
The usual U.S. playbook for responding to state-sponsored cyberattacks is unfortunately not very useful when applied to organized crime. Typical responses to state-sponsored cyberattacks—such as naming, shaming, and indicting or sanctioning the perpetrators—will not deter Russian organized crime groups from conducting future attacks. Robust and offensive cyber-action against potential hackers may seem like an attractive alternative, but as the cyber-campaign against ISIS revealed, it is difficult to execute.
In April 2016, as the United States intensified its military campaign against ISIS, Secretary of Defense Ash Carter ordered the U.S. Cyber Command (CYBERCOM) to destroy the communications networks ISIS used to spread propaganda, recruit new followers, and plan attacks against the U.S. homeland. As Carter’s deputy, Robert Work, memorably put it, the United States began “dropping cyberbombs” on the terrorist group.
The campaign achieved some successes. For instance, Operation Glowing Symphony, which deleted pro-ISIS propaganda and sowed technical errors throughout the organization’s computer infrastructure, was considered a great offensive achievement. But overall, the cyber-campaign against ISIS proved only marginally effective, yielding gains that were slow to materialize and quick to fade. CYBERCOM strikes would shut down ISIS propaganda pages, for instance, only for the same material to reappear elsewhere online in a matter of days or weeks.
Persistent challenges in intelligence collection, weapons development, and legal authority for cyber-operations stood in the way of effective offensive cyber-action against ISIS—and continue to stand in the way of effective cyber-action against other nonstate actors today. Most offensive cyber-operations take months—and sometimes years—to gather the requisite intelligence: the military needs long-term access to adversaries’ networks in order to know what to target. During the counter-ISIS campaign, the full force of the U.S. intelligence community was trained on ISIS. But even then, the terrorist group’s use of commercially available encryption applications and specialized wireless networks thwarted many intelligence collection efforts.
The U.S. national security apparatus is not currently hardwired to defend the country against independent cyberattacks.
The organized crime groups responsible for the recent ransomware attacks in the United States are among the most difficult targets for intelligence collection. They are made up of hackers who are extremely skilled at operating in the murky world of the Dark Web—an enshrouded recess of the Internet where users enjoy near-total anonymity. These hackers are disciplined about their operational security because they know that U.S. intelligence and law enforcement agents are looking for even the smallest cracks in their systems.
If the Biden administration decides to attempt preemptive cyberattacks against these kinds of hackers, the challenge of intelligence collection will be compounded by resistance from the intelligence community, which will not want to give up potentially valuable intelligence for the sake of cyberoffensives. This friction proved to be a major point of contention between the military and the intelligence community throughout the counter-ISIS cyber-campaign, with the CIA spuriously claiming that U.S. cyber-operations would permanently destroy extremely valuable intelligence reporting on the ISIS networks.
Just as daunting as intelligence collection is the challenge of developing cyberweapons to target specific networks—a process that also often takes months. Cyber-missions are not one-size-fits-all, and most cyberweapons must be individually crafted for the network and software of the intended target. If cyberweapons are not tailor-made for their targets or are hastily or carelessly deployed, their use could expose global cybersecurity flaws and lead to further large-scale ransomware attacks. The United States does not currently have the ability to develop cyberweapons as quickly or as carefully as it may need to—a problem that could be addressed with additional resources, but likely not fast enough.
The final obstacle to offensive cyber-operations against nonstate actors is securing a legal justification. During the planning and approval process for operations against ISIS, for instance, CYBERCOM obtained clear legal approval for cyber-missions in Afghanistan, Iraq, and Syria because the Authorization for Use of Military Force and international law on the right of self-defense overlapped, providing sufficient legal cover. But ISIS was able to move its online operations to other countries, including Russia, where the United States lacked the legal infrastructure to justify counter-ISIS cyber-operations. As a result, the terrorist group was able to continue its online activities in countries where CYBERCOM’s hands were legally tied.
Gaining legal approval for publicly disclosed offensive military operations remains complicated, particularly in the case of nonstate actors such as Russian organized crime groups. Stronger cases can be made for operations against foreign governments, in part because Congress has been more supportive of them in the wake of Russia’s interference in the 2016 U.S. presidential election. But there is a clear legal difference between hackers working for the Russian government and criminal groups simply operating from Russian territory. Biden himself has noted that there appears to be “no evidence” that the Russian government was involved in any of the recent ransomware attacks against the United States—meaning that any legal justification for cyberoffensives against Moscow would be tenuous at best.
Building on this momentum, the Biden administration should take steps to develop better, faster, and more reliable offensive options to target nonstate cybercriminals. First, the U.S. intelligence community needs to ramp up its collection of the requisite intelligence on Russian and Chinese ransomware groups by designating them as a top-tier priority. (Currently, the Office of the Director of National Intelligence’s annual threat assessment does not even include the word “ransomware.”) Second, given the evasive and shadowy nature of organized crime groups, the U.S. government must devise creative offensive tools that target cybercriminal infrastructure without impacting civilians. And third, if ransomware attacks against critical infrastructure continue, the Biden administration should establish the legal foundations for noncovert offensive actions against nonstate actors—something that will require building domestic and international support for such actions.
Until the U.S. government makes significant strides on each of these issues, policymakers will have to accept that the offensive cyber-option isn’t much of an option, after all—and that the lessons of the cyberbattle against ISIS have gone unlearned.