Conflict by other means: “Cyber is geopolitics.”

Courtesy of the Wilson Center, Kennan Institute Director Matthew Rojansky and Silverado Policy Accelerator Co-Founder Dmitri Alperovitch held a press briefing yesterday morning on the topic of Russian and Chinese cyber mischief and the Biden Administration’s response. 

Staging malware in the power grid; using ransomware with economic effect.

Alperovitch opened by noting the “striking” divergence between the Administration’s rejoinders to Holiday Bear’s targeted, restrained romp and Hafnium’s reckless, untargeted campaign, which left “everyone literally on the planet who was running a vulnerable Exchange Server” exposed. He called the tepid response to China a “glaring oversight” and a “clear double standard,” given past sanctions against Russia, North Korea, and Iran. 

Russia’s norm-violating behavior, in Alperovitch’s view, includes the following: 

1. ransomware
2. prepositioning malware in the energy grid
3. election interference
4. indiscriminate disruptive and destructive attacks
5. economic espionage

He considers grid staging “highly escalatory” since it lacks any apparent espionage function, but sees ransomware as the offense that has reached a “tipping point,” jeopardizing the US’ economic and national security. 

Rojansky added that ransomware merits concern as a “direct attack on the livelihood of ordinary Americans,” a pillar of President Biden’s platform. He fears ransomware will become entrenched as Moscow’s favored asymmetric weapon, and categorized Russia’s failure to crack down on the responsible gangs as an “active omission.” The attacks not only cause financial damage, but can be used for strategic political ends, undermining public confidence, for example.

Ask for restraint, quietly, but back diplomacy with credible consequences.

Looking back on the missteps and successes of the previous five Administrations, Alperovitch and Rojansky think the best approach to President Putin is quiet and direct, with a carefully tailored ask, backed up by a credible consequence. Past attempts have fallen short when the ask or consequence were unclear. 

The pair recommended in a recent Washington Post editorial a set of sanctions meeting the clarity and credibility criteria, but acknowledged that reasonable disagreement exists on the optimal path forward. Europe won’t like sanctions that hinder trade with Russia, for instance. What’s important is that the chosen measures are effective and believable. The US can’t and doesn’t expect to bring an end to all cyber mischief, but does need to keep a lid on norms-violating activity. 

While the disruptive cybercrime out of China is not yet on Russia’s level, Alperovitch said it’s a troubling trend that should be intercepted at the pass with unambiguous messaging. In addition to sanctioning the responsible parties, the US should impose cost on Chinese firms that profit from the CCP’s IP theft. 

Keeping the channels of communication open is also important for progress. With both China and Russia, there’s the temptation to demonstrate national displeasure with certain decisions by cutting off communication, but doing so can impede movement on other fronts.  

Difficulties of achieving strategic stability in cyberspace.

Alperovitch doesn’t have high hopes for the upcoming strategic stability dialogues with Moscow, given the wide chasm between US and Russian cyber demands. The Kremlin is concerned chiefly with internet governance and sovereignty topics, where Washington won’t give ground. The countries do need to address issues like putting nuclear systems off limits, and related questions around novel technology (that could otherwise undermine “arms control as we’ve known it,” in Rojansky’s words.) If the conversation strays too far beyond the basics, however, participants risk encountering a “stalemate” or “poison pill.” Rojansky stressed that different issues can be addressed at different levels, from plenary to technical and ministerial, and that both leaders have expressed a desire for advancing predictability. 

Ransomware, Rojansky and Alperovitch agreed, is both a unique concern and a test case for other stability topics. REvil’s disappearance may or may not signal progress. Since the gang appeared to dismantle its own infrastructure, the move doesn’t seem to be a result of direct US or allied efforts. That leaves two options: either REvil felt the heat, and decided to lay low for a while, or Moscow stepped in. If the latter alternative occurred, Alperovitch said that would represent an “important win” for the US, and one we’d keep quiet to allow President Putin to save face. Rojansky thinks we haven’t yet reached the point of active collaboration with Russia on cybercrime—since such collaboration requires robust agreement on terms and conditions—but left open the possibility of discrete, behind the scenes maneuvers.

Other gambits in cyber diplomacy.

On the question of Israeli spyware, Alperovitch thinks Jerusalem’s method of “cyber exploitation diplomacy,” in which the Government courts prospective allies with perilous tech, has gone off the rails and deserves greater oversight.  

As for what markers of success laypeople should watch for when trusting cyber diplomats to work their magic, Rojansky mentioned two: routine communication, and a significant downshift in ransomware attacks. He noted that other APTs could enter the vacuum, but said these would likely present less of a threat than nuclear-powered Russia, allowing greater latitude in Washington’s response. 

Alperovitch thinks the US shouldn’t look to cyber innovations for rescue, given their expense. Even should Federal and Fortune 500 stakeholders find a way to shield their assets, the vast “underbelly of vulnerability,” encompassing small businesses, schools, nonprofits, and local governments, could not scrape together the resources and human capital to implement effective defenses.  

Alperovitch concluded by reminding participants that “cyber is geopolitics.” Washington doesn’t face a cyber dilemma, but rather a Russia, China, Iran, and North Korea dilemma.