“I’ll never forget. It was the 27th of June when I was woken up at four o’clock in the morning. A call came from the office that we had suffered a cyber attack,” Jim Hagemann Snabe, the chairman of A. P. Moeller Maersk, said at a World Economic Forum event in January 2018. Maersk, the world’s largest container-shipping company, had been hit by NotPetya, a virus subsequently traced to Russia. Yesterday the US government indicted six of NotPetya’s perpetrators. In cyber warfare, the traditional deterrence of punishing a country doesn’t work. Holding individuals accountable, as the US government is increasingly doing, has far more potential.
For days after that fateful morning in June 2017, Maersk was crippled; its eventual losses amounted to some $300 million. NotPetya was a devastating blow not just to Maersk and its customers but to Denmark; Maersk is its largest company. US pharmaceutical giant Merck was similarly stricken, as were snack behemoth Mondelez (think Oreos and Nabisco), FedEx, and a range of other multinationals. NotPetya’s original target, Ukraine, likewise found itself crippled when government agencies, banks, power companies, and hospitals were laid low by the virus. Months later, the US and UK governments announced the Russian government was behind the attack. If Russia had launched a military attack against Denmark, the response would have been straightforward. But a cyber attack? The response amounted to a wagging finger and undoubtedly some menacing cyber-posturing by US and other NATO cyber warriors.
Now the US Department of Justice, via a federal jury in Pennsylvania, has indicted six officers in Russia’s military intelligence agency the GRU for the attack, which, as it states, also hit “hospitals and other medical facilities in the Heritage Valley Health System (Heritage Valley) in the Western District of Pennsylvania”. According to the US Department of Justice, the six GRU officers also participated in the devastating cyber attacks that hit Ukraine in 2015 and 2016, attacks on Emmanuel Macron’s presidential campaign in 2017, attacks on the 2018 PyeongChang Winter Olympics, and attacks on the investigation into the poisoning of Sergey and Yulia Skripal in 2018.
At the same time as the Americans made their announcement, the UK government declared that the GRU had also been behind cyber attacks on not just the PyeongChang Olympics but the PyeongChang Paralympics as well. “The GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers,” the UK statement said.
Attribution of cyber attacks is difficult; the experts who manage to trace a virus’s trail to a government entity can only be applauded. The British government also implicated Russia in several other cyber attacks, including ones on COVID-19 vaccine research in the UK. But what if a government isn’t bothered by being named and shamed? Resounding criticism of Russian and Chinese battery of subversive activities towards the West has made no noticeable difference.
The US government’s approach of holding individuals accountable may instead be the most promising strategy. Last month, for example, the US government charged five Chinese hackers over cyber attacks on more than 100 US companies, and in July it charged two Chinese intelligence officers as perpetrators of COVID-19 research hacks. The US has also indicted Iranian hackers; indeed, this is one nascent Obama administration strategy that the Trump administration has expanded. This summer, the European Union imposed its first-ever travel bans related to cyber attacks; two Chinese and four Russian hackers are now prohibited from visiting Rome, Paris, and, indeed, the rest of the EU. And during the 2018 US election campaign, US Cyber Command operatives, as part of the US Government’s Defend Forward strategy, tried another technique: signaling to would-be perpetrators of cyber attacks on the election that they had been identified. I call this the horse’s-head-in-the-bed strategy, after the scene in The Godfather.
Mafia tactics clearly do not behove liberal democracies — but informing individual perpetrators that they will be held accountable does. As I explained in a RUSI Journal article with Gary Brown of the National Defense University in Washington earlier this year, criminal law holds great potential for cyber deterrence. A targeted country’s traditional deterrent — military force against the attacking country — is so disproportionate in response to cyber attacks as to not be credible. Sure, the hackers charged by the US government and the European Union are safe as long as they stay home. But the indictments mean they won’t even be able to visit countries they most likely consider appealing, let alone live there. That’s a heavy price to pay. Most of us rightly feel loyal to our home countries, but would we keep hacking other countries in its behalf if it meant forfeiting a great deal of what constitutes life in the 21st century? Unlikely.
This article first appeared in 2020 on the AEI Ideas blog.