At a glance.
- Policy implications of the Kaseya ransomware attack.
- International norms in cyberspace as a topic of negotiation.
Policy implications of the Kaseya ransomware attack.
Amid an ongoing ransomware attack of suspected Russian profiteer origin, software vendor Kaseya expects to restore services today, following yesterday’s meeting with CISA and the FBI about necessary cybersecurity precautions for customers. Deputy National Security Adviser for Cyber Anne Neuberger, Reuters reports, said CISA and the FBI are offering direct support to downstream victims as well. The FBI has asked victims to share “as much information as possible” with the Bureau via the Internet Crime Complaint Center, according to BankInfoSecurity, noting that “all information we receive will be useful in countering this threat.” The Australian Broadcasting Corporation notes increased urgency surrounding supply chain attacks in the wake of Holiday Bear’s gambit.
Reuters has an account of the Biden Administration’s response to Moscow thus far. Huntress Labs attributed the attack to Russian gang REvil, which hit meat supplier JBS last month. President Biden commented over the holiday weekend that “initial thinking was it was not the Russian Government, but we're not sure yet.” The Intelligence Community is investigating, and if they determine that “it is either with the knowledge of and/or a consequence of Russia,” President Biden said, “then I told Putin [at last month’s Geneva summit] we will respond.” There’s been no further elaboration on what “a consequence of Russia” means, or whether Kaseya’s offerings fall into one of the sixteen forbidden critical infrastructure sectors, such as the IT sector. The Straits Times recalls President Biden’s Geneva warning that continued Russia-sanctioned cyberattacks on US critical infrastructure would not go unpunished.
In emailed comments, Meg King, Director of the Science and Technology Innovation Program at The Wilson Center in Washington, DC, sees a US response as probable. “If reports about the ransomware attack on Kaseya are accurate,” she wrote, “this is a huge, bold step up for criminal actors. No longer are complex, expensive attack methods only the focus of nation-states. That the entry point was a zero-day exploit demonstrates the expertise of criminal hacking groups is growing. Expect the Biden Administration to respond.”
It is, of course, unlikely that REvil represents a purely criminal organization. It seems likely that the gang would fall into Talos's new category: "privateer." CBS News reports today that White House press secretary Psaki said that the US had been in touch with Russian officials about the REvil operation, and that if Russia doesn't take action against its ransomware gangs, "we will." How that might be done is unspecified, but the spectrum of response in cases like this runs from a stern press release to the vertical insertion of a Ranger battalion. Any response is likely to fall somewhere in between these two extremes, but will probably include a strong economic bite against the hoods and their enablers.
Cyber behavior as a topic of international negotiation.
NPR considers the likelihood of an arms control-esque cybersecurity treaty that spells out rules and penalties to be slim, in light of past failures as well as asymmetry, attribution, and enforcement challenges. “We're dealing with computer code. So this is radically different from some nuclear weapons,” explained Council on Foreign Relations scholar Thomas Graham. A 2015 US-China pact fell flat, while Russia, Iran, North Korea, and China declined to join the 2001 Budapest Convention on Cybercrime. Some see establishing informal cyber norms through conversations and costs as more feasible.