Should the U.S. government launch cyber military attacks against nation-state sponsored hackers? That debate is heating up.
Indeed, the general counsel for the U.S. Cyber Command is urging the Biden Administration to green-light cyber military takedowns of nation-state sponsored hackers. Marine Lt. Col. Kurt Sanger warned that transnational cyber crimes “can surpass the capacity” of the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to respond immediately. His comments were in response to an earlier post by an academic on Lawfare, a national security-centric blog, detailing specific steps the White House should take before involving the U.S. military in cyber actions.
“Under ideal conditions, law enforcement organizations would address any type of criminal activity; however, in cyberspace, ideal conditions rarely prevail,” wrote Sanger and co-author Navy Cmdr. Peter Pascucci, a judge advocate. “With cybercrime’s precise scope and intent often uncertain, operational opportunities often must be seized immediately by whatever entity is best positioned to do so.”
Sanger and Pascucci aren't talking about bombs but rather deploying malware as justifiable weaponry. “Those contemplating such attacks would have to anticipate a victim’s potential use of force in self-defense, likely dissuading many from taking armed action,” they wrote. “Through cyberspace, criminals contemplating such action need not fear meaningful prosecution, much less a kinetic attack by the victim.”
Did U.S. Government Target REvil Ransomware Gang?
The cyber debate is particularly timely. Within days of the comments from Sanger and Pascucci, the alleged hacker group REvil disappeared from the Internet on or around July 13, 2021. Industry insiders wonder if the United States launched a cyber operation against REvil in response to REvil's alleged attack against Kaseya's VSA software on July 2, 2021. The VSA supply chain attack extended ransomware to roughly 50 MSPs and 1,500 downstream customers. The attack also caused thousands of MSPs to lose RMM (remote monitoring and management) services for more than a week.
U.S. Military Cyber Strikes: Five Considerations
Meanwhile, the cyber-strike debate has been swirling for quite some time. In an April, 2021 Lawfare blog, Jason Healey, a Senior Research Scholar and adjunct faculty at Columbia University’s School for International and Public Affairs and president of the Cyber Conflict Studies Association, argued that before involving the U.S. military to respond to a global criminal threat, the White House should check the boxes on the following five conditions:
- There is an upcoming national-security-relevant window of U.S. or allied vulnerability, or intelligence suggests the malware is about to be used in a far more dangerous manner.
- The targeted malware is particularly large or dangerous or likely to cause deaths and significant destruction of the kind normally associated with military weapons.
- The targeted malware is located largely overseas, not within the United States.
- The targeted malware is tied to a major adversary: China, Russia, North Korea or Iran.
- No one else is taking effective action, or military disruption can uniquely complement the actions of others.
“Every one of these elements is crucial, and all must be satisfied before the U.S. military should act against a criminal cyber threat,” Healey wrote.
However, if Healey’s test were implemented before U.S. officials could decide how to respond, including taking military action, it would “significantly disadvantage” the nation and “take major assets out of the president’s hands,” Sanger and Pascucci wrote. “The self-restraint imposed by this test is ill fit given the nature of cybercrime, the nature of cyberspace targets, and the threats cybercrime poses to the nation and its interests,” they said. On the contrary, Healey’s test may be “exactly what U.S. adversaries hope for when committing lawfare and engaging in gray zone operations.”
U.S. Cybersecurity: Shifting From Defense to Offense?
Sanger and Pascucci are not the first among U.S. Cyber Command top brass to suggest deploying military action to push back on cyber offensives by U.S. adversaries. U.S. Cyber Command and National Security Agency chief General Paul Nakasone has repeatedly signaled that the command’s mission has by necessity turned from defensive to offensive.
Since Healey’s article, a series of high-profile ransomware attacks on government agencies, hospitals, educational institutions, private businesses, and now critical infrastructure has roiled the nation and given rise to a coordinated, federal-level effort to fight back. But that determination has yet to sanction military action.
“The Colonial Pipeline hack, in particular, highlights the broad and severe impacts criminals can inflict through cyberspace,” Sanger and Pascucci wrote. “Such malicious cyber events are geopolitical events with a clear criminal aspect, but this is not a determinative factor when assessing which federal organization is in the best position to take action. If the United States is to defeat these cyber threats, traditional notions regarding the division between criminal and national security matters must be reevaluated.”
The Colonial Pipeline ransomware attack shut down a major fuel distribution pipeline in May 2021. Pipeline operators ultimately paid $5 million to the attackers, though the U.S. government later recovered the majority of the money.
A spokesperson for Cyber Command told NBC News that "U.S. Cyber Command's roles are to enable our partners…with the best insights available and act when ordered to disrupt, degrade, or otherwise impose consequences on our adversaries. The command provides options…but does not set policy."
Sanger and Pascucci’s blog contains the standard disclaimer that their “opinions are the authors’ own and do not necessarily reflect official positions of the Department of Defense or any other U.S. Government organization.”
MSSPs: Monitoring Government Developments
MSSPs, meanwhile, would be wise to closely track evolving U.S. cybersecurity policies. President Biden’s executive order on cybersecurity — issued in May 2021 — specifically called out IT service provider security practices more than a dozen times.