Published by The Lawfare Institute
in Cooperation With
The recent spate of ransomware attacks in the United States, including against critical infrastructure in the case of the Colonial Pipeline attack, raises questions about U.S. Cyber Command’s role in responding to this type of malicious behavior. The crux of the issue is how to define an appropriate mission—if any at all—for employing military authorities, capabilities and resources against ransomware gangs, which are typically criminal organizations rather than nation-state adversaries. It’s an issue that will only take on increased relevance, and one for which many key questions remain unanswered.
Commentators and experts have offered different perspectives on this issue. For instance, the Institute for Security and Technology’s recently published Ransomware Task Force report, which has helped to inform the Biden administration’s approach to ransomware, has little to say about the military. The report mentions Cyber Command only once, in the context of listing the stakeholders that would be part of a Joint Ransomware Task Force, and it only briefly refers to the potential for military responses to ransomware. But other experts have weighed in more comprehensively. Jason Healey, for example, recently warned against giving the military far-reaching powers to address cybercrime, concerned about the potentially damaging effects of military involvement in cybercrime prevention on civil-military relations. Other authors came down on the other side; Peter Pascucci and Kurt Sanger argued that Healey’s approach would tie the president’s hands, noting that it’s often difficult for federal law enforcement to take immediate action to counter transnational cybercrime.
Both of these perspectives offer important insights as the U.S. navigates the complexities associated with the convergence of criminal and national security behavior in cyberspace. And despite disagreeing on core issues, the two sides generally concur that there is some potential role for the military in this space.
But it’s not easy to demarcate where that role might lie. A central challenge is that the definition of roles, responsibilities, and—importantly—allocation of resources and capabilities across the federal government does not perfectly map onto threat actor behavior and motivation. Ransomware is most commonly associated with criminal organizations operating for profit—an area where law enforcement has a clear prerogative and role (one exception is cybercrime that directly impacts the military or defense industrial base). But, as Jenny Jun argues, states will likely begin to leverage ransomware for strategic purposes, given the potential coercive power of this capability—an area where the military traditionally takes the lead.
And ransomware increasingly falls into the nebulous nexus where criminal and national security behavior overlap. This was the case with the Colonial Pipeline attack, which was perpetrated by Russian criminals but had the potential for national security effects given the targeting of critical infrastructure. In the intersection of cybercrime and national security, criminal organizations that have ambiguous relationships with governments carry out ransomware for a mix of financial gain and strategic motivations at varying levels of control and direction by the government. For example, the Biden administration’s recent statement attributing a range of malicious cyber activities to China specifically called out proxy actors linked to China’s Ministry of State Security who moonlight in cybercrime for personal profit. It is precisely in this intersection of crime and national security that the role of military cyber capabilities is most uncertain and vague.
Therefore, a compelling case is to be made for employing Cyber Command to disrupt ransomware operations for activities that have significant national security consequences or are linked to broader strategic campaigns carried out by nation-state adversaries but that emanate from outside of U.S. borders. Moreover, it is apparent that Cyber Command currently has authority to engage cybercriminals in some circumstances, seemingly beyond “hunt forward” and partnering operations. This was demonstrated by its reported fall 2020 campaign against the Trickbot botnet run by Russian criminals. Moreover, in June 2021, Deputy Assistant Secretary of Defense for Cyber Policy Mieke Eoyang testified in front of the Senate Armed Services Subcommittee on Cybersecurity, affirming the military’s role in countering ransomware attacks.
That said, critical questions remain unanswered. Below, we outline core considerations policymakers should take into account.
The vast majority of ransomware currently affecting the United States falls beyond the scope of the Defense Department’s prerogative. Therefore, in developing a strategy for employing military authorities and capabilities under certain conditions to counter ransomware, the United States needs to account for how this will be integrated and deconflicted with parallel efforts across the federal government, as well as the implications for the private sector. It’s not clear that the United States, at least based on what has been made public, has such an integrated strategy—even as Cyber Command may already be conducting counter-ransomware campaigns.
One salient concern with respect to the private sector, for instance, is the recent reporting that the U.S. government is exploring options for the private sector to be allowed to engage in “hacking back” in response to ransomware attacks. Absent explicit guidance about the allowable scope and parameters of a private-sector response to ransomware, or a clear process for deconflicting private actions with ongoing military or law enforcement operations, there is the risk that uncoordinated actions would be duplicative (at best) or counterproductive or even dangerous (at worst). This is just one hypothetical example, but it illustrates some of the broader organizational challenges associated with developing a coherent, multi-stakeholder response to ransomware. It is important to ensure that the responses of different arms of government and the private sector are coordinated and oriented toward a shared objective.
And any strategy that incorporates a role for the military in combating ransomware would also have to stipulate a process for how information and intelligence will be shared (and at what levels of classification) across the federal government, with state and local authorities (to include the National Guard, which governors have frequently mobilized for ransomware incident response), as well as with the private sector. This process would also have to take into account legal considerations associated with how various types of information is appropriately shared across different stakeholders.
Another concern, from a strategic perspective, is that a counter-ransomware strategy may fall into an operational cycle analogous to counterterrorism activities—where the military is successful at the tactical level in disrupting discrete operations or even dismantling some organizations but nevertheless finds strategic success elusive. Therefore, it is important for policymakers to clearly define what constitutes success and develop ways of measuring outcomes. For example, the Cyberspace Solarium Commission’s March 2020 report suggests metrics for how the Defense Department should assess outcomes for its “defend forward” strategy. A similar approach would be appropriate for a counter-ransomware strategy.
A crucial part of defining success also involves identifying a discernible end point. By way of comparison, Cyber Command’s role in defending U.S. elections began as an ad hoc interagency task force, known as the Russia Small Group, which later became permanent. The election protection project is important, but the potential for continual accrual of “enduring missions,” plus the organizational structures to support them, raises broader questions about mission creep and path dependence—and how policymakers match organizational structures and resources to address new versus long-term threats.
Moreover, a counter-ransomware strategy should articulate a compelling logic for how operational activities are meant to contribute to desired outcomes. Specifically, is employing military resources to disrupt groups conducting ransomware operations meant to function as part of a deterrence strategy, whereby imposing costs is aimed at changing an adversary’s calculus? Should policymakers expect that deterrence mechanisms that (sometimes) work for nation-state adversaries will also be successful when applied to proxy groups engaged in criminal activity?
Similarly, there is increasing pressure for the U.S. government to be more public about its offensive cyber operations and adopt a “declaratory policy” for cyberspace to make deterrence strategies more credible. Should it take a similar approach to counter-ransomware campaigns—publicly taking responsibility as a means of signaling? Are there conditions under which the U.S. should warn a host government in advance to provide an opportunity to take action to address the ransomware groups operating within their jurisdiction? These are difficult strategic questions—and far from the only ones. But it is nonetheless imperative for decision-makers to weigh them before the U.S. becomes fully committed to operational activities.
Implementation Within Cyber Command
There are also important considerations in terms of how a counter-ransomware strategy executed by the military would be implemented within Cyber Command
First, it’s not clear how a counter-ransomware mission would be integrated into the current force structure within the Cyber National Mission Force (CNMF), Cyber Command’s operational arm.
There are several potential models. One could be to stand up a new, separate counter-ransomware task force within the CNMF charged with executing a standing campaign plan. Another option could be to incorporate counter-ransomware operations into existing targeting conducted by current CNMF task forces. Finally, looking beyond the CNMF, another option would be to establish a dedicated joint task force, similar to Joint Task Force Ares (which is reportedly shifting from a counterterrorism mission to more of a focus on great power competition). Each of these models has different benefits, making the choice of a particular organizational structure significant. For instance, like Joint Task Force Ares, a dedicated joint task force for ransomware may have more senior leadership (that is, at the general/flag officer level) than a CNMF task force, while establishing a counter-ransomware task force within the CNMF could enable greater synchronization with other CNMF missions.
Second, several targeting issues need to be addressed. One is whether counter-ransomware campaigns should be oriented against specific, known criminal organizations. It’s a hard question, given that ransomware groups often dissolve and reconstitute in new forms. Another is determining the extent to which existing rules of engagement would need to be updated to address issues such as command and control or limitations on the use of force, as well as establishing a review process for targeting, covering questions like what may be targeted, and identifying any collateral effects from such disruptive operations, which may potentially raise intelligence thresholds to ensure operational activities are appropriately scoped and deconflicted.
Finally, from a resourcing perspective, all of this inevitably raises questions about how the counter-ransomware mission would be prioritized compared to existing missions—to put it bluntly, what current efforts would have to be put on the backburner to compensate. The Cyber Mission Force (CMF) is already operating with resources and capabilities that are mismatched to the scale of the threat and the scope of its mission set. This is why the Cyberspace Solarium Commission recommended and Congress enacted in the fiscal 2021 National Defense Authorization Act a force structure assessment as part of the quadrennial cyber review. As the Defense Department conducts this assessment, it should consider the resource impact that new mission areas, such as counter-ransomware, have on military cyber forces and relevant intelligence agencies that provide critical support to these campaigns.
Risks and Trade-Offs
Finally, policymakers must thoroughly examine the risks that come with applying the military to counter ransomware. One risk is that, in defining a role for the military in countering ransomware, the United States could inadvertently set a precedent that enables adversaries to justify conducting their own military-led campaigns against the United States—from which a nonnegligible proportion of global ransomware emanates. Relatedly, allowing for a greater and more aggressive military role in this space could help to confirm existing narratives promulgated by U.S. adversaries, such as Russia or China, about the threat posed by U.S. cyber power. Russia, for instance, could leverage this narrative for its own interests as it tries to push its cybercrime convention through the United Nations, citing incursion of its sovereign networks by the United States.
Policymakers should also consider how governments might respond upon discovering the U.S. military in their networks. Against such a backdrop, the role of informal diplomatic dialogues at the Track 1.5 or 2 levels, as well as direct private diplomatic communications (such as the ongoing expert consultations between the U.S. and Russia on cyber issues), becomes even more important to clarify respective positions on acceptable behavior, communicate responses, and understand intentions. There are thorny domestic questions to wade through as well. Of note, the military and the intelligence community are subject to statutes that limit their exposure to U.S. persons data. And in conducting counter-ransomware operations, contact with stolen U.S persons data may be inevitable. Therefore, it will be essential to ensure oversight and protocols are in place to protect this data and ensure adherence with existing statutes and policies, such as Executive Order 12333 and United States Signals Intelligence Directive 18, which, among other things, define guidelines and procedures for intelligence collection, retention, and dissemination of U.S. persons data.
Finally, there is also a potential issue of moral hazard with the private sector. It is logical to conclude that in anticipation of military (or law enforcement) intervention following a ransomware attack, companies may not be incentivized to invest proactively in implementing a strong cybersecurity posture and enhancing their resilience. Here, too, clear and transparent communication between government entities and the private sector is necessary to establish mutual expectations.
Given the reality that the military may already be engaged in counter-ransomware operations, it is imperative for policymakers to meaningfully address the thorny questions of how military involvement might work in practice. Failure to consider critical issues—such as how to integrate military efforts with other government actions, how to organize cyber forces to conduct counter-ransomware missions, and the trade-offs and challenges associated with employing military authorities and resources to tackle ransomware—risks repeating similar blunders made in response to previous policy challenges, like terrorism. And, in using the military, policymakers should be careful to keep the scope of involvement limited to the specific uses of ransomware that would justify the employment of military authorities and resources, rather than viewing the military as a convenient (and highly capable) tool to solve all the challenges posed by ransomware. Finally, recognizing that such activities will likely define new precedents, policymakers should be prepared to understand the short and long-term implications for the private sector and for cyber relations between states.