Guest Post: Paul Rosenzweig on “Deterrence and Ransomware”
Worried about ransomware? You should be. In recent months we’ve seen a disturbing increase in both the severity and frequency of these assaults, to the point where they represent a serious national security threat.
Deterrence and Ransomware
by Paul Rosenzweig
The ransom for assault on America will continue unless and until someone changes the incentives that underlie the assault. Today, criminal gangs have no reason to forgo the ransomware program and President Putin has no reason to restrain their activities. Absent a strategy for changing this incentive structures nothing will change.
The benefits to Russia of the ransomware campaign
For Putin the benefits of the ransomware campaign are clear: The actions of the ransomware criminals enhance his stature on the world stage, by demonstrating his influence over international affairs. The attacks disrupt Western democracies by holding at risk their critical infrastructure and creating uncertainty about the stability of Western economies – disruptions that can only benefit Russia.
The continuing ransomware program allows Russian criminals to participate in an ongoing training program that, in effect, provides Russia with a readily available, well-trained cyber militia reserve force. This force can be called upon whenever Putin need assistance.
Finally, though perhaps more speculatively, one could suspect that Putin and his oligarch cronies may financially benefit from the ransomware program as they take a tithe or payoff from the criminals as an inducement to look the other way.
The criminals, likewise, have no incentive to change their behavior. They have found an effective business model that allows them to act with impunity, make a large profit, and then fade back into the security of anonymity and obscurity. To date, they have faced no appreciable consequences for their criminal behavior – at least none that anyone can discern. Why would they change?
Meanwhile, in the United States we suffer from a fundamental misalignment of incentives in our responses to ransomware. For businesses struck by a ransomware attack, the principal goal is to minimize business interruption and the loss of profits. This means that most enterprises under attack have every reason to pay the ransomware demands as quickly and as quietly as possible.
By contrast, the United States government faces a broader political problem. Their incentive is to reject negotiations with the criminals (much as it is with terrorists), so as not to embolden them. Good public policy is exactly the opposite of what good business instinct demands.
What then is the next step? The ransomware campaign is a significant test for President Biden’s foreign policy. He has, in effect, drawn a redline in the sand and now he must deliver. The recent retreat of REvil may be an indication of possible success. But one suspects that it is a tactical retreat and that it is too early to claim victory. How then should Biden respond to the ransomware conundrum?
Responding to the ransomware conundrum
To begin with, Biden must realize that Putin currently has absolutely no incentive to change his behavior. Public shaming has proven to be utterly ineffective in modifying his conduct. Hence, the US needs to adopt measures that approach the issue more aggressively.
Second, Biden has to understand that many of his possible responses are of relatively little practical value. For example, criminal prosecution for a crime is a fine theoretical idea but likely impractical. It is extremely unlikely that Russia will ever extradite any of the REvil criminals and thus it is unlikely that any of them will ever see the inside of an American court. So, the typical criminal justice response to what many would characterize as a crime is relatively meaningless.
Instead, President Biden needs to change Putin’s incentive structure and make his costs for supporting the ransomware criminals higher than the benefit of doing so. In seeking to do this, Biden has to hold at risk something of importance to Putin.
What to hold at risk?
Those more expert in Russian affairs than I, perhaps, can identify what it is that Putin holds most dear. For myself, I suspect that an effective pressure campaign will require the United States to deploy a wide-range of government resources.
Diplomatically, the Biden administration will need to build a coalition of allies to assist in its efforts. It is likely, though not essential, that some of the response will be economic in nature – and it is equally likely that the West will not necessarily have an easy consensus on, say for example, how the ransomware crisis should impact the pending construction of Nord Stream 2.
More fundamentally, Putin will not modify his behavior so long as his personal power is assured and his regime’s stability is maintained. Thus, a more appealing target might be something along the lines of an information/disinformation operation that enhances uncertainty about his longevity. My own personal favorite (though only an amusing possibility, not a reality) would be to find Putin’s personal Swiss bank account and hold it to ransomware.
Action against ransomware criminals
Perhaps a more promising approach would be for the United States to take action against the ransomware criminals. To be sure, some options are not on the table – we are not going to send a special operations team after them (even if we could identify and locate the individuals responsible, which itself is problematic)nor, as noted earlier, are any of them ever likely to face prosecution.
One possibility, already alluded to briefly by President Biden, is to target the ransomware criminals’ infrastructure. As he noted in one public statement, the servers that REvil uses can be subject to disruption using cyber means. That effort is problematic, however, on a number of levels. For one thing, it might involve actions taken within the jurisdiction of other nations. For another, as the Trickbot incident demonstrates, criminal cyber gangs can regenerate themselves – cyber disruption is part of the answer, but it is unlikely to be a complete solution.
The other weak point of ransomware as it is, is the funding stream. To paraphrase the Notorious B.I.G.: “no money, no problems.” Ransomware is especially enabled by the growth of anonymous crypto payment systems that allow payment to the criminals without the necessity of exposing themselves to capture (as is the case in the physical world). It is unclear if the American success in reclaiming the Colonial Pipeline bitcoin ransomware payment is repeatable and scalable. But efforts along those lines – combined with mandatory “know your customer” regulations – would put a severe crimp in the ransomware collection system.
More ambitiously, we might consider other efforts to disrupt the crypto currency system more generally – such as, for example, targeting the distributed server system or attempting to manipulate the valuation in the market. These aggressive efforts are likely to have a positive impact by draining the profit from ransomware. They are, however, controversial – cryptocurrency holders will see any program to affect the system as a threat to its storehouse of value.
Need for forward-leaning action
All that having been said, the bottom line is pretty clear: Right now, there is almost nothing that the West is doing that would successfully deter continued ransomware attacks. Given that reality, we can expect that the attacks will continue – they are profitable and successful and no criminal could ask for anything more. Only more forward-leaning action by the US government can change the deterrence calculus.
President Biden has, in effect, put himself on the clock now. The next few months will see if he can deliver.
About the author:
Paul Rosenzweig is the Founder of Red Branch Consulting and a Professorial Lecturer in Law at George Washington University School of Law. He formerly served as Deputy Assistant Secretary for Policy at the Department of Homeland Security from 2005-09.
The views expressed by guest authors do not necessarily reflect the views of the Center on Law, Ethics and National Security, or Duke University.
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!