Lawmakers of both parties want President Joe Biden to deliver a tough message when he meets face-to-face this week with Russian President Vladimir Putin: Stop the ransomware gangs, or we will.
After two recent attacks that disrupted key parts of Americans’ lives — against a major gasoline pipeline and a large meatpacking conglomerate — there’s a growing bipartisan consensus that the traditional U.S. strategy of strengthening defenses isn’t enough. It’s time, lawmakers say, for the U.S. to start flexing some muscle, including hacking back against criminal networks operating out of the former Cold War rival’s territory.
“I equate it to a common burglar. We put locks on our house … but you also want to make sure you’re catching the burglar and punishing the burglar,” said Senate Homeland Security Chair Gary Peters (D-Mich.). He called the Kremlin’s laissez-faire attitude about criminal networks working in its own backyard “unacceptable.”
The big question is whether Putin can be pressured — or trusted — to rein in his country’s cyber criminals.
Biden and his appointees have issued not-so-veiled warnings at the Kremlin, starting last month after U.S. officials blamed the attack on Colonial Pipeline on the Russia-based ransomware gang DarkSide. Biden said Moscow has “some responsibility to deal with this.” He also said, without elaborating, that he will raise the issue of the cyberattacks with Putin.
Lawmakers want Biden to put some steel behind those words by making it clear the U.S. and its NATO allies are willing to take the fight to these digital pirates. That kind of message might be enough to raise the alarm in Moscow both politically and inside its intelligence apparatus, they said.
“There’s a lot of interplay between cyber criminals and the government” in Russia, said Sen. Marco Rubio (R-Fla.), the Intelligence Committee’s vice chair.
That’s because Russian intelligence officers sometimes moonlight or perform freelance work in malign digital activities with the official blessing of the state, U.S. national security and law enforcement officials say. Ties between the two camps can run deep, FBI Director Christopher Wray said at a House Judiciary hearing Thursday — even with gangs like DarkSide that claim complete independence.
“The degree of nexus between those cyber criminals and the Russian government is not something I can discuss in an open hearing,” Wray said. “I will say that the most recent actors — the so-called DarkSide actors involved in the Colonial Pipeline attack — are individuals who, perhaps not coincidentally, specifically target English-speaking victims.”
Some lawmakers expressed doubts that such aggressive international hacks are occurring without the knowledge of the authoritarian regime in Moscow.
“It’s my opinion that nothing happens in Russia without the government’s approval,” said Sen. Mike Rounds of South Dakota, the top Republican on the Armed Services Committee’s cyber subpanel.
But many lawmakers drew one bright line, saying the U.S. should avoid striking the Russian government or its state infrastructure.
“We have to be careful about those sorts of nation-state to nation-state engagement,” Rubio said, warning of escalation that could lead to traditional, real-world military conflict.
Instead, they said, start by going after the criminal hackers based in Russia — a move that might be less likely to create political blowback.
“The first objective is to get after the gangs because that avoids a great deal of complicated issues about sovereignty and competition with another nation,” said Senate Armed Services Committee Chair Jack Reed (D-R.I.).
The Biden administration has not spelled out any concrete steps it’s prepared to take against Russia over its cyber activities, beyond national security adviser Jake Sullivan’s promises in February that the U.S. response would include actions “seen and unseen.”
A U.S. official familiar with the issue said U.S. options for penalties against Russia included more sanctions as well as exposing unsavory aspects of Putin’s wealth.
But Senate Intelligence Chair Mark Warner (D-Va.) said Biden can make a point of reminding Putin at the meeting that the U.S. can and does deploy its cyber weapons when threatened. “The Russians are very well aware of our capabilities,” he said.
As one example, Warner pointed to a first-of-its-kind offensive digital strike that the U.S. military’s Cyber Command launched on an infamous Russian propaganda factory, the Internet Research Agency, knocking it offline during and after the 2018 midterms. The operation prevented the troll farm from spreading disinformation as Americans went to the polls.
Cyber Command launched a similar attack last year on a network of malware-infected computers run by Russian-speaking hackers to thwart ransomware attacks and efforts to disrupt the November election.
Rubio noted the Justice Department’s announcement last week that it had seized much of Colonial’s ransom from a digital wallet used by the DarkSide hackers. He said such operations can get the ransomware underworld worrying about what kind of access the federal government possesses — and send a message that their networks are vulnerable to penetration and even counter-theft.
But it’s hard to say whether Putin will play ball, the U.S. official said. “‘The Sopranos’ and the ‘Godfather’ movies are instructive on dealing with these folks,” said the official, who spoke on condition of anonymity because they weren’t authorized to talk to the media.
One other option that would avoid dealing with Russia altogether: Nabbing cybercriminals when they happen to visit a third country, the U.S. official said.
One example is Alexander Vinnik, who worked at BTC-e, a Russian cryptocurrency exchange. He was arrested in Greece in 2017 in an operation assisted by the FBI. He is awaiting trial in France on charges of money laundering and extortion.
Asked about potential retaliation following the JBS attack, White House spokesperson Jen Psaki said that “we’re not taking any options off the table.”
Another question is what arm of the U.S. government would take the lead in any attack on ransomware enterprises — a debate that could allow for a hodgepodge of responses from various agencies, none with enough might to deter cybercriminals.
A similar policy debate has raged for months among lawmakers about how the U.S. should respond to last year’s massive SolarWinds intrusion, an espionage effort in which hackers for a Russian intelligence agency rented U.S.-based servers to breach at least nine federal agencies and roughly 100 private companies.
One option is for Cyber Command to lead any reprisals. But having a military organization in the lead could create headaches around legality and sovereignty.
Plus, Cyber Command’s own chief isn’t sold on the idea. Army Gen. Paul Nakasone, who also helms the NSA, has said the FBI and DHS should be in the driver’s seat as part of a “whole of government” approach to ransomware.
"This is the area right now that the administration is working towards, in terms of understanding who’s going to have the lead and how are we going to deal with this," he told a House Armed Services subcommittee on Friday.
Rep. Jim Langevin (D-R.I.), the chair of the Armed Services cybersecurity subpanel, argued that Cyber Command is busy enough with its existing missions and that offense should run through traditional law enforcement and diplomatic routes.
He said a new joint cyber planning office in DHS’ Cybersecurity and Infrastructure Security Agency should be the hub for such efforts. That office, created by last year’s defense policy bill, could “focus on improving defenses, taking down infrastructure, bots and going after payments, criminal investigations and international coordination,” said Langevin, who also serves on the House Homeland Security Committee.
The key for any strategy, argued Sen. Angus King (I-Maine), a member of the Intelligence and Armed Services panels and co-chair of the congressionally chartered Cyberspace Solarium Commission, is forcing Russia out into the open with its look-the-other-way approach to the gangs.
“They can’t allow international criminals to operate with impunity within their borders,” King said. “If we had a gang of international bank robbers living in Richmond, Va., I think we’d go after them.”
Nahal Toosi contributed to this report.
Read more: politico.com