OPINION

Big Stick Cyber Policy.

Joe Biden must reverse his “speak harshly, carry a small stick” approach to Russia.

When Theodore Roosevelt popularized the West African proverb, “Speak softly and carry a big stick; you will go far,” he envisioned a large navy build-up for the United States. At that time, naval superiority was a highly effective way to assert power in both war and peacetime. Still to this day, America requires a strong navy as it is “flanked by vast oceans” and must cross these watery boundaries to access other nations. Controlling the Earth’s waterways has also allowed the U.S. to expand its military might past its land border and keep “war and devastation away from American shores.”

International waters account for 71% of the Earth’s surface, an unavoidable fact when evaluating how best to secure peace globally. As we transition into the 21st century, however, a new kind of territory has arisen out of the technological age, and it has the potential to rival even the world’s oceans when it comes to strategic importance. The internet, commonly misconstrued by its users as the web browser that allows access to email and streaming services, should properly be thought of as another domain where nations conduct trade, interact, and apply pressure to affect diplomatic objectives. Unlike traditional territorial domains, however, the boundaries are much less distinct online, making us vulnerable in unprecedented ways. Not only that, every American business and household is seamlessly hooked up to the system, allowing almost instantaneous connection with any other device across the globe—and putting every single one of these endpoints at risk of attack by foreign adversaries. This is something that our adversaries recognize.

On May 31st, Sergei Ryabkov, Russia’s deputy foreign minister, made comments ahead of the much-anticipated Biden-Putin summit in mid-June, the two leaders’ first face-to-face meeting since the President took office. Ryabkov responded to a statement by President Biden that he would use the meeting to press Russia on human rights by saying that Russia would send an array of “unpleasant” signals to the United States in the coming days. In April, it was discovered that Russia had amassed over 100,000 troops on its border with Ukraine, the largest build-up to date, which signaled a rise in tensions not only between Russia and Ukraine, but with the U.S. as well. But the most specific context here is the mounting evidence that Russia has escalated, and continues to escalate, its use of high-profile infrastructure ransomware attacks against the United States.

In response to Russia’s diplomatic aggression, it is imperative that the Biden administration decisively put Russia in its place, especially through its policy in cyberspace. To be effective, President Biden should pursue a “Big Stick” strategy: the United States’ cyber capabilities (both offensive and defensive) should be built up and readied for use, while hot-headed accusations and bone-headed verbal miscalculations are tamped down.

President Biden meets Russia's Vladimir Putin.

RUSSIA’S CYBER THREAT

The shrinking effect that the internet has on global interactions has reared its ugly head with the recent spate of ransomware attacks involving fuel pipelines, health systems, and the meatpacking industry. Even more discouraging is that the recent high-profile supply chain attacks have been undertaken by Russian-based criminal organizations. In the case of the Colonial Pipeline ransomware attack, the perpetrator was a Russian-speaking group called DarkSide. As for JBS, the world’s largest meat processor, the group behind the attack has been identified by the FBI as REvil (also known as Sodinokibi). There is also some indication, from the ransom notes, file encryption details, and hacker forum used, that DarkSide members may have been affiliates of REvil at some point. If this intergroup coordination is truly happening, along with potential support from the Russian government, then the threat posed by these groups increases drastically.

While there are currently no definitive ties from either DarkSide or REvil to the Russian government, it is not hard to deduce that the groups and the Kremlin are familiar with each other, perhaps even cordial. Inspection of the ransomware used in the Colonial Pipeline and JBS hacking incidents, along with most other strains, reveals that the malware runs a check on the targeted system to see if it has a language installed that indicates it is a “principal [member] of the Commonwealth of Independent States (CIS)—former Soviet satellites that mostly have favorable relations with the Kremlin.” If the malware detects the presence of one of these languages on the system, it exits and fails to install. Here is the full exclusion list in the DarkSide ransomware, which was published by Cybereason:

According to Brian Krebs, criminal organizations program in checks like these to avoid garnering the attention of local law enforcement—in this case, local law enforcement in former Soviet satellites and Russia. He writes that:

“In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.”

Compounding this implicit toleration of hackers that threaten foreign governments, the Russian government even has hacking outfits acting on its behalf, one of which is called Cozy Bear. This group, which CrowdStrike, a leading cybersecurity technology company, considers to be either part of the Russian Foreign Intelligence Service or a quasi-contractor working for it, has been accused of being behind the SolarWinds breach (a cyberattack in which a popular network management software used by thousands of businesses and the U.S. government was infected with malware).

Adversaries of the United States typically will test the incoming administration with provocations such as these, and the cyberattacks coming from within Russia fit the bill.

Computer code.

DEALING WITH THE KREMLIN’S TEST

During a June 2nd press conference, White House Press Secretary Jen Psaki was asked about the recent cyberattacks and whether the “President believe[s] that Vladimir Putin is testing him.” She reiterated the same passive response given to a similar question just before, that there is a “potential role” for the Russian government to play in stopping these attacks and that it would be a “topic of discussion” at the June 16th summit. When the time came to confront President Putin on his role in stopping these attacks, however, President Biden failed to put any real weight behind his demand.

In a surprising concession, the President gave Putin a list of 16 critical infrastructure entities that should be off-limits from future attacks. The blatant implication is that any target not on the list is fair game. Instead of asserting that any hacking activity targeting the United States is off-limits, Biden came off weak and ineffectual, putting the power in Putin’s hands to have mercy on Americans. President Biden also tried to pressure Putin to hold cybercriminals in Russia accountable, but this, too, came without any concrete threat or potential consequence for failing to do so. Beyond making vague proclamations of America’s cyber capabilities, the President implied no consequence should Russian law enforcement refuse. Biden simply asked Putin, “How would you feel if ransomware took on the pipelines from your oil fields?” Reflecting on the meeting afterward, the President said that “There were no threats, just simple assertions made” and that the meeting was “good, positive.”

It quickly became obvious that President Putin felt neither intimidation nor urgency around the issue of American cybersecurity. At a separate press conference the same day, Putin claimed that the majority of cyberattacks are actually coming from the United States and the West, not Russia. He also denied any involvement in the recent well-publicized hacks.

The two agreed to future follow-up discussions between officials from each side. If those discussions are as productive as this initial one, however, the prospect of reducing cyberattacks originating from within Russia is grim.

Colonial Pipeline cyberattack.

TAKE HEED OF TEDDY

How does President Biden’s approach to Russian meddling stack up against Roosevelt’s Big Stick policy? It seems that he is going with the opposite approach: speaking harshly and carrying a small stick.

While campaigning, Biden made it a point to highlight Russia as an “opponent,” so much so that commentators noted how, “When he talks about Russia, Joe Biden has sounded like Ronald Reagan all summer, setting up a potential Day 1 confrontation with Russian President Vladimir Putin if Biden were to win.” Last year, he promised that under his administration, pressure would be placed on Russia in response to allegations of previous election interference and (dubious) bounty payments put on American troops in Afghanistan.

The bellicose language continued after he took office. In comments made to the State Department on February 4th, the President said, “I made it clear to President Putin, in a manner very different from my predecessor, that the days of the United States rolling over in the face of Russia’s aggressive actions—interfering with our election, cyber-attacks, poisoning its citizens—are over,” and that, “We will not hesitate to raise the cost on Russia and defend our vital interests and our people.” On March 17th, the President went so far as to call Putin a “killer” during an interview with George Stephanopoulos—a move that led the Kremlin to describe their relationship with the U.S. as “very bad.”

Piling onto this mess was the self-defeating decision made by the administration to lift sanctions from the executive behind the Nord Stream 2 pipeline project between Russia and Germany. When completed, this pipeline will funnel gas from the Russian arctic into Germany, providing more leverage over Europe for Putin—a major geopolitical prize for the Kremlin. Understandably, this decision was seen by some congressional Republicans—like the top Republican on the Senate Foreign Relations Committee, Jim Risch—as “a gift to Putin.” The decision is even ironic when viewed in light of the recent Russian-sourced Colonial Pipeline hack that resulted in a domestic fuel pipeline catastrophe.

President Biden’s policy since before taking office has been to position Russia as an existential threat to American democracy and national security, while failing to back any of it up with shows of real strength. Instead, he has maintained his position with verbal threats that raise the temperature of relations. Victor Davis Hanson, classicist and historian at the Hoover Institution, articulated in April, in a piece for National Review called “How to Start a War,” how self-defeating this strategy is. Appearing weak while being brash can invite unnecessary conflict, Hanson explained:

“When strong countries appear weak, truly weaker ones take risks they otherwise would not. Sloppy braggadocio and serial promises of restraint can trigger wars, too. Empty tough talk can needlessly egg on aggressors. But mouthing utopian bromides convinces bullies that their targets are too sophisticated to counter aggression.”

Despite all the strategic mistakes they’ve so far made to advance national cybersecurity, however, the Biden administration could still turn things around if they act decisively.

In a “Fact Sheet” posted on April 15th, the White House highlighted the actions taken by the administration to “impose costs” on Russia for “Harmful Foreign Activities.” Through executive order, the President expanded the administration’s authority for debt sanctions on Russia and explicitly identified Cozy Bear as the threat actor behind the SolarWinds breach. “The Biden administration has been clear that the United States desires a relationship with Russia that is stable and predictable,” the White House said. “We do not think that we need to continue on a negative trajectory.”

Additionally, an announcement made on June 7th by the Department of Justice stated that $2.3 million worth of bitcoin from the ransom payment made by Colonial Pipeline to DarkSide was confiscated following authorization of a seizure warrant. Included in the disclosure were strong statements by Department of Justice Deputy Attorney General Lisa O. Monaco:

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

These developments, along with certain elements of the Colonial Pipeline hack response that show real promise, point to a more serious approach that the Biden administration can take in regard to the recent Russian ransomware fallout.

Ultimately, however, if President Biden genuinely wants to apply sound diplomatic pressure on Russia, he must embrace the Big Stick policy: reverse course, tamp down his outsized verbal braggadocio, aggressively target cybercriminal groups, and hold Russia’s feet to the fire for harboring the organizations that are ransoming the livelihoods of American citizens.

Written By:

Caleb Larson is an information security engineer in the financial services industry and a member of InfraGard, a partnership between the FBI and private U.S. critical infrastructure organizations.