General Paul Nakasone, head of U.S. Cyber Command and the National Security Agency, finally confirmed what many had long speculated: the U.S. military directly intervened to shut down criminal cyber hackers after the attacks on the Colonial gas pipeline and the meat supplier JBS during the summer of 2021.
The threat of ransomware is precarious and a challenge to the stability of the nation during the ongoing pandemic. Yet threats to digital connectivity do not require the blurring of the boundary between domestic security and international security. Leveraging military assets to handle criminal problems that are not directly related to national security represents the continued reliance on offensive maneuvers and the U.S. military to maintain primacy in cyberspace.
While ransomware is clearly a modern security challenge, it is but one of many security challenges the information technology industry has faced, from the Y2K bug, to election attacks, to the recent exploitation of our email and print servers. There will be a new challenge next month, and the United States requires a proper whole-of-nation strategy to counter these threats without depending on the blunt force that is the military.
Cyber security is a spectrum of operations long in search of guideposts. It represents a field of digital interaction where there exists little clarity. What is more troubling are efforts to provide coherence through the crutch of the military where there is already domestic law that provides guidance for such actions. The Posse Comitatus Act makes it very clear that the U.S. military is not to be leveraged for domestic challenges. As a RAND study notes, the exceptions involve the National Guard operating under state authority, quelling domestic violence, search and surveillance, use in the war on drugs, and the Coast Guard. Now is not the time to make changes to practice due to the threat of ransomware, a lesson that should be known to all after the military became embroiled in protests near the White House in the summer of 2020.
Ransomware is certainly a scourge that is increasing due to new digital dependencies created by the pandemic and the wide availability of cryptocurrency. Yet, there is no evidence that this threat is escalating or becoming more intense, nor is it clearly a national security challenge. We must not confuse low-level threats to information technology with critical national security challenges. The nation is in danger of degrading its own capabilities by losing focus on protecting the homeland.
Using the U.S. military to handle criminal problems represents a classic example of mission creep: the dependence on the military for all problems and challenges, which might be wholly inappropriate. First, ransomware operations typically provoke a reaction long after they are launched, and there is little intelligence on where the next attack will emanate from. Second, reactions by the military must be a last resort, a high bar in cyber security since the government and industry overall have done little to protect the homeland. As Erica Borghard notes, we know how to stop ransomware, but that requires that the targets themselves prevent exploitation and a series of policy changes.
Ransomware has been endemic in cyber security operations since at least 1989, with the AIDS Trojan being the first operation. Ransomware is so common that major cyber operations from foreign states have mimicked it to try to avoid attribution, with the Sony Hack and NotPetya being examples of foreign state attacks being masked as ransomware. States are typically not in the business of creating ransomware since their goals are coercive, while ransomware is generally the purview of criminal organizations or North Korea, which typically operates like a criminal state.
As Pascucci and Sanger note, “cybersecurity is national security”, yet it’s not clear that ransomware is national security. The goals are criminal in nature. There is no grand strategy at play to suppress or “pin down” America’s collective cyber defenses; instead, criminal actors operating in adversary states are preying on the lack of resiliency in the target and conflicting views on how to update the Budapest Convention on Cybercrime. Russia and China are pushing for a new convention that defends their version of sovereignty and have little interest in enforcing current agreements.
When leveraging military power, there are only two questions that need to be asked: is it legal, and is it in the interest of national security? The reality is that many cyber security missions meet neither bar, and therefore domestic actors like the Federal Bureau of Investigation and Department of Homeland Security, in collaboration with international judicial processes and conventions, are the real means to counter ransomware.