Nation-states must bear responsibility for their cyber criminals

“They have a responsibility to deal with this.” With these words, President Biden effectively put Russia on notice for its presumed indirect role in allowing a Russian cyber criminal syndicate, called DarkSide, to disrupt one of the largest U.S. oil and gas pipeline companies, Colonial Pipeline. The president’s statement signals a new doctrine to the United States’s budding cybersecurity strategy: We will not allow nation-states to ignore or abet cyber criminals who operate within their territory. 

While the relationship between nation-states and cyber criminals is not new, the Colonial Pipeline hack underscores the need for the U.S. government to assess how its current policies fail to deter these acts and to hold both parties accountable. 

We know that all of America’s adversaries have loose, if not close, working relationships with non-state actors. While DarkSide is a relative newcomer, it is just one of many that operate in Russia with the “tacit approval of Russian intelligence and political leaders,” according to U.S. intelligence officials. The Treasury Department sanctioned Evil Corp, a notorious Russian-based group, because of its ties with the Russian government and for infecting hundreds of banks with malware. The North Koreans, as well, have close ties to criminal groups to prop up their regime with illicit finances. Iran relied on criminals to damage multiple U.S. websites to retaliate for the killing of Qassem Soleimani; the FBI alleged that the criminals targeted computers “sometimes at the behest of the government of Iran.” And China, too, is culpable. The Justice Department indicted two Chinese hackers on accusations that they worked with the Ministry of State Security to steal COVID-19 research from institutions.

Since at least 2012, the United States has utilized sanctions and indictments to punish individuals, organizations and nation-states for bad behavior in cyberspace. Our research at Third Way found that over 300 U.S. cyber sanctions have been issued since 2012. These sanctions are used for a multitude of reasons, including assigning blame (i.e., attribution), punishing the actor(s) for their deeds and, ultimately, deterring bad actors from doing it again. While it is easy to determine if the United States succeeded in achieving some of these outcomes (e.g., attribution is made when a sanction is levied), others (e.g., deterrence) are harder to assess. Indeed, we found that “[t]here are no publicly available assessments to indicate whether these sanctions are meeting these objectives.”

There is a robust debate among cybersecurity professionals on the utility of cybersecurity sanctions and corresponding indictments, but we know this much: U.S. efforts thus far to make nation-states bear responsibility for cyber crime emanating from their borders have failed. But sanctions, indictments and other consequences can be improved if the government implements the following steps. 

First, the U.S. government must conduct a holistic assessment of cyber sanctions. This assessment should answer a number of questions, such as: Are the goals of the cyber sanctions clearly defined inside the U.S. government? What is the administration’s view of how cyber sanctions fit into their overall strategic approach to dealing with malicious cyber threats? What role can these sanctions play in imposing consequences on cyber criminals, and should the U.S. government increase the use of sanctions on these criminals? The answers to these questions will be pivotal in determining when and how sanctions should be deployed and whether they are effective.

Second, the U.S. government must work with international allies to signal that they no longer will tolerate nation-states that ignore or abet malicious cyber activities stemming from their territory. Shortly after President Biden’s remarks, the United Kingdom’s foreign secretary followed suit, saying that Russia has a “responsibility to prosecute those gangs and individuals” and “can’t just wave their hands and say it’s nothing to do with them.” The U.S. government needs to couple this signaling with dedicated international support to partners and countries to bolster their law enforcement capacities to investigate, arrest and prosecute cyber criminals.

Third, the Director of National Intelligence should conduct a National Intelligence Estimate (NIE) that assesses the relationship between U.S. adversaries and criminal syndicates. This NIE should review the capabilities, scope, activities and impact of cyber criminals to understand the evolving ecosystem of their relationships with nation-state adversaries. By identifying the tactics, relationships and even identities of cyber criminals, the government can develop an effective strategy to disrupt the ecosystem that feeds malicious cyber activity at the source.

To be sure, these are not the sole solutions to holding nation-states accountable for the criminal groups that run amok within their borders. The U.S. government increasingly works with private and international partners to disrupt cyber criminal infrastructure, which will come in handy if other measures do not produce their intended outcomes. But, at the bare minimum, the United States needs to understand the usefulness of its current tools, get on the same page as its allies and support them, and comprehend the threat landscape. As the Colonial Pipeline hack illustrates, the stakes are too high to not get this right.  

Michael Garcia is a senior policy adviser in the National Security Program at Third Way, a center-left think tank, and a 2021 Shawn Brimley Next Generation National Security Fellow at the Center for a New American Security.