EMERGING TECHNOLOGY HORIZONS CYBERSECURITY
Ransomware - The Pirate’s Perspective
When President Thomas Jefferson went to war with the Barbary States in 1801, he redefined U.S. national security to encompass the economic security and prosperity of private U.S. citizens.
Despite the occasional resurgence of conventional pirating, the pirates of today do not sail the high seas. Rather, they sit behind keyboards, conduct cyberattacks and hold stolen information for ransom.
As defined by international law, piracy takes place outside of any state’s jurisdiction, is conducted without any state’s authority and is not driven by political motives. Ransomware mirrors this definition.
Recent events like the Colonial Pipeline hack that caused gas shortages along the eastern seaboard of the United States and the attack on the world’s largest meat processor that threatened U.S. beef and poultry supplies prove ransomware attacks are hitting closer to home.
Much like the Barbary pirates, cybercriminals employing ransomware have found safe havens in countries that are either unwilling or unable to curtail their actions. Once again, the United States must redefine national security, demarcate where ransomware fits within the broader national defense strategy and provide the Defense Department with a clear understanding of its role.
Ransomware is an ever-evolving form of malware designed to encrypt files on a device and render any files, and the systems that rely on them, inaccessible to the owner. Malicious actors then demand a ransom in exchange for decryption. Ransomware is a criminal enterprise, conducted primarily by non-state actors targeting governments and private businesses, but with murky connections between state actors and ransomware gangs.
Despite the threat that ransomware poses to commerce and national security, the Pentagon has not previously had a clear role to play in response due to ransomware’s criminal nature. Consequently, the FBI and Department of Justice take the lead in investigating incidents, identifying perpetrators and prosecuting them in U.S. courts.
However, the inclusion of cyber as a defense modernization priority marks a clear opportunity for the Pentagon to act and for industry — including NDIA’s Emerging Technologies Institute — to make recommendations to shape its approach.
To date, court indictments, public shaming, diplomacy and sanctions have failed to deter ransomware attacks on major U.S. businesses and infrastructure, leading President Joe Biden to directly raise the issue with Russian President Vladimir Putin in Geneva in June. Biden attempted to define reasonable action in cyberspace, outlined which areas of U.S. infrastructure were off-limits to attacks, and stated his expectations of Russian government responses to attacks originating from Russia.
However, ransomware gangs continue to target the United States, necessitating a shift in how the government understands ransomware — not just as a criminal threat, but as a national security challenge necessitating Defense Department involvement. To this end, a mix of long- and short-term policies are recommended.
Like the pirates of the 19th century, ransomware gangs operate from states that either cannot or will not limit their activities. The Pentagon’s 2018 Cyber Defense Strategy adopted “defend forward” as its guiding principle in cyberspace. The Defense Department would “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
This doctrine should be expanded, and U.S. Cyber Command should work to disrupt major ransomware gangs before they target U.S. companies.
During the 2018 U.S. midterm elections, the Pentagon targeted the servers of the Internet Research Agency, an infamous Russian bot farm, and took it offline for the days surrounding the election. In 2020, Microsoft and the Defense Department both took uncoordinated actions to eliminate a bot network that could have launched ransomware attacks against state voting systems.
These two instances demonstrate that the U.S. military has the capacity to target and temporarily disable cyber threat actors operating abroad.
They should do it again and target the major ransomware gangs wreaking havoc today, providing the breathing space needed to implement long-term deterrence policies.
The Office of the National Cyber Director was formally established in the fiscal year 2021 National Defense Authorization Act to coordinate a whole-of-government strategy for cyberspace, but its responsibilities need to be clarified to prevent interagency turf wars. As the Defense Department adjusts its “defend forward” doctrine to include major criminal gangs, it will be increasingly important that the Pentagon does not become the de facto leader in everything cyber-related.
The department should support a strong national cyber director who takes a broad understanding of their authorities as outlined in the 2021 NDAA. A strong director will have the capability to lead a whole-of-government response to ransomware, incorporating both law enforcement and the intelligence community alongside the Defense Department. This will ensure a balanced government response that does not rely solely on the Pentagon’s offensive capabilities.
Ransomware, reminiscent of the pirates of the 19th century, represents a rapidly growing threat that challenges national security. At scale, such attacks can cripple U.S. infrastructure and supply chains, but they also facilitate other espionage attacks by diverting the focus of security professionals, creating new blind spots and vulnerabilities. If the Biden administration does not develop a comprehensive and proactive strategy, the ransomware threat will continue to metastasize.
Sean Dack is a graduate student at the Johns Hopkins School of Advanced International Studies and a former ETI research intern.