Prior to the late ’90s, terrorist groups were most often viewed through the lens of law enforcement and crime, not as a national security priority. Their pursuit was led by the FBI and international police efforts, with input from dedicated units sprinkled around the intelligence community.
The Sept. 11 attacks changed everything. Terrorism was elevated to a significant national security threat, and this new status brought with it an unprecedented package of measures: new strategies, tactics, resources, technologies and legislation.
Today, we are seeing a similar shift in the way the government is treating cybercrime. The Department of Justice has declared that ransomware will now be treated with the same level of vigilance as terrorism. FBI Director Christopher Wray recently compared the current cyber-threat landscape to the challenge posed by the 9/11 aftermath, and several officials have followed suit in their declarations.
During his confirmation hearing for the new position of National Cyber Director, Chris Inglis — arguably the most senior individual for combatting state and non-state cyber actors — said the U.S. government must “seize back the initiative that has too long been ceded to criminals and rogue nations … and bring to bear consequences on those who hold us at risk.”
This novel sense of urgency extends across all national security power centers, particularly the intelligence community. In turn, it will change the risk calculations made by cybercriminals, as well as their ability to operate freely.
As for the strategic approach, the counterterrorism playbook fits well: Go after the money, infiltrate and influence communications and finally put pressure on any and all safe havens, both online and geographic.
It is hoped that ransomware gangs will be disrupted in three key ways:
- They will start to lose confidence in their payment mechanisms and/or will require more steps and administration, which will divert attention from conducting their operations.
- They will start to distrust their networks or believe they have been infiltrated, and subsequently spend more time vetting contacts and swapping out communications rather than conducting operations.
- They will regularly have to change physical locations or rebuild confiscated infrastructure, making it harder to conduct operations.
However, the full force of the Department of Justice is not enough to dismantle cybercrime. The intelligence collection and analysis required for these investigations cannot be turned on in an instant and will come at a cost — intelligence officers, experts and technical resources are already spread too thin. Determining where non-state cyber actors now rank within the “highest priorities” of government will be a major challenge for the Biden administration.
Instead, it will take a broader effort to stop ransomware and its future iterations. A campaign of pursuit must be coupled with an even greater defensive effort by public and private sectors to rob ransomware actors of the operational wins that fund their activity. Director Wray recently made this point when he stressed there is “a shared responsibility” to combat cybercrime. While offensive actions and intelligence operations can put pressure on ransomware groups, advantage in this battle is truly won on defense.
Perimeter breaches are inevitable. The organizations that are tackling ransomware well are those that recognize they will be infiltrated and instead focus their efforts on understanding behavior in their own systems. The difference between becoming a ransomware victim and disrupting an attack is the capability to immediately detect and respond to malicious actions internal to the corporate environment. Artificial intelligence-driven security technology has shown itself to be effective in this regard, by interrupting threats in a targeted way and avoiding costly system shutdowns.
It is encouraging to see the U.S. administration elevate cybercrime to a national security priority, but they cannot tackle it alone. As the intelligence community starves these gangs of resources, better defenses will make it more difficult to extort payments in the first place. We need all parties to step up their collective defense, stopping these groups from inflicting meaningful damage — even when they manage to break in.