Vantage Point: Release the Hounds?
There has been a good deal of chatter in the security press lately about the need to have government agencies take an aggressive and offensive approach to defending our nation's critical infrastructure. On the surface, this feels good: our nation is being attacked and we should do something about it, not just talk.
This sentiment is sometimes expressed as a need to "release the hounds," a phrase that evokes images of ferocious dogs being released from their leashes so they can hunt and kill an intruder. While I am sure there are people in government arguing for this approach, we should be careful about what we wish for.
Here are a few factors policy makers should consider as they determine the appropriate response to ransomware:
There are limits to the reach of national power, including cyber power. Even the most advanced capabilities may only be used a handful of times before they are detected and blocked by an adversary. They may even be turned against their creators -- used to attack our own unprepared infrastructure.
Every action on the international stage has consequences. Just as a ransomware attack on a fuel pipeline impacts our national security and our pocketbooks, an attack back against a ransomware crew might impact important infrastructure in another country. That country is likely to respond in a way that it believes advances its own interests. There is a real risk that this becomes a recurring cycle of escalations that can get out of control. Whenever acting on the world stage, our leaders need to ask themselves whether our adversaries have options to respond in ways that do not humiliate them in front of their own populations. When adversary leaders feel cornered, they may respond in ways we do not like.
There will be unexpected consequences. Perhaps an action that strikes back at ransomware infrastructure will result in a systems outage for a hospital that is unlucky enough to have its data on the same set of shared cloud infrastructure as the attackers.
Cyber criminals are not going to stand idly by while their operations are disrupted. If the criminals are motivated by money, they will find other ways to attack American resources to satisfy their greed. If they are motivated by a sense of patriotic duty to their countries, they will be even more motivated after a successful strike against their country.
Ransomware is one of many international issues the United States cares about. Getting everything we want on this topic might require an undesired change in policy in other areas like climate change, international trade, refugees, Ukraine, Taiwan, etc.
As a country that is highly dependent on the internet for our economy, security, and social structures, we have a very large attack surface and would be more impacted by an escalating cyber war than many of our international adversaries.
Our government exists in a world governed by the rule of law, including international law. Government actions must be designed so that they comply with our domestic, international, and treaty obligations.
US actions often have better results when they are part of a coordinated effort by a group of nations with shared interests, rather than when we decide to go it alone. Efforts like last month's 30-nation virtual cyber summit help ensure that our international partners and other "like-minded" nations work to combat ransomware as a united front.
Although ransomware is a serious threat to our economy and potentially to our national security, it is essential that the government response is to do the right thing, not just to do something. Choosing the right response requires that leaders understand all of these factors and choose a set of actions that are likely to achieve our goals in a way that is consistent with our laws and values as a nation.