Russia has been fingered as being behind recent hacks, but the US’s response has been muted
By Peter Fabricius, Daily Maverick, 25 July 2021
Why does the US not retaliate in kind to the increasing number of cyberattacks against its political, commercial and infrastructure assets – allegedly by Russia but also, lately, by China?
Is this because of concerns about a digital version of Mutually Assured Destruction (MAD), the unwritten philosophy of nuclear-weapon use during the Cold War? The theory behind that ultimate deterrent was that neither side would dare fire the first nuclear missile, because both knew the retaliation would be destructive to all. The strategy worked.
Likewise, there seems to be a fear that an all-out cyberwar between the US and Russia would inflict mutually devastating destruction because digital command and control systems are now so deeply embedded in infrastructure.
Some analysts believe the US is treading gingerly because it feels especially vulnerable to an unrestrained cyberwar: its systems have become more digitalised than Russia’s or China’s, so it has more to lose.
The attacks that the US attributes to Russia, especially, seemed originally to be more narrowly focused on disrupting the political system, notably the hacking of Democratic Party officials and leaders around the time of the 2016 presidential election.
These were apparently intended either to damage US democracy as a whole or to favour the presidential ambitions of the then Republican Party candidate, Donald Trump, on the assumption that he would be more sympathetic as president to Russian President Vladimir Putin. As he turned out to be.
But, since then, and possibly because Trump is no longer in office, cyberattacks mostly attributed to Russia have increasingly also targeted American infrastructure such as fuel supply lines, raising the alarming prospect of physical disruption rather than merely stolen data.
The attacks on the Democratic National Committee in 2016 were attributed to two Russian state hacking groups: APT 29 or Cozy Bear, which the US government links to Russia’s foreign intelligence service, the SVR, and APT 28 or Fancy Bear, linked to its military intelligence agency, the GRU. This month Cozy Bear also attacked the Republican National Committee, according to US media.
Cozy Bear has also been accused of the supply chain cyberattack involving SolarWinds, a Texas IT company whose Orion network-management software is widely used by governments and businesses. The attackers planted a backdoor in a routine Orion software update, and the hack infiltrated nine US government agencies before it was disclosed in December 2020.
A major shot across the bows, exposing US infrastructure vulnerability, came in May when another Russian-based outfit called DarkSide conducted a ransomware attack on the US company Colonial Pipeline. After the ransomware hit its corporate computer network, the company shut down the pipeline that supplies petrol, diesel and jet fuel to much of the East Coast as a precaution, even though the attack struck its business IT systems rather than the controls of the pipeline itself.
The most recent culprit fingered by US security agencies is the Russian ransomware gang REvil, which exploited a vulnerability in the VSA remote-management software of Miami-based Kaseya Ltd. Because managed service providers use VSA to administer their customers’ networks, the attack pushed ransomware down the chain to between 800 and 1,500 businesses, by Kaseya’s estimate, most of them indirect clients. REvil then demanded $70-million for a universal decryptor to unlock the victims’ files.
American intelligence agencies had earlier identified REvil, short for “Ransomware evil”, as being responsible for the attack on one of the US’s largest beef producers, JBS, which paid an $11-million ransom.
Yet the response of the administration of US President Joe Biden seems to many observers and analysts to be strangely muted.
It responded this week to the mass hacking of Microsoft Exchange email servers earlier this year, which it attributed to China’s Ministry of State Security, as though it were reacting to a human rights abuse in a distant country: with a condemnatory statement, coordinated with Nato allies and the EU, and no more.
Biden’s response to the recent Russian attacks has been more ambiguous, though. In a summit meeting with Putin on 16 June, Biden demanded that the Russian president call off his hackers.
Nothing happened. In fact, two weeks later, REvil took credit for the Kaseya hack, which affected well over a thousand businesses around the world over the 4 July holiday weekend.
That intensified demands in the US for a stronger response by Biden. William Evanina, who had been the top counterintelligence official in the Trump administration, tweeted on 7 July, after the attack on the Republican Party: “Putin can stop this in five minutes. More egregious than the Russian ‘contractor’ REvil, this is an intelligence agency of the Russian Federation. Putin recognises strength and it is time for the US to proportionally respond.”
He also told the New York Times that it was time for Biden to be “bold” in his response.
The 4 July weekend REvil attack, and perhaps the criticism at home, apparently prompted Biden’s ultimatum in a phone call to Putin a few days later to stop the hackers. Biden told White House reporters that “we expect them to act”, and when asked by a reporter later if he would take down the group’s servers if Putin did not, the president simply said, “Yes.” Biden met with agency heads to discuss what the White House called a “national security and economic security priority for the administration”.
A few days later REvil went offline, raising questions about whether Putin had responded positively to Biden’s demand. Other analysts speculated that Putin had ignored an ultimatum from Biden – and so the US Cyber Command had shut REvil down.
Cyber Command is believed by some to have proved that it can do just that. In the weeks before the 2020 election it reportedly disrupted the Trickbot botnet, a Russian-operated malware network that officials feared could be turned against voter registration or other election systems, and when DarkSide abruptly went dark in May, days after the Colonial Pipeline attack, claiming that its servers and cryptocurrency had been seized, some analysts credited the US with paralysing it.
But other experts believe DarkSide shut itself down. They also believe that REvil likewise terminated, or at least suspended, its operations to avoid getting caught in the crossfire between the US and Russia.
The move left many companies stranded: REvil’s dark-web leak and negotiation sites, where victims haggled over how much ransom they would pay to get their data unlocked, went offline along with the infrastructure for making payments and collecting decryption keys.
Many of these experts are sceptical that the vanishing of REvil has really addressed the problem.
They suspect that after DarkSide shut down, its hackers merely migrated to other operations, including REvil. And they believe that, after REvil disappeared, those technicians will have migrated again to a different brand. Some believe REvil was a reincarnation or evolution of an earlier hacking operation called GandCrab.
If all of these groups are merely fronts for Russian intelligence, as US security agencies suspect, then they are probably the same operators just moving shop whenever the heat is on. And so there are still demands for a more coherent, forceful and far-reaching strategy against alleged Russian cyberwar.
The New York Times reported last week that Biden was expected to roll out a ransomware strategy in coming weeks, making the case that the Colonial Pipeline and other recent attacks show how crippling critical infrastructure constitutes a major national security threat.
“And it’s also why we’re elevating ransomware in our engagements with Russia,” it quoted Secretary of State Antony Blinken as saying. “Our message is clear: Countries that harbour cybercriminals have a responsibility to take action. If they don’t, we will.”
“This is a problem for Biden because, in cyber, there’s a temptation to be stealthy and send your message in a very quiet, targeted way, but now, having made the threat, he has to say to the American public and the world, ‘This is what we did’,” Paul Rosenzweig, a scholar at the free market advocacy group R Street Institute and a member of the American Bar Association’s Cybersecurity Legal Task Force told the New York Times.
US-born British financier Bill Browder, Putin’s bête noire, disagrees with the cyber hawks who are advocating an all-out cyberwar in response to Russia’s attacks. Browder had major investments in Russia through his Hermitage Fund but was barred from the country in 2005 after he began probing major fraud in Russian corporations. His lawyer, Sergei Magnitsky, was imprisoned after investigating a $230-million tax fraud carried out using Hermitage subsidiaries that had been illicitly seized. He died in a Russian prison in 2009 and Browder accused Putin’s government of killing him. Browder persuaded the US Congress to pass the Magnitsky Act, imposing visa bans and asset freezes on Russian officials implicated in Magnitsky’s death and in other human rights abuses.
Browder told DM168 he did not know if the US was not reacting in kind to Russian attacks because of a fear of uncontrolled mutual destruction. “But I would speculate that the reason the US does not react in kind is the same way if terrorists are bombing civilians, America doesn’t go and bomb civilians in the country where terrorists are located.
“When it’s a war it’s military against military. We need to take a step back. What are Russia and China doing here?” he asked. “What they’re doing is that, in both cases, they can’t have a conventional confrontation, especially Russia, which has an incredibly small military budget compared to the United States and even smaller compared to Nato.
“And they can’t respond economically to any kind of confrontation. And so the only thing they can do is what’s effectively guerrilla warfare. That’s asymmetric. And this is guerrilla warfare/terrorism.
“And so it’s very hard to respond to terrorism with terrorism. For us to go and shut down Russia’s meat plants is terrorism.”
Instead, Browder said that the US should do what he and Garry Kasparov, the Russian chess grandmaster turned Putin critic, had advocated for years: go after Putin’s money.
“Since Putin’s big Achilles heel is kleptocracy, is money, and all that money is being held in the West by oligarch trustees, if we freeze all that money, that’s a way of getting him where it hurts. And he would have to think twice about executing these attacks or allowing these attacks to be executed under his protection.”
Browder said it was not necessary to use cyberattacks to shut down Putin’s bank accounts and other assets in the West, as some have advocated.
“They don’t have to do that. They could use the US court system. There’s a law in place that allows that to happen – the Magnitsky Act. The important thing is for the US to always maintain its higher moral ground and legitimacy but at the same time have the ability to hit them where it hurts, asymmetrically.”
Karen Allen, a cyber expert at the Institute for Security Studies in Pretoria, said she believed the US was exercising “strategic restraint” not only because of fears of provoking even bigger attacks on the US but also because it fears reputational damage globally if it engaged in all-out cyberwar. DM168
This story first appeared in Daily Maverick, https://www.dailymaverick.co.za/article/2021-07-25-cyber-cold-war-us-pussyfoots-around-alleged-cyberattacks-by-russia-and-china/