Ransomware was once the domain of mostly small-time hackers encrypting files in order to extort a few hundred dollars from random people. Today, it is a critical national security issue.
For years, cybercriminals have been escalating their attacks, locking up police stations, city governments, and hospitals’ computer systems. However, the ransomware attack in May on the operator of the country’s largest petroleum pipeline, which disrupted gasoline supplies across much of the country, is just one of many cyberattacks that are edging closer to becoming an act of war.
After Colonial Pipeline paid $4.4 million in bitcoin, DarkSide, a hacker-for-hire believed to be based in Russia, vanished from view. Cybercriminal organisations, on the other hand, frequently reorganise and rebrand. This summer, new artists like Haron and BlackMatter have emerged. The FBI announced recently that it was tracking over 100 active ransomware groups.
To combat ransomware attacks, the United States must shift the risk-reward balance for hackers and the countries that harbour or support them. A national deterrence strategy like this would make networks more difficult to breach, give hackers a harder time, and claw back gains from those who succeed.
Despite repeated warnings, many corporations and other private-sector organisations have not sufficiently hardened their own defences. This is partly due to the fact that they have paid far too little for their carelessness. Target experienced the largest-ever data breach in 2013, compromising the financial information of 40 million customers. In 2017, a data breach at Equifax, a credit-monitoring company, exposed the sensitive financial records of over 140 million people.
Over time, neither this company nor many others like it were punished by their shareholders or customers.
That could change if businesses are held legally liable for damage caused by lax security in addition to government fines. For example, 11,000 gas station owners have filed a class-action lawsuit seeking damages for sales lost as a result of the Colonial Pipeline shutdown.
Their allegations of negligence could be true. The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security had warned Colonial and other pipeline operators about ransomware threats months before the attack. Despite this, DarkSide was able to easily gain access to Colonial’s networks by exploiting an inactive Virtual Private Network log-in that was discovered among many stolen passwords on the dark web.
Basic internet hygiene practices such as deactivating old accounts, requiring frequent password updates and two-factor user authentication, and practising running company operations from backup data could have prevented the intrusion.
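The hygiene points above (dormant accounts, remote-access logins without a second factor) are exactly the conditions an account audit should surface before an attacker does. The following is an added example, not code from the article or from any of the organisations it names: it runs a dormant-account and VPN-without-MFA check over a small constructed directory export. The field names (`enabled`, `mfa`, `vpn`, `last_login`) and the 90-day idle threshold are assumptions chosen for illustration, not a real product's schema.

```python
from datetime import date, timedelta

# Constructed sample directory export (hypothetical field names; not real data).
ACCOUNTS = [
    {"user": "alice",       "enabled": True,  "mfa": True,  "vpn": True, "last_login": "2021-04-30"},
    {"user": "bob",         "enabled": True,  "mfa": False, "vpn": True, "last_login": "2020-11-02"},
    {"user": "contractor7", "enabled": True,  "mfa": False, "vpn": True, "last_login": None},
    {"user": "carol",       "enabled": False, "mfa": False, "vpn": True, "last_login": "2019-06-01"},
]


def audit_accounts(accounts, as_of, max_idle_days=90):
    """Return (user, finding) pairs for enabled accounts that violate basic hygiene.

    as_of: ISO date string for "today" (passed in so results are reproducible).
    Findings:
      dormant-account  - enabled but never logged in, or idle longer than max_idle_days
      vpn-without-mfa  - remote-access (VPN) login that does not require a second factor
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated; nothing to report

        last = acct["last_login"]
        # An account that has never been used is treated as dormant, not as "fresh".
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append((acct["user"], "dormant-account"))

        if acct["vpn"] and not acct["mfa"]:
            findings.append((acct["user"], "vpn-without-mfa"))
    return findings


def remediation_plan(findings):
    """Map each finding to the action an administrator would take."""
    actions = {
        "dormant-account": "disable account and revoke VPN access",
        "vpn-without-mfa": "enforce MFA before next VPN login",
    }
    return [(user, actions[kind]) for user, kind in findings]


if __name__ == "__main__":
    for user, action in remediation_plan(audit_accounts(ACCOUNTS, as_of="2021-05-07")):
        print(f"{user}: {action}")
```

Running the audit on a real export would be a scheduled job; the important design choice is that a `None` last-login counts as dormant rather than being skipped, because never-used accounts are precisely the ones whose credentials can sit unnoticed in a leaked password list.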
Even so, cyberattacks are becoming increasingly sophisticated, and hardening network defences will no longer suffice. In 2020, a hack of developer SolarWinds corrupted a routine update of its widely used IT management tool, while the Microsoft Exchange breach in March exploited four vulnerabilities in the email software before a patch could be issued.
Any deterrence strategy relies on retaliation as its cornerstone. The question is who to retaliate against and how hard to retaliate.
Because so many hackers operate outside the reach of US law enforcement, charging them with crimes rarely works. Eastern European governments, in particular, have been adamant about not allowing cybercriminals to operate within their borders. Another tool is economic sanctions, but they have yet to force Russia to deal with local ransomware groups like DarkSide and REvil. Other countries actively support such criminal activity; North Korea, for example, is well-known for employing a cybercriminal army to raise funds for its totalitarian regime.
The US could launch online counterattacks on a hacking group or its host country to raise the stakes for its adversaries. When ransomware threatens public safety or basic necessities like healthcare, food, and gasoline, retaliation measures may become more severe. This appeared to be the message Biden was trying to get across during his June meeting with Russian President Vladimir Putin, when he handed Putin a list of 16 critical infrastructure sectors he declared off-limits.
More than words are required to back up such resolve. To be credible, the US must send clear signals that it is ready to retaliate proportionately if state-sponsored hackers take down a power grid or disrupt dam operations. Such actions are considered “use of force” against another country under international law, triggering a military response.
Private companies, according to some experts, should have the right to counterattack as well. Reviving congressionally issued letters of marque, a permit given to merchant ships in the 18th century to search for pirates and take back stolen assets by force, is one of the more provocative ideas. In a modern version, corporations would be rewarded for acting as “cyber scouts” and sharing information with US agencies in exchange for immunity from fines and lawsuits. A bill introduced in Congress in 2019 that would have allowed the private sector to use hacking tools against cybercriminals in the name of “active defence” would have gone even further.
However, these policies may end up causing more harm than they prevent. In the days after a ransomware attack goes public, it’s common for it to be misattributed. Unintentionally, private parties could start an international conflict or exacerbate existing tensions. However, the fact that these ideas are being seriously considered demonstrates how recent approaches have failed.
Another way of deterring ransomware attacks is to prevent hackers from profiting from their exploits. Backups and recovery exercises should be done on a regular basis, but they are not foolproof. Although the FBI advises against paying ransoms, there is no consensus on whether an outright prohibition is necessary.
When ransoms are paid, the same blockchain technology that powers bitcoin, ethereum, and other cryptocurrencies can help track down the money. The FBI, for example, observed DarkSide transferring its Colonial ransom haul across digital accounts before moving in to seize roughly half of the ransom, or $2.3 million. Law enforcement agencies can also try to make it more difficult to use cryptocurrencies to launder money or buy illegal goods.
Only two months after the Colonial Pipeline was shut down, another group of hackers attempted to extort $50 million from Saudi Aramco, the world’s largest oil company. That reflects the problem’s pernicious nature: if left unchecked, the scourge of ransomware will extract ever-increasing costs and cause wider disruptions, endangering our economic and national security.
The US can no longer rely on a defensive, passive strategy. To deter ransomware, it will be necessary to undermine everything that makes it appealing to hackers by making it more difficult for them to profit and quickly retaliating against those who try.