During the U.S.-Russia June 2021 Geneva presidential summit, US President Joseph Biden handed Russian President Vladimir Putin a list of critical infrastructure inside the United States he wishes Russian criminal groups and the state of Russia not attack. This is cringe-worthy national security diplomacy.
Any cyberspace attack on any US business, person, or infrastructure — any cyberspace attack anywhere — is already illegal under international law, a violation of sovereignty, and justifies a proportional response under the right of self-defense. President Putin knows this. Ransomware is a cyberspace attack, unequivocally — an act that creates denial effects. It does not matter if Russians attack a neighborhood lemonade stand’s Excel spreadsheet via cyberspace or the Los Angeles Airport’s air traffic system; it is a cyberspace attack. If such attacks create physically destructive denial effects, such as changing the network’s information, permanent function denial, or hard drive destruction, they rise to the legal definition of armed attack. A proportional response and subsequent preemptive acts of self-defense to cyberspace attack are legal and appropriate. No state has any right to attack anything.
Framing ransomware as only ‘criminal activity’ (and not a national security concern) is fatally flawed, which ultimately corrupts the response. (Which is why Biden’s policy will fail, if it hasn’t already.) It is a sovereignty/self-defense issue, in addition to being a crime. Treating it as a criminal issue only will never proffer a solution. That is why it continues.
Since Putin claims he knows nothing about the activity of these criminal groups, why did Biden bother to give Putin such a list? Because, of course, Biden knows that Putin’s government communicates (if not coordinates) with these groups.
The Russian Government allows certain Russian criminal groups to operate internationally, as long as they do not target Russian entities, share intelligence with the Russian Government, and do not provoke an American counter cyberattack on Russian targets. The Biden Administration’s list simply clarified which targets are off-limits for Russian criminal groups. President Putin can now share the list (which Americans were not permitted to see) with Russian criminal groups (who are allowed to see it) to allow them to operate with impunity inside Russia in order to steal millions from Americans, so long as they avoid Biden’s list of targets.
Remember: Putin said he doesn’t know about these groups. So why give Putin a list of anything?
The issue wasn’t ambiguous previously; Russia knows perfectly well that ransomware is a cyberspace attack and is an outrageous, illegal activity, worthy of state response. (That’s why Putin claims he knows nothing about it.) The Biden Administration is simply reluctant to muster the necessary and legal punishment against these groups and against states that countenance their existence.
The real issue here has nothing to do with cyberspace, infrastructure, or international law. The issue here, as with all national security issues under this Administration, is about resolve, perception, and redlines.
Democrat national security officials are simply terrified of responding to provocations. They fear escalation and so cave to all competitors. Since all responses risk escalation, the Biden Administration has signaled that it will likely never inflict substantial or sustainable costs on states that permit criminal groups to operate in cyberspace, as long as they don’t attack US critical infrastructure. President Biden threw Americans, allies, friends of law-abiding liberal democracies, and emerging states all under the authoritarian cyberspace bus.
Since cyberspace attack on all US targets was already illegal, the list moves US redlines higher, to allow for more criminal activity, since the list implies *other than these targets,* the United States won’t even consider inflicting unacceptable costs for illegal Russian attack on US territory. Toothless indictments – yes; counter cyberspace attack — no. By not defending them, President Biden and his national security advisors are erasing these international norms and redlines. Under international law, you defend norms and sovereignty by *physically defending them,* not by abandoning them.
Who cannot see this? In an effort to ‘protect’ US critical infrastructure, the President and his advisors are saying, ‘as long as you don’t hit these targets, you can be assured the United States won’t do anything about other cyberspace attack.’ Imagine a burglar who is targeting a specific town and the Mayor sends the burglar a list of government buildings he does not want breached.
Is the Biden Administration likely to defend Australia, Canada, Taiwan, Ukraine, the Baltic States, Japan, the Republic of Korea or any other ally or partner now from Chinese or Russian cyberspace or ransomware attack (other than assist with cybersecurity practices)? Our allies must have been more than a little bit unnerved by this diplomatic move.
Regardless of how the media portrayed his Administration, under President Trump, states knew he was willing to inflict punishment on aggressors who violated international norms or threatened attack. Under President Biden, adversary states see the opposite: norms are being abandoned; the United States is in retreat.
Cyberspace will continue to favor authoritarian states that violate sovereignty, law, and international norms in peacetime as long as the United States does not successfully engage the malicious actors.
President Putin’s claim that his Government has nothing to do with the cyber activity of these Russian criminal groups should have been America’s achievement from the summit. While it is true that the extent to which states are responsible for third party attacks planned, launched, or transited through their sovereign territory is unresolved (many international legal issues wallow in endless ambiguity), the 2001 United Nations Draft Articles on the Responsibility of States for Internationally Wrongful Acts states:
“Article 8. Conduct Directed or Controlled by a State. The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.”
Even more compelling legally, in the terrorism context, the United States shifted from a ‘direct’ to an ‘indirect responsibility’ threshold that allows victim states to use force in response to non-state-actor attacks, when such force would otherwise constitute a legitimate act of self-defense and where the state from which the non-state actor staged or launched the attack is either unwilling or unable to take preventive or responsive action.
This lower evidentiary burden was used to justify the US invasion of Afghanistan in late 2001 as well as the May 2011 assault against the bin Laden compound in Pakistan. The United States asked the Taliban to surrender al Qa`ida; the Taliban said no; the United States invaded to effect self-defense. Pakistan claimed it knew nothing about bin Laden’s whereabouts; the United States conducted a precision attack well inside Pakistan’s borders without asking permission. Criminal groups do not need to be state actors to merit a US cyberspace attack response.
Cyberspace attacks and ransomware can be dramatically reduced with this simple formula:
- Penalize businesses that pay ransomware with huge fines.
- Sanction states that are sponsors of ransomware (the Sanction and Stop Ransomware Act).
- Do not, under any circumstances, have the US government start paying for businesses’ cybersecurity (the moral hazard would be endless).
- Allow businesses attacked to take back whatever was stolen from them (issue Letters of Marque and Reprisal).
- Have the Department of Defense (US Cyber Command) conduct cyberspace attack (below the level of armed conflict) against the computer networks of such criminal groups wherever they exist: freeze their hard drives; steal their money; publish their names. Nothing prohibits such defensive activities below armed attack today.
Sadly, such a formula risks political escalation and thus is a non-starter for this administration. Our cyber adversaries know this. Thus, cyberspace will continue to remain the dumpster fire domain it has become.
James Van de Velde, Ph.D., is an Associate Professor at the US National Intelligence University and Adjunct Faculty Member at Johns Hopkins University. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Although Russian President Putin is allowed to see the list and Americans are not, the list of sectors *not to be attacked,* presumably, is the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency’s list of 16 critical US infrastructures: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, Water and Wastewater Systems.