Published by The Lawfare Institute
in Cooperation With
With the Treasury Department’s announcement of sanctions against the cryptocurrency exchange SUEX and the 30-nation summit led by the White House, the past few weeks have served as a reminder that in a particularly busy year for cybersecurity, important policy opportunities reside in work with international organizations and allies and partners.
The particular issue that has captivated such sustained attention is the harm caused by ransomware, which has reached critical levels both domestically and abroad. Broadly speaking, leaders are facing three interwoven challenges when dealing with ransomware. The first is the need to strengthen the resilience of digital infrastructure writ large. Basic business cyber hygiene can go a long way to addressing cyber vulnerabilities. For example, if hospitals, schools, police forces and municipal water authorities all implemented multi-factor authentication, ransomware would be far less of a problem. The second is disrupting criminals, for example, through arrests or inhibiting the financial flows that enable their operations. The third challenge is denying criminals a physical location from which they can conduct their operations, generally by empowering and pressuring governments to crack down on cybercrime emanating from within their borders. We point readers interested in building resilience to a robust body of analysis and work on the topic (including from the Cyberspace Solarium Commission, where the authors work). This post will focus on the second and third of these challenges, the success of which hinges on deliberate international engagement.
Today’s cybercrime, emanating largely from Russia, North Korea and China, has become “an escalating global security threat with serious economic and security consequences.” Solutions, too, must be global in nature, and they must go after not just the criminal networks themselves but also the safe havens from which they operate, which will certainly require international effort. We argue here that the Biden administration must further tailor its multilateral approach to work on two complementary but distinct tracks: working through established multilateral institutions, and developing the capacity to rapidly form flexible and agile coalitions of allies and partners to impose a cost on safe havens for illicit cyber activity. Articulating these two lines of effort helps to highlight possible improvements to the U.S. approach to combating ransomware.
Targeting the Crime Through Established Institutions
Cybersecurity is a team sport. Even though that saying borders on banality, it holds up. This is especially true in the multilateral fora, such as the United Nations, NATO, the EU and the G-7, which serve an integral role in building and sustaining a rules-based order in cyberspace. These bodies have created internationally agreed-upon norms of behavior for cyberspace, an enduring instrument for coordinating international law enforcement to combat cybercrime, and opportunities for dialogue on key issues. Working through such establishments is likely to yield the best results when focusing on building the kinds of international norms that are required to make a global system tick. It is because of this engagement that the international community has made clear that “States should not knowingly allow their territory to be used for internationally wrongful acts using [information and communication technologies].” To disrupt the criminal networks in cyberspace, policy leaders need to leverage broad support on the international stage, which is possible only when these widely accepted foundations are in place.
However, the structure and deliberation that make these bodies invaluable for building a widely accepted system are precisely what hampers their effectiveness in dealing quickly with politically charged issues such as coercion of safe havens. Consensus is hard to come by when a small number of states can bring the body’s work to a halt. In one-state, one-vote bodies, even a majority of votes can be beyond reach when success requires extensive outreach to swing states. As a result, and quite naturally, these bodies are a forum for codifying the most broadly shared opinions—what could be called the lowest common denominator—on the rules of the road for cyberspace. This is further complicated by the lack of trust in cyberspace, coupled with the lack of tools to verify compliance. For the U.S. and its allies, this makes the “trust but verify” axiom normally applied to agreements with authoritarian regimes difficult to implement. Finally, large multinational organizations are not the right tool for formulating an agile response to acute cybercrime incidents. For that, the United States needs a different kind of international outreach.
A Coalition Approach to Pressure Safe Havens
For the United States to act with flexibility and agility to disrupt cybercrime safe havens, it must rely on coalitions of like-minded allies and partners to construct a durable, proactive multilateral effort. This should not come at the expense of vigorous participation in the previously mentioned establishments; instead, the U.S. should work through an additional, agile multilateral task force model that is built around a shared vision for cyberspace and a shared commitment to action. Doing so offers the U.S. the ability to strike back decisively, rapidly and coherently in concert with its allies. This summer’s joint attributions of China in the Microsoft Exchange hack discovered in March serves as evidence that this work is already underway. This effort included multilateral organizations—namely the EU and NATO—but was not explicitly a product of those bodies. Rather, it was a broad coalition that also included many individual countries, an approach that provided a united front while not limiting action to the lowest common denominator of willingness to respond.
Working with coalitions of partners and allies is not a new idea in cyberspace strategy, but the Biden administration has an opportunity to improve its effectiveness. A first step is improving the capacity to form these coalitions quickly as—for better or worse—a matter of routine. While the China attribution was a remarkable step forward, it came four months after the primary attack it addresses (and longer, for some of the specific criminal incidents addressed). This is both a significant improvement over prior timelines and entirely too long. To achieve meaningful change, an attribution is only a necessary precursor to a more muscular response, and so delays only hamper an agile response. These examples predominantly focus on attributing an attack to a nation-state actor; calling out permissive attitudes toward perpetrators of ransomware is likely to be an even harder task.
Beyond simply increasing speed, the Biden administration can improve the effectiveness of a coalition approach by improving information sharing between trusted partners. Congress and the Cyberspace Solarium Commission have identified necessary changes to facilitate such a development. Whether as a function of policies that lead to rapid declassification, colocated personnel or improved attribution capacity, coalition members must be able to agree on basic facts. Based on those facts, individual governments can participate in cost-imposition activities to the extent they are willing, without undermining the widespread agreement on ground truth. More generally, all these steps require careful care and feeding by U.S. cyber diplomats. And in order to make a coalition model work, national leaders must ensure that the State Department has the capacity, personnel and organizational structures needed to build these coalitions quickly.
No matter how aligned the U.S. and its allies are, creating innovative multilateral solutions is a tall order. In developing and executing strategies to alter the calculus of safe haven states, we propose four guiding principles.
The first is to frame potential responses by focusing on the intended effect. That is to say, in determining how to respond to safe havens, such a coalition should begin by identifying the largest levers in the relevant environment that can be used to impose a cost on the host government. Such examples may include internet or cloud service providers in-country that host the malicious traffic. This recognizes the centrality of legitimate infrastructure in serving as a conduit for international cybercrime and aims to impose a cost on the crime-permissive government by inhibiting the infrastructure that carries ransomware while motivating change among business leaders with the power to influence policymakers.
This brings us to our second point: A creative solution must also be a feasible and sustainable solution. Too often, recommendations of sanctions against critical industries or actors fall flat because they are too drastic for the stated ends or they do not impact the incentives of the actors with the power to change the targeted behavior. The first point aims to ameliorate this dilemma by focusing on the largest attributable, legitimate actors in a state apparatus as the lever by which to apply pressure to the host government. The second recognizes that the points of leverage used to put pressure on a government playing host to cybercriminals may not always be directly connected to cyberspace policy, but they do need to be tailored to the appropriate actors. Issue linkages that pull across different facets of the relationship with foreign leaders—from creature comforts to domestic approval ratings to the support of local industry leaders—are a rich vein of leverage points. Rather than starting with the policymaker’s reflexive toolkit of sanctions and other tried-and-true responses, feasible and sustainable solutions to ransomware safe havens must consider what matters most to the actors the U.S. is attempting to influence and then draw on the policy tools available to viably tap into those leverage points.
The third point to consider in developing novel policy tools is to increase efforts of owning the narrative. As authoritarian governments strive to paint themselves as responsible and inclusive custodians of the internet, an increasingly viable point of leverage for the U.S. and its partners and allies is simply to pull back the curtain on such activities by highlighting both ongoing and prior violations of existing norms and the ulterior motives underwriting their posturing. Doing so has the potential to erode support for those governments’ cyberspace policy proposals domestically and—perhaps more importantly—internationally as governments around the world come to better understand what greater sovereign control over the internet would mean in practical terms. Coercive tools require careful crafting and even more precise public messaging.
Together, targeted and flexible multilateral coalitions may be able to find success in changing the calculus of states that currently do not do their part in taking action against domestic cybercriminals whose damage is felt internationally. Meanwhile, large multilateral institutions create a foundation for developing a consensus on what, exactly, that part is. The line between these two approaches is not always binary, and plenty of edge cases exist where multilateral organizations, especially those formed around shared viewpoints, can be an excellent forum to articulate that viewpoint without the need to cultivate global consensus. For example, the recent G-7 communique makes no bones about calling on Russia to “hold to account those within its borders who conduct ransomware attacks.” While recognizing that international engagement does not separate cleanly into two distinct approaches, distinguishing between them highlights the different advantages and weaknesses of each approach. In combating cybercrime, it is clear that both are necessary.
A fourth and final point is that the U.S. must always preserve its right to respond unilaterally in cyberspace if U.S. national security interests are put at risk. An international response is almost always preferable when dealing with malicious adversary behavior, but the U.S. must ensure it has a comprehensive capability, stretching across law enforcement, economic, diplomatic, and cyber and non-cyber military tools ready to respond if its national interests are jeopardized.
In responding to the recent wave of safe haven-launched ransomware attacks, the Biden administration has shown promise in its pivot to a mixture of diplomacy and creative sanctions, but more remains to be done. The response thus far has focused on disrupting individual actors, which is critical but insufficient in the long term without also pursuing actions meant to change the larger permissive environment from which they operate. The Biden administration, and like-minded leaders, can better leverage existing international institutions while also exploring alliances with the potential to coordinate outside of established institutions. By recognizing the limitations and opportunities that come with different approaches to international engagement, like-minded stakeholders can find a more successful means of multilateral action. To secure the United States from the scourge of rampant ransomware, the Biden administration must continue to take the fight to the source but must find a way to do so in concert with others.