Cyberwarfare capabilities originally developed by the United States are being turned against it, threatening infrastructure and limiting the offensive options available for President Joe Biden, as retaliation runs the risk of exposing more tools within the digital U.S. arsenal.
“Technically, a lot of these tools that are being leveraged for ransomware are tools that were leaked from our own organization,” a cybersecurity official who spoke on the condition of anonymity told Newsweek.
“One of the challenges that I look at is, these tools are not tools that are generally created by other nations,” the official added. “What’s funny is other nations are using the tools that were developed by us.”
At least two major ransomware attacks have struck U.S. infrastructure since Joe Biden took office in January vowing to shore up the nation’s cyber defenses against foreign foes. He particularly singled out those tied to Russia, which he has blamed for another massive hack involving software firm SolarWinds.
Two ransomware attacks have proven to be a major headache for the new administration just a few months into its tenure. The first led to the temporary closing of the Colonial Pipeline, one of the country’s largest, which provides about 100 million gallons of gas a day to the southeastern U.S.; the second halted production at all U.S. facilities of the world’s biggest beef producer, Brazil-based JBS.
While the Justice Department said Monday that the FBI was ultimately able to recover much of the $4.5 million ransom paid in Bitcoin to DarkSide, an Eastern Europe-based hacker group that claimed responsibility for the Colonial Pipeline attack, the risks associated with retaliation limited the president’s choices of response.
According to the cybersecurity official with whom Newsweek spoke, part of the problem in mounting such an operation is that deploying such weapons exposes them, making it easier for adversaries to capture and turn them against the U.S.
“It’s that challenge where anytime a tool or capability is used, it’s pretty much considered burned,” the official said. “Because, for an offensive portion, you have to deploy processes and technologies to adversarial systems to be able to reach out and touch somebody, right? So, once they’re uncovered, they can reverse-engineer it.”
While some groups like the Russia-based Kaspersky Lab have opted to leak to the general public such programs as those belonging to the so-called “Equation Group,” which was widely suspected to have been tied to the NSA’s own global cyberespionage and warfare operations, others “can keep it close held, and just reverse-engineer it, turning it against us,” the cybersecurity official said.
J.D. Cook, a former senior CIA official, said the proliferation of ransomware using U.S. software served as a lesson to carefully guard U.S. cyber tools.
“Sometimes it gets used against you,” Cook told Newsweek. “That’s why you have to protect your stuff, and there’s a point that I think people should really make about that. It’s true. A lot of things get repurposed, whether it’s an American cyber tool, France, British, Russian, Chinese, etcetera, and that sucks, because some of these tools have gotten out. There have been security issues.”
And while it wasn’t only the U.S. experiencing this dilemma, the recent focus on major targets stateside has highlighted the vulnerability the country faces from programs it created, along with the difficulty in identifying the perpetrators behind them.
Among the more infamous organizations is Shadow Brokers, which also targeted the allegedly NSA-linked Equation Group. While it’s never been established conclusively if Russia itself was behind Shadow Brokers, Cook said the result is that “those are tool sets that were exposed.”
“You start trying to target cybercriminals in Russia, you have to be careful of the kind of infrastructure you use, the tools you use,” he said. “Because the Russians, they’re going to be trying to watch to see who’s going after the cybercriminals more so from the intelligence perspective of, ‘Hey, can we unravel some more of their kits, some more of their tools?’—and so there’s a kind of intelligence aspect if you’re going to target those groups.”
A sloppy operation, he warned, could prove a major boon for U.S. rivals.
“You have to think about what you use, think about what your signature looks like,” Cook said. “And if you just do it ham-fisted, you may be giving a gift to the Russians that may hit you in some of your other technical operations, that you may be doing as well.”
But experts agreed that something had to be done, even if it meant the U.S. essentially taking on its own tools.
“Adversarial groups have access to U.S. tools and put them into the public domain,” Shawn Henry, president and chief security officer of cybersecurity company CrowdStrike, told Newsweek. “Are they being repurposed or are they being re-engineered? The answer is yes.”
“I think that the government has a responsibility to protect its citizens. And if the government creates a tool that’s being used to exploit U.S. companies, then that needs to be remediated,” Henry, a former FBI executive assistant director, added. “If somebody stole a tank off an Army base, then the U.S. military needs to go back and get the tank.”
The Biden administration has not directly accused the Russian government of sponsoring the Colonial Pipeline or JBS ransomware attacks, the latter of which the FBI blamed on REvil, another suspected Russia-based hacking group using similar techniques to those of DarkSide. At the same time, the White House has said the Kremlin bears responsibility for not cracking down on such activity allegedly conducted on Russian soil.
White House Press Secretary Jen Psaki told reporters Monday that the issues of cybersecurity and ransomware specifically would be among the topics to come up when Biden met for the first time in his presidency with his Russian counterpart Vladimir Putin next week in Geneva.
At that same press conference, Biden’s national security adviser, Jake Sullivan, accused Russia of “harboring or permitting cybercriminals to operate from their territory,” and said he considered the issue of ransomware to be “a national security priority, particularly as it relates to ransomware attacks on critical infrastructure in the United States.”
Putin and his administration have rejected any responsibility for the attacks. Instead, they have stressed the need for stronger cybersecurity cooperation between the two nations.
Reached for comment on whether Moscow might act on Washington’s call to crack down on alleged cyber attacks emanating from the country, the Russian embassy in Washington referred Newsweek to a statement issued by Putin in September in which he appealed to the U.S. “to agree on a comprehensive program of practical measures to reboot our relations in the field of security in the use of information and communication technologies (ICTs).”
The four-point plan proposed restoring a regular, full-scale bilateral interagency high-level dialogue on international information security (IIS); fostering bilateral communication between the two countries’ Nuclear Risk Reduction Centers, Computer Emergency Readiness Teams and high-level national security officials in charge of information security matters; signing a bilateral intergovernmental agreement on preventing incidents in the information space, along the lines of the one reached nearly five decades ago for the high seas; and a mutual pledge of non-intervention in one another’s internal affairs, “including into electoral processes, inter alia, by means of the ICTs and high-tech methods,” as Putin relayed at the time.
“We call on the US to greenlight the Russian-American professional expert dialogue on IIS without making it a hostage to our political disagreements,” Putin said.
Such measures, he argued, “are aimed at building up trust between our States, promoting security and prosperity of our people,” and “will significantly contribute to ensuring global peace in the information space.”
The Russian leader also suggested reaching a “global agreement on a political commitment of States on no-first-strike with the use of ICTs against each other.”
On Tuesday, Russian Foreign Ministry International Information Security Department Director Andrey Krutskikh reiterated this appeal in an interview with the International Affairs magazine, in which he conveyed growing calls to develop “transparent and understandable ‘rules of the game’ in the digital space.”
The absence of such treaties on the cyber front leaves the world dangerously exposed to a slippery slope toward an unbridled series of escalations—and miscalculations—especially as the U.S. considers its next moves.
For this reason, Henry echoed the need for international talks—something for which he’s been advocating for years.
“We need to find what the red lines are, this continues to escalate, and we can’t allow it to escalate,” he said. “It’s the exact reason we had nuclear arms talks, because we realized things couldn’t continue to escalate, they couldn’t spiral out of control.”
It’s been decades since the U.S. and Russia began to invest in their cyberespionage and warfare capabilities, but the digital battlefield remains a murky one when compared to the use of more traditional weapons of mass destruction. With activity in the domain growing and threat actors multiplying, there are still no clear rules of engagement.
Resilience CEO Vishaal Hariprasad said the debate on the use of nuclear weapons was relatively “easy” as compared to the current challenge to define the boundaries of cyberwarfare.
“You could understand the red lines in your warfare, and it was easy to have deterrence theory against that,” Hariprasad, who previously conducted cyber operations in the U.S. Air Force, told Newsweek. “With cyber, there is no red line and it’s amorphous at best, so you can’t even have deterrence without the red line versus establishing the red line.”
He does, however, see signs of progress. Hariprasad praised the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency for its engagement with the private sector in order to shore up the shield against such attacks, which CISA Executive Assistant Director of Cybersecurity Eric Goldstein said “must serve as a wake-up call for every American.”
“The threat of ransomware continues to be severe and can impact any organization across all sectors of the economy,” Goldstein said in a statement sent to Newsweek. “Organizations should urgently review our available resources and implement best practices to protect their networks from these types of threats. Regardless of the ransomware actor or strain, good cyber hygiene is highly effective in reducing the impacts of an intrusion.”
Even with cultural improvements, though, Hariprasad sees a need “to make it more expensive for the bad guys to operate.” This has begun to take form with the relatively recent emergence of concepts such as “defend forward” and “persistent engagement,” two proactive strategies adopted by the U.S. Cyber Command in order to detect and degrade hostile capabilities.
“U.S. Cyber Command’s role in the Defend Forward strategy is the employment of the persistent engagement methodology. We enable and act,” a U.S. Cyber Command spokesperson told Newsweek. “Persistent engagement guides our operations, allows us to lean forward, enables partners with unique insights, and when authorized we act against adversaries in cyberspace.”
“We view every mission as an opportunity to contest our adversaries in cyberspace,” the spokesperson added. “With that focus on ‘persistent,’ we acknowledge that with a single action, we do not degrade our adversaries’ cyber tools and tactics.”
But assessing how far to go when acting—preemptively or in retaliation—remains a key component of establishing a solid deterrence.
Identifying and pursuing the right level of response comes down to “proportionality,” Raj Shah, chairman of cybersecurity insurance firm Resilience, told Newsweek. “What is proportionality in the cyber domain? I think we’re still figuring that out as a nation.”
So too, it appears, is Biden himself, who has sought a “stable, predictable relationship” with Russia but has so far experienced anything but. To make sense of things, Shah produced four points of his own.
“One, this should be taken very seriously, it will affect the American way of life and free nations around the world; Two, the private sector is not going to be able to do it by itself, certainly not just security people, it will take government support; Three, we do have to understand the economic side of this, and how do you put cost down; [and Four], we have to find the right tools of protection, of security, the right financial protections of risk transfer insurance, we need to find the right level of law enforcement to prosecute, and then the right amount of information-sharing from our intelligence agencies to help companies be aware of what’s coming down,” Shah said.
He added that “each case will have a slightly different mix of those four,” but emphasized that the current approach was clearly not working. “The status quo of our pipelines going down every week is not tenable.”
“If we just do what we’re doing,” Shah said, “the ransomware epidemic is going to just get worse and worse.”