During the US-Russia summit last month, President Biden delivered a message to President Putin about ransomware. After their private conversation, Biden described it this way:
I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list, if I’m not mistaken — I don’t have it in front of me — 16 specific entities; 16 defined as critical infrastructure under U.S. policy, from the energy sector to our water systems.
Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.
Asked during a Q&A how the US would measure success on ransomware, Biden said it would be “real easy.”
Well, it’s going to be real easy. They either — for example, on cybersecurity, are we going to work out where they take action against ransomware criminals on Russian territory? They didn’t do it. I don’t think they planned it, in this case. And they — are they going to act? We’ll find out.
Yesterday, the Washington Post’s editorial board said we’ve already found out the answer to that question: Russia is not going to act to stop ransomware hackers operating within its territory.
A massive attack by hacking group REvil struck up to 1,500 businesses in the United States, Europe and Asia late last week — reportedly the single largest such salvo in history, and only the latest in a series of encroachments by collectives based in or otherwise linked to Russia. Thankfully, the breach of IT software firm Kaseya appears to have caused less damage and disruption to critical industry than the recent compromises this spring of food processor JBS and oil transport network Colonial Pipeline. But that the incursion occurred at all is a troubling sign that Mr. Putin has not heeded Mr. Biden’s exhortation to stop the cybercriminals who currently operate in his country from wreaking havoc worldwide.
The editorial goes on to argue that no one operating this kind of scam in Russia is doing so without the tacit approval of the regime. If Putin wanted to eliminate this activity, he could do so. The fact that he hasn’t tells you all you need to know.
The Post has another report up today about an entire town in Maryland that has shut down because of the ransomware attack.
McKay, the town administrator for Leonardtown, Md., didn’t even have time to read the whole message before it disappeared and her computer froze.
“Everything shut down,” she said in an interview. “You couldn’t open any document, you’re completely locked from all your files.”…
“We can’t access any of our data right now, to be able to service our customers,” McKay said.
The staff had been preparing quarterly utility bills to send out to about 3,000 residents. The bills were being finalized Friday, but all of that data probably has been lost, McKay said, and the bills will be delayed.
So what’s the next step to prevent this happening again? Surprisingly, the Post isn’t being mealy-mouthed about the need to respond to this provocation. Stern letters from the State Department and new sanctions aren’t enough, the editorial board concludes. What’s needed is a counter-attack to disrupt the gangs where they are.
Mr. Putin won’t act in the absence of credible consequences for inaction, and now it’s on the White House to make clear what those consequences could be. These should include not merely the typical menu of sanctions, asset freezes or trade restrictions, and not merely attempts to incapacitate any criminal infrastructure, including cloud-based services, outside of Russia. The consequences must also include the aggressive disruption of these gangs where they are: in Russia, on its Internet, throughout the cyberspace over which it claims sovereignty — and where Mr. Putin would likely prefer U.S. authorities not prowl. The least acceptable answer is to wait longer to “find out” what everyone already knows.
For once I agree with the Post’s editorial board. Putin isn’t just allowing criminal activity to happen; he’s made a strategic choice to wink at constant, low-level economic harassment of the free world. These attacks aren’t happening against companies in Russia or China, and if they were, he’d put a stop to them quickly. Also, these attacks create an infrastructure, a kind of farm team, of Russian hackers Putin can rely on if needed, and best of all (from his perspective), our companies are paying for it. Either the US does something to make it clear we won’t tolerate this, or it will continue indefinitely.