When the United States launched Cyber Command twelve years ago, the word ‘ransomware’ was not in widespread use. Nor did countering the threat from computer-based racketeering feature in the lengthy deliberations leading up to the formation in the UK of the National Cyber Force, announced in November last year.
But in the course of a few short late spring weeks in 2021, ransomware has gone from a minority obsession of parts of the information security committee to a significant paragraph in a G7 communique and the headline item in the first summit between Presidents Biden and Putin. The US has categorised ransomware as a national security threat, thanks to the disruption of oil and meat supplies owing to attacks on Colonial Pipeline and the food producer JBS. Lest Europeans think this is solely an American problem, the wholesale (and horrific) disruption of Irish healthcare, repeated attacks on British educational institutions, and a range of incidents in France and Germany reminded us otherwise.
The ransomware model
Ransomware has exploded into a global problem because three different factors combine to favour the criminal against the defender, and criminals have begun to realise this. First, the Russian state (and some others, mostly bordering Russia) provide a safe haven from which the gangs can operate. Second, endemic weaknesses in Western cyber security are too easily exploited. Third, the business model works spectacularly well for the criminals: victims too often pay in desperation and cryptocurrencies provide an easy way to launder the loot. The British firm Elliptic has calculated that Darkside, the group responsible for the Colonial Pipelines hack, generated at least $90 million of revenue in just nine months. Moreover, the limitations on law enforcement activity cannot be overstated. Policing and intelligence capabilities against cyber criminals are good and improving, but unless a foolish cyber criminal takes a holiday to the West, he or she is out of reach.
Disrupting this racket means breaking at least part of this vicious, pro-criminal circle. But it is proving hard. Joe Biden has become the first Western leader to pressurise the Russians on the safe haven problem, and early signs are that Moscow is at least pretending to take it seriously. But progress here cannot be guaranteed (for example, there is little prospect of Russia overturning its constitutional prohibitions on extraditing Russian). Getting consensus on tackling the flow of money – either through banning the payment of ransoms or regulating cryptocurrencies more effectively – has proved fiendishly hard. And improving defences remains a long, hard slog. Some or all of these efforts may yield fruit over time, but for now, serious problems remain even in terms of containing the threat, never mind reducing it.
A role for offensive cyber?
Does this mean there is a role for offensive cyber? This much misunderstood set of nascent capabilities has, to date, struggled to prove its utility as a tool for protecting our cybersecurity. Indeed, despite the rhetoric, offensive cyber has mostly been pointed in other directions. The UK’s flagship, publicly disclosed offensive cyber operation targeted so-called Islamic State, degrading the group’s propaganda and operational capabilities ahead of the Mosul offensive in 2016. Other intended targets have included serious online child sex offenders, according to the Government.
What has been conspicuously absent is a contribution that protects UK cyberspace itself. Indeed, offensive cyber has proved singularly ineffective in contesting the threat from hostile nation-state capabilities. As I argued in a lecture at King’s College, London, last November, this is for various reasons. Disabling Russian or Chinese state-backed offensive cyber operational capabilities is much, much harder than disrupting the computer networks of an international terrorist group, a paedophile ring, or the Russian troll farm known as the Internet Research Agency, which Cyber Command is believed to have hit in 2018. It is likely to be as difficult as hitting the covert infrastructure of US Cyber Command.
Moreover, ‘hacking back’ will not ‘deter’ cyber espionage, which is generally accepted under international norms. And on the relatively rare occasions when those norms are crossed, the sorts of capabilities offensive cyber affords are generally not appropriate ones for pushback. We are not going to disrupt the lives of innocent citizens in Vladivostok because Russia has disrupted the opening ceremony of the Winter Olympics or leaked the medical details of athletes after hacking the World Anti-Doping Agency. And all the while, suspicion abounds that by stockpiling cyber weapons for offensive use, the West is not serious about the security of cyberspace.
The ransomware problem offers those developing offensive cyber capabilities an opportunity to show that such tools can make a useful contribution to a safer cyberspace. With few if any other interventions working, and with normal law enforcement mechanisms effectively nullified, disrupting the networks of the criminals, and the digital infrastructure they use, via offensive operations, could at least be of some significant tactical benefit in containing the problem.
Over the years, the FBI have led a number of operations to this effect. The Europol-led takedown of the so-called Emotet botnet, one of the most malignant pieces of digital infrastructure ever seen, in March of this year, provided further evidence of the utility of this type of operation. And technically, the sort of disruption involved lends itself to surgical interventions that reduce the risk of collateral disruption and other unintended consequences that worry sceptics of offensive cyber.
After what the American cybersecurity expert Alex Stamos has called “the craziest eight months in the history of infosec”, there is now a welcome realisation at the political level that securing our interests in cyberspace is a complex and nuanced problem that isn’t solved by belligerent rhetoric about ‘hitting back’ in an invisible digital contest with other states. If Governments are serious about demonstrating that their increasing focus on offensive capabilities will help our cyber security, disrupting ransomware operations would be the right place to focus.
Ciaran Martin is Professor of Practice at the Blavatnik School of Government, University of Oxford. From 2014 to 2020 he set up and then led the UK’s National Cyber Security Centre, part of GCHQ.