It’s a very welcome development that the FBI has managed to seize most of the ransom Colonial Pipeline paid to the hackers, believed to be Russia-based, in order to get its operations and fuel deliveries back online. As the Wall Street Journal reports, based on a Justice Department announcement, investigators recovered approximately 64 bitcoin, valued at roughly $2.3 million.
Last month, the company told the Journal that it had paid about $4.4 million to satisfy the ransom demand by what the Bureau believes is a cyber-sabotage outfit known as “DarkSide.” The group develops malware that is used to breach company systems and lock them up; ransoms are then demanded to unlock those systems.
Naturally, the default position of the FBI and our government generally is that companies should not pay ransom. But, as illustrated in the case of Colonial, which runs the main pipeline system for gasoline- and diesel-fuel deliveries to the East Coast, a paralyzing shutdown can wreak havoc on essential industrial activities. In individual instances, that can make the ransom seem a small price to pay.
Of course, cumulatively, that will not be the case.
As security officials have acknowledged in recent days, the web of grids that make up the U.S. power system could be vulnerable to cyberattacks. This is not just a challenge for industrial sectors; it is a profound national-security issue — so much so that, as Rich and I discuss in the latest episode of The McCarthy Report podcast, FBI director Chris Wray has compared it to international terrorism.
In invoking the example of the 9/11 attacks, Wray was not implying that any single ransomware attack has been a 9/11-level catastrophe. He was pointing out that cyber sabotage is a daunting challenge for law-enforcement and intelligence officials in the same way international terrorism is.
The hostiles conduct their operations outside the United States, and often under the implied if not explicit protection of rogue regimes — analogous to state sponsors of terrorism. The FBI and our other agencies have no investigative authority in the regions from which the attacks emanate. The writ of our courts does not run in such places. We cannot effectively repel the threat without the cooperation of foreign countries, many of which are less vexed by the attacks than we are and fear that helping us makes them more vulnerable. And like terrorism, cyber operations level the battlefield, neutralizing the might and economic advantages that make a superpower a superpower — indeed, that’s why the most pernicious terrorist organizations have long been cyber-adept.
While today’s development is to be cheered, it also highlights some of the challenges. Notice: U.S. authorities are announcing only the seizure of funds (in fact, of funds they did not want Colonial to pay in the first place); there is no announcement of arrests. In that sense, it is reminiscent of the Mueller investigation’s ballyhooed indictments of Russian hackers: The stark reality is that, even if our intel officials can identify members of DarkSide, the chance that any of them will ever see the inside of an American courtroom is remote, to say the least.
It is great that the Bureau had the capability, on this occasion, to track down proceeds of a crypto-currency arrangement of the kind that hackers orchestrate precisely because it is so hard to trace. But investigators have not been able to capture all of the funds involved in this ransom transaction, and the limited (but significant) success here will not necessarily translate into success in similar investigations.
There are more and more similar investigations. And the truly disturbing trends are that these attacks are increasing in frequency, and the ransom demands are getting much bigger.
Initially, ransomware tended to seek payoffs in the thousands of dollars — amounts big corporations regard as a nuisance, less costly to pay than to take expensive precautions against. Now, the amounts are well into the millions. That’s not a nuisance anymore. These are provocations by malefactors who have become increasingly confident. In part, that is because we do not yet have a good strategy to address this challenge. And in part, it is because the hackers feel they are insulated from prosecution or other comeuppance by such regimes as Putin’s Russia.
Ultimately, the solution here is going to involve making other governments see it as in their interests to join us in cracking down. Too often, that realization activates Washington’s naïve streak: The bipartisan delusion that Russia (like Iran . . . like China . . . ) has many mutual interests with us and could become a strategic partner — even an ally! — if we just do the hard work of establishing trust. The remorseless fact is that the regime in Moscow is incorrigibly execrable and anti-American. That doesn’t mean you can’t get Putin’s cooperation, but you have to get it by sticks, not carrots.
Russia is going to continue to be a state sponsor of cyber operations against the United States unless and until it is made convincingly clear that the penalties for doing so are more than the Kremlin is willing to bear.