Cyber Command’s Role in Tackling Ransomware

In May 2021, news broke of a DarkSide ransomware attack on Colonial Pipeline, a major U.S. fuel pipeline that supplies roughly 45% of the East Coast’s diesel, gasoline, and jet fuel. The hackers had launched their attack in the early hours of May 7, exfiltrating roughly 100GB of data and encrypting back-office systems before issuing their ransom demands. In response to the attack, the company shut down its pipeline for several days, causing mass disruption in America.

The recent proliferation of ransomware attacks in the United States, including one that targeted critical infrastructure, as in the case of the Colonial Pipeline attack, raises issues about the role that the US Cyber Command plays in combating such malevolent behaviour. 

The essence of the problem is determining how to define a suitable mission for using military powers, capabilities, and resources against ransomware gangs, which are typically criminal organisations rather than state adversaries. 

Commentators have offered different perspectives on this issue. Although some mention the potential for military responses to ransomware only briefly, others choose to weigh in more comprehensively and warn against the potential negative impact of military involvement in cybercrime prevention on civilian-military relations. They also advise against providing the military with broad capabilities to combat cybercrime. 

Both of these viewpoints provide valuable knowledge as the United States navigates the complexity of criminal and national security behaviour in cyberspace. Despite their differences on essential concerns, both sides believe that there is a role for the military in this space.

Ransomware is most often linked with profit-driven criminal organizations—an area in which law enforcement has a clear prerogative and function. Given the potential coercive power of ransomware—an area where the military generally takes the lead—states will likely begin to leverage it to achieve strategic objectives. 

Furthermore, ransomware is increasingly falling into the hazy nexus where criminal and national security behaviour converge. This was the case with the attack on Colonial Pipeline, which was carried out by Russian criminals but had national security implications because it targeted critical infrastructure. 

At the junction of cybercrime and national security, criminal organisations with dubious links to governments use ransomware for a mix of financial gain and strategic motives, with varying levels of control and direction from the state. Hence, the function of military cyber capabilities is ambiguous at this intersection of criminality and national security.

Thus, there is a strong case to be made for using Cyber Command to disrupt ransomware operations that have substantial national security implications or are linked to larger strategic campaigns carried out by nation-state opponents but originate outside of US boundaries. That said, critical questions still remain unanswered. Outlined below are some core considerations that policymakers should take into account.

The vast majority of ransomware now impacting the United States lies outside of the Department of Defense’s purview. As a result, when formulating a strategy for using military authority and capabilities to combat ransomware under specific circumstances, the US must consider how this will be integrated and deconflicted with concurrent federal government activities, as well as the repercussions for the private sector. 

Even though Cyber Command may already be executing anti-ransomware activities, it is unclear whether the US has such an integrated approach.

For instance, one major source of concern in the private sector is the recent news that the US government is considering allowing the private sector to engage in “hacking back” in retaliation for ransomware attacks. In the absence of explicit guidance about the allowable scope and parameters of a private-sector response to ransomware, or of a clear process for deconflicting private actions with ongoing military or law enforcement operations, there is a risk that uncoordinated actions will be duplicative, counterproductive, or even dangerous. It is critical to guarantee that the responses of the various government agencies and the private sector are coordinated and directed toward a common goal.

Any strategy that includes a military role in combating ransomware must also stipulate a process for sharing information and intelligence across the federal government, state and local governments, and the private sector, as well as legal considerations for how this information and intelligence is shared appropriately across different governmental entities. It is critical for policymakers to define success explicitly, devise methods for assessing outcomes, and identify a discernible goal. There are also key considerations in terms of how a military-led counter-ransomware policy would be conducted within Cyber Command. 

First, it is unclear how such a mission would fit into the current force organisation. Second, there are a number of targeting difficulties that must be resolved. 

One question is whether anti-ransomware initiatives should target certain well-known criminal organisations. Another is the extent to which existing rules of engagement would need to be revised to address concerns such as command and control or constraints on the use of force, as well as establishing a targeting review procedure and identifying any collateral impacts from such disruptive operations. Finally, all of this raises the question of how the counter-ransomware mission would be prioritised, in terms of resources among other things, relative to other existing operations.

Furthermore, governments must carefully consider the hazards associated with using the military to combat ransomware. One concern is that by defining a role for the military in combating ransomware, the US may accidentally set a precedent that encourages opponents to justify undertaking their own military-led campaigns against the US, which is responsible for a disproportionate amount of global ransomware. Policymakers should also examine how states could react if the US military is discovered in their networks. There are also tricky domestic problems to wade through. Contact with stolen U.S. persons’ data may be unavoidable when performing counter-ransomware operations. As a result, it will be critical to guarantee that oversight and mechanisms are in place to protect this information and ensure that existing statutes and rules are followed.

Given the possibility that the military is already involved in anti-ransomware operations, politicians must meaningfully confront the complex questions surrounding how military involvement might operate in practice. These include how to integrate military efforts with other government actions, how to organise cyber forces to conduct counter-ransomware missions, and the trade-offs and challenges associated with using military authorities and resources to combat ransomware. Failing to consider them risks repeating previous policy blunders, such as those made in counterterrorism.
