Over the past month, the Biden Administration has achieved some needed momentum in the fight against ransomware. As attention to ransomware grows, however, policymakers must avoid the temptation to overmilitarize the U.S. response. Investment in anti-ransomware operations at the Department of Defense’s Cyber Command should be balanced with investment that develops the capabilities of other federal law enforcement agencies, which have already carried out vital anti-ransomware activities.
U.S. law enforcement agencies—in collaboration with European partners—were at the forefront of recent operations to expose and apprehend hackers and their facilitators, infiltrate and disrupt their networks, and seize some of their pilfered gains. These efforts were accompanied by sanctions targeting the illicit digital currency exchanges used for ransom payments, bounties on ransomware affiliates, and a diplomatic press for an international coalition to “meaningfully reduce safe havens” for offenders. Not long thereafter, citing “pressure” from unspecified authorities, the ransomware outfit BlackMatter—which U.S. law enforcement agencies had announced as a high-priority target—called it quits (at least for now). Russia’s recent detention of a fugitive credit card scammer even offered the faintest glimmer of hope that talks with Moscow on cybercrime might somehow bear fruit.
These are small, reversible gains, to be sure, and ransomware is likely to be an enduring threat. But they may still have a durable effect. Law enforcement has long relied upon such methods to counter organized crime: limiting freedom of movement, association, anonymity, trust, and access to finances until the risks of the illicit activity start to outweigh the potential rewards. The same focus on cross-jurisdictional investigation, infiltration, and disruption that ultimately broke Cosa Nostra in the U.S. could, if properly resourced, be applied to weaken both the networks and incentives that foster cybercrime internationally. While resource- and time-intensive, such choreography among the interagency and international partners has set a standard to be repeated and enhanced.
Ransomware is not a new phenomenon, and the Colonial Pipeline hack, in which a ransomware attack resulted in the shutdown of a crucial U.S. oil pipeline system, made clear that U.S. critical infrastructure could be at risk. That prospect can make a military response—or at least military involvement—seem sensible. However, using the scourge of ransomware as a pretext to centralize the military’s role in U.S. cybersecurity is a misguided reflex. We should instead consider that the ransomware threat has become so acute, at least in part, due to a relative overinvestment in military cyber capacities—at the expense of those for civil defense, law enforcement, and diplomacy. If the DOD’s Cyber Command is made the operational, budgetary, and political centerpiece of a counter-ransomware strategy, we risk doubling down on the sclerotic pace of U.S. investment in other areas, including those most at risk from cybercrime.
In cybersecurity policy more generally, the issue is less that the national security consensus might benefit one parochial departmental interest over another, or that a militarized response might be a conscious policy choice. In this regard, the determination has largely been made by default—militarization is already a fact—and now requires a concerted effort to rectify. Columbia University’s Jason Healey documents the striking disparity between policy rhetoric and budgetary reality on bolstering U.S. cyber capacity: “We cannot ignore what the money is telling us…the budget clearly shows that the Defense Department is the government’s main priority.”
Most concerning is the fact that DOD’s cyber operations budget is higher than those for the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the DOJ’s National Security Division put together. That issue is compounded by congressional gridlock that essentially renders the National Defense Authorization Act—the Pentagon’s annual funding bill—the sole budgetary vehicle to service every other agency’s cyber priorities.
Some of this overemphasis can be attributed to an entrenched narrative that amalgamates every kind of cyber-enabled illicit behavior—including the routine and ubiquitous digital espionage conducted by nation-states—into one relentless “cyber attack.” This drumbeat, repeated to both the public and policymakers by the media and the cyber threat-industrial complex, mischaracterizes the threat of cyberattacks as a nail for which the Pentagon is the only hammer. It also plays right into the notion of a militarized “information war” into which the United States’ most formidable cyber adversaries, including Russia and China, hope to draw it.
Left unchecked, the fetishization of offensive cyber power risks becoming a self-reinforcing fixture of U.S. cybersecurity policy and international deliberation on norms. If the gauntlet is thrown down for military cyber units to conduct offensive operations against non-state entities abroad—particularly in retaliation for damages that are primarily financial and criminal in scope—the issue becomes as much about which behaviors the United States is endorsing as those it seeks to curb.
The hazards are not all external to Cyber Command, which has primary remit over safeguarding U.S. military networks and warfighting in cyberspace to defend against foreign adversary operations—from electronic eavesdropping to destructive attacks. To militarize the ransomware problem is to flirt with strategic distraction—self-imposed, or worse, by design of these adversaries. While most of Cyber Command’s operations are, for good reason, not publicized, those that are risk sending a concerning signal to Moscow: that the focus of the United States’ limited military cyber resources can be occupied by online trolls and cybercriminals. Without downplaying the seriousness of those threats, which are often deployed in coordination with state actors, it is still crucial to get an accounting of where they rank on Cyber Command’s priority and resourcing spectrum relative to more critical activity by more sophisticated nation-state actors. It is also crucial to understand where other instruments, like multilateral law enforcement actions, might simply be more effective. Dr. Erica Lonergan and Lauren Zabierek of the Carnegie Endowment and Harvard’s Belfer Center, respectively, examined these questions earlier this year, noting that “the Cyber Mission Force is already operating with resources and capabilities that are mismatched to the scale of the threat and the scope of its mission set.”
Equally important to understand, as Healey recommends, is what rules of the road exist to bound such operations and ensure they are complementary to a broader ransomware strategy—ideally as overseen by new National Cyber Director Chris Inglis. From a “psychology of the aggressor” perspective—which Inglis recently argued should guide the U.S. response—those who should be made to fear the specter of Cyber Command frequent the hallways of the Kremlin, not the messaging boards of the dark web. Lonergan and Zabierek astutely inquire, “Should policymakers expect that deterrence mechanisms that (sometimes) work for nation-state adversaries will also be successful when applied to proxy groups engaged in criminal activity?” Judging by the events of the past month—and recent commentary from Cyber Command General Paul Nakasone—likely not.
As the American public—and an increasingly loud chorus in DC—calls for a rethink of our militarized foreign policy, there is ample reason to extend this scrutiny to the role of the military in our ransomware policy, as well. If the strategically dubious Global War on Terror and its heavy reliance on counterinsurgency demonstrated nothing else in the aftermath of the Afghanistan debacle, it is this: statecraft must be the substrate to military operations—not vice versa. If the Biden Administration and Capitol Hill are as serious as they claim to be about ransomware, the question is less how many more arrows Cyber Command needs in its quiver and more why CISA, FBI, DOJ, Treasury, and State are consistently left with so few by comparison.