More Oversight Won’t Slow Down America’s Fight Against Ransomware
While it is crucial to clarify the extent of the Department of Defense’s authorities regarding cyber operations, maintaining an effective counter-ransomware strategy requires answering more urgent questions.
According to a Washington Post report, the Biden administration has revised National Security Presidential Memorandum 13 (NSPM-13), which was signed by President Donald Trump in 2018 and granted the secretary of defense the authority to conduct certain cyber operations without first obtaining authorization from the president and other federal agencies. The purpose of the classified memorandum was to shorten and simplify the interagency decision-making process that had governed the planning and execution of time-sensitive cyberspace operations under Presidential Policy Directive 20 (PPD-20), signed by President Barack Obama in 2012.
According to officials, the revision aimed to expand White House and State Department oversight of offensive cyber operations, to prevent such operations from accidentally interfering with other government-directed cyber activities, such as diplomatic efforts or cyber espionage, and to prevent tensions with third-party countries on whose networks these operations usually take place.
The reports of NSPM-13's revision prompted objections from legislators who had urged the White House to preserve the Department of Defense's cyber authorities, arguing that altering them would curb the nation's ability to signal its willingness to use cyber capabilities and undermine its ability to "persistently engage" adversaries in cyberspace. The reports may also raise questions about the Biden administration's declared struggle against ransomware, which includes using offensive cyber capabilities to deter threat actors involved in ransomware and to disrupt their infrastructure. In November 2021, Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, revealed that the command had conducted a surge of operations to address the threat ransomware poses to U.S. interests.
While timely and relatively flexible planning and execution procedures for offensive cyber operations are crucial to disrupting adversarial activity in cyberspace, there are several reasons why the revision's impact on the struggle against ransomware may not be as severe as some claim.
First, unlike operations in other domains, the vast majority of offensive cyber operations do not have broad strategic implications. This is especially true of operations against ransomware gangs and other cybercriminals, some of whom maintain an ambiguous relationship with foreign governments or are at least granted a safe haven within a country's territory. Harboring countries such as Russia have long dismissed claims about their relations with such criminals. Combined with the empirical evidence that cyber operations are not necessarily escalatory in nature, it is unlikely that such anti-ransomware operations will have strategic implications that require presidential authority.
Second, given that the declared goals of these cyber operations are deterrence and the disruption of ransomware operations, their effectiveness and overall contribution deserve scrutiny. An effective deterrence strategy depends on understanding the motives and risk tolerance of the adversary. Because some ransomware groups operate from a mix of financial, political, or national motives, and their relationships with foreign governments remain ambiguous, tailoring an effective military response to an understanding of the attacker is challenging. While the military maintains the most advanced capabilities for targeting foreign adversaries in cyberspace, the crucial challenge for an effective deterrence strategy may not be the decision-making process for cyber operations. Rather, it may be understanding whether, and to what extent, employing military resources (or the mere threat of them) can change a threat actor's calculus.
A similar argument applies to disruption, as evidence from past operations suggests that the disruption achieved is limited and temporary. In October 2020, reports revealed that U.S. Cyber Command had disrupted the Trickbot botnet by accessing its operators' command-and-control server and sending all infected systems a command to disconnect. Within a few months, however, Trickbot was up and running again. In July and November 2021, Cyber Command targeted infrastructure belonging to the prominent Russian-speaking REvil ransomware gang. According to U.S. officials, the action "left its leaders too frightened of identification and arrest to stay in business." Yet in April 2022 the group reappeared, and some researchers noted that threat actors affiliated with the group had already started a new ransomware campaign as early as December 2021, barely a month after the shutdowns.
While it is crucial to clarify the extent of the Department of Defense's authorities regarding cyber operations, maintaining an effective counter-ransomware strategy requires answering more urgent questions. It is also important to remember that military resources may be neither the sole tool for counter-ransomware efforts nor the most effective one. For a counter-ransomware strategy to work, a comprehensive discussion is needed to determine how to employ these means effectively and, more importantly, how to undermine the profitability of the ransomware market.
Omree Wechsler is a senior researcher for cyber policies and strategy at the Yuval Ne'eman Workshop for Science, Technology and Security, an Israeli think tank at Tel Aviv University. He is a graduate of the CISO & DPO training program at Bar-Ilan University and previously served in the Israeli military intelligence branch.