By Ram Levi
During a briefing aboard Air Force One on Thursday while on the way from the U.S. to England, President Biden's national security advisor, Jake Sullivan, described the administration's position on ransomware attacks that was formed over the past few weeks and has developed into a concrete policy. "All ransomware attacks are crimes. They should be prosecuted to the full extent of the law and every responsible nation should take action against the criminals," he said.
The Biden administration is intensifying the war against ransomware attacks. The president defined the issue as a national priority and is planning to discuss the issue with the allies of the U.S. in NATO at the organization's summit on June 14 in Brussels.
It is a significant change in the U.S. perception of dealing with cyberattacks, both in the intensity of the response and the more rapid pace of taking steps, including imposing sanctions against countries to which cyberattacks are attributed. An example of the change being quickly promoted by the Biden administration is the operation this week in which 63.7 Bitcoin ($2.3 million) were captured from the virtual wallet belonging to the attackers of Colonial Pipeline.
The plan formulated by the White House for dealing with ransomware attacks has four stages: destruction of the infrastructure used for ransomware attacks while cooperating closely with the private sector; building an international coalition for the war against ransomware; expansion of the ability to analyze cryptocurrency exploited by attackers, including location and close tracking of suspicious financial transfers; and examination of the existing American policy on the issue of ransomware attacks and the response to them.
Over the past few months, even before plan was carried out, the Biden administration took many actions aimed at fighting the phenomenon. In April, a special task force was set up at the Justice Department to fight ransomware attacks and digital extortion. The aim of the task force is to establish an organized process for tracking ransomware attacks and to examine ties between attackers in order to disrupt their activities.
It seems that there has been an escalation following the attack on Colonial Pipeline. In May, Biden signed an Executive Order on the issue of protecting the nation's cybersecurity, especially federal networks. Last week, on June 3, the Justice Department set a new policy for dealing with cyber challenges, and announced that it was raising the priority for dealing with ransomware attacks to a level similar to that of terror.
The following day, the FBI announced that it was making the issue of ransomware attacks a top priority as well. On the same day, a Latvian woman was indicted on suspicion of participating in ransomware attacks by the Trickbot group. This week, using a court order, the FBI confiscated $2.3 million of the ransom paid by Colonial Pipeline to its attackers. It was the first operation of the special task force set up a month and a half ago at the Justice Department.
The intensification of the American action related to ransomware and cyber extortion could potentially be an effective means of dealing with the problem and stopping the growth of this kind of attacks. However, it may also make the attackers sophisticated, aggressive and less selective. It is possible that we will see a more careful process of selection of targets by the attack groups in order to avoid complications and unnecessary embarrassment. It means that ransomware attacks and extortion will be expanded to more fields and geographical locations.
However, some of the groups may increase their efforts to attack targets in the U.S., and may even sell remote access to American networks at a higher price. This may raise the level of sophistication of the attacks.
Following the success in confiscating part of the ransom paid by Colonial Pipeline to the Darkside group, more entities are expected to cooperate with law enforcement and report attacks in real time. There is also expected to be an increase in state-run offensive operations, including secret ones, that will make it difficult for hacker groups to take action. Besides the issuance of indictments, it is likely that more hackers in the field of ransomware will be arrested and put on trial.
There is also the political and strategic context. Clarification of the dispute over the issue with Russia and China may serve as a component of the U.S. relationship with them. An agreement to cooperate on this issue could be a confidence-building measure.
In the short term, it is possible that the American activism will exacerbate the threat. Some of the attack groups may avoid attacking American organizations, and instead attack other countries that are weaker in dealing with the issue. But the change in policy toward the threat of ransomware attacks is a step whose importance cannot be overstated.
The writer is founder and CEO of Konfidas