A massive ransomware attack last week has intensified pressure on the Biden administration to demonstrate it is working to curb the threat, with top national security officials set to brief the president Wednesday on how the government can counter the costly and increasingly brazen assaults by Russia-based hackers.
While intelligence officials have not publicly attributed the latest attack, a group known as REvil, which U.S. officials privately say operates largely from Russia, has taken responsibility for striking up to 1,500 companies in the United States, Europe and Asia. It was, experts say, the single largest such cyberattack to date.
White House officials next week are to resume talks with Russian officials about the threat, a dialogue that began after President Joe Biden warned Russian President Vladimir Putin that the United States would hold Moscow responsible for cyberattacks originating from Russia even if they cannot be directly linked to the Kremlin.
“If the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own,” White House press secretary Jen Psaki said Tuesday.
Although last week’s attack on the Miami-based IT software firm Kaseya appears to have caused what Biden called “minimal damage” to U.S. businesses, it rattled national security officials, and personnel at key federal agencies worked through the July 4 holiday weekend to assess the damage—work that is ongoing, the president added.
Disruptive cyberattacks of this kind, which have been locking up the networks relied on by hospitals, schools and industry—with hackers demanding large sums of money to unlock them—are seen as a more pressing threat today than the traditional, limited espionage carried out by governments against other governments, political parties and other targets.
Wednesday’s briefing will include top officials from the departments of State, Justice, Homeland Security and the intelligence community. The White House hopes to build a multifaceted strategy focused on hardening cyberdefenses, diplomatic outreach to American allies and potentially targeted offensive responses, including the disruption of computer infrastructure used by hackers, officials said.
“No one thing is going to work alone,” said one senior administration official, who like others spoke on the condition of anonymity because of the issue’s sensitivity. “We’re pushing everybody on all of these angles, whether it involves building resilience, using diplomacy or disrupting networks, because we believe only together will we significantly impact the threat.”
While Biden was in Europe last month, he and other Group of Seven leaders committed their nations to jointly holding accountable countries like Russia that shelter ransomware criminals. The G-7 also called on states to enforce anti-money laundering standards to discourage ransomware attacks.
The Biden administration is considering whether to require victims of ransomware attacks to report to the government when they’ve paid a ransom. Without such information, the government is hard-pressed to understand the scope of the problem.
The White House called for options after a ransomware attack in May that led Colonial Pipeline—the largest refined fuel pipeline in the United States—to temporarily shut down its operations, leading to gasoline shortages in much of the Southeast.
Administration officials have sought to calibrate expectations, with Biden himself suggesting that results from bilateral discussions with Russia, several of which have already taken place, might not be immediate.
“We’ll find out within the next six months to a year whether or not we actually have a strategic dialogue that matters,” Biden said in Geneva last month.
Some policy experts are urging the White House to put more pressure on the Kremlin now.
“Before such devastating ransomware attacks become a routine occurrence, President Biden must deliver a quiet but forceful demand: Russian President Vladimir Putin must put an immediate stop to this activity or Washington will tighten the squeeze of sanctions on the Russian economy,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, and Matthew Rojansky, director of the Wilson Center’s Kennan Institute, writing in an op-ed published by The Washington Post on Tuesday.
The U.S. government last month recovered more than $2 million of cryptocurrency that Colonial Pipeline paid in ransom to the Russia-based hacker ring DarkSide after authorities were able to locate the private key that unlocked a digital “wallet” holding the ransom payment, the FBI said. Finding the key was not the result of a sophisticated operation or an informant—nor is it easily repeatable, said people familiar with the matter, who spoke on the condition of anonymity because the methods are not public. “It’s not like a trick that works every time,” one person said.
Some lawmakers are urging the Biden administration to use military cyber-capabilities more aggressively against criminal hackers overseas. Rep. Michael Waltz, R-Fla., is among them.
“At the end of the day, I don’t think the American people really make these legalistic distinctions” between criminal and state-sponsored attacks, said Waltz, a member of the House Armed Services Committee. “An attack on our oil infrastructure or food supply is an attack, period, whether it’s from a saboteur planting a bomb, a plane dropping a bomb or a cyberattack.”
The federal government’s counter-ransomware efforts predate the Colonial Pipeline incident.
In January, for instance, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency launched a campaign to prod private-sector organizations to adopt measures to reduce their risk of being victimized by ransomware attacks. And in 2019, the Department of Homeland Security’s cybersecurity division launched a similar initiative to encourage state and local officials to secure election infrastructure against ransomware attacks.
The Justice Department in April created a ransomware and digital extortion task force with a mission to investigate, disrupt and prosecute ransomware and digital extortion activity.