The Biden administration is moving to treat ransomware attacks as a national security threat, using intelligence agencies to spy on foreign criminals and contemplating offensive cyber operations against hackers inside Russia, U.S. officials and other sources familiar with the matter said.
Although using the military to take action against criminals wouldn't be without precedent, it's controversial in legal circles, and any American cyber action against targets in Russia would risk retaliation. But officials say criminal ransomware attacks from abroad, once a nuisance, have become a major source of economic damage, as the disruption of gasoline and meat supplies in recent weeks has illustrated.
"Right now, they are hair on fire," a former government official said of the Biden administration.
In an example of the new approach, the White House was unusually quick to point the finger at Russia for harboring the attackers, just one day after officials learned of the ransomware strike on the meat processor JBS. It's extremely unusual for a White House to publicly call out a foreign adversary over a single ransomware attack.
But momentum was building even before President Joe Biden took office. As the onslaught of ransomware attacks against hospitals and local governments increased, the National Security Agency began spying on certain foreign criminal hacker groups in the summer of 2019, according to a former official and three other sources familiar with the matter. Officials say the intelligence collection puts the U.S. in a better position to target the groups if the president orders a strike.
Because they're not carried out directly by governments, ransomware attacks like the ones that hit Colonial Pipeline and JBS have for years been treated as purely criminal matters, investigated by the FBI with an eye toward prosecution. Criminal accountability was rare, however, because most of the hackers live in Russia and other places outside the reach of U.S. law enforcement. Russia allows the hackers to operate without interference as long as they are attacking the West, U.S. officials say.
Even as the NSA began assembling data about ransomware groups, hospital systems were hit last fall by another wave of attacks. Sources said U.S. officials in charge of cyber policy became further convinced that it was time to focus more intelligence resources — and military cyberwarriors — on the problem.
"Sometime at the end of last year, everyone decided that this had risen to the level of a threat to national security," said James Lewis, a cyber expert at the Center for Strategic and International Studies who consults frequently with government officials.
Representatives of the NSA and U.S. Cyber Command declined to comment.
"While we won't comment on specific planned or ongoing operations, we provide options through the Department of Defense to the president," the Cyber Command spokesperson said.
The impact of ransomware attacks has grown since Biden took office, officials said. An attack on Colonial Pipeline last month led to gasoline shortages, and a strike against JBS threatened a quarter of America's meat processing capacity. Experts said Americans might have experienced significant meat shortages had JBS not gotten back online quickly — presumably by paying a ransom.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, issued an open letter Thursday urging corporate leaders to improve their cyber defenses.
"The number and size of ransomware incidents have increased significantly," she said. "The U.S. government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility."
Neuberger also said the U.S. government was seeking to "disrupt" ransomware networks. She didn't say how.
In a typical ransomware attack, hackers break into a corporate network and lock up data, demanding payment to release it. Some also threaten to post business secrets on the internet if payment isn't made.
Cybersecurity experts say successful ransomware attacks often take advantage of companies with substandard cyber defenses.
But even if every company and local government had the best defensive technology, hackers with enough time and money would find ways to get through, experts said. That's why the Biden administration is contemplating ways to deter ransomware gangs and the countries that give them sanctuary, principally Russia.
The White House said Biden will tell Russian President Vladimir Putin at their summit June 16 that Russia must stop harboring criminal hackers. But Lewis and other experts don't expect Putin to cave in to U.S. demands.
If he doesn't, Biden will have some decisions to make, current and former officials said, including whether to order offensive action by U.S. Cyber Command, the military hackers based at Fort Meade, Maryland, who wield cyber weapons that can take down networks and turn computers into bricks.
The military would be careful to operate in a gray area, just short of the international law definition of an act of war, said Gary Brown, a former Pentagon cyberwarrior who is a professor of cyber law at the National Defense University. That's exactly what Russia has been doing to the U.S. over the last decade, he said, with a campaign of disinformation, election interference and hacking.
Among the things Cyber Command could do, he said, would be to disrupt the hackers' ability to access their own networks and tools, "infect their networks with modified tools that have our own little special gifts attached to them" and harass some of the key players.
Indictments by the Justice Department also serve a purpose, he said, by blocking the hackers from most travel and access to the U.S. financial system.
The U.S. could also impose further economic sanctions, but "we've kind of pressed the sanctions button pretty close to the max," Brown said. "In my opinion, we seem to have kind of run the course on how much you can do with that."
Whatever the U.S. response has been, it hasn't led Russia to stop harboring the criminal hackers, said Glenn Gerstell, who retired last year after five years as NSA general counsel.
"We're not going to shut off all the lights in Moscow," he said, but "whatever it is we're doing now is clearly not producing the desired effect. We need to do something different."
Some scholars have urged caution in using the military. Jason Healy, a former White House official who is a cyber expert at Columbia University, made that argument in an article for the Lawfare blog in April, saying the military should be used only against criminal groups as a last resort, in response to imminent threats.
Military force has been used against criminals before, in raids to free U.S. hostages, such as when Navy SEALs rescued merchant ship crew members from Somali pirates in 2009, an incident that was portrayed in the Tom Hanks movie "Captain Phillips."
And in August, current and former officials said, Cyber Command took down a Trickbot, a botnet used to deploy ransomware. That was the first known use of military force against criminal hackers, and it was justified as a measure to prevent election interference, because Trickbot also could have been repurposed to disrupt the 2020 elections.
Cyber Command's mission is to defend the U.S. in cyberspace, Gerstell said.
"If the country is experiencing malicious effects from a cyberattack, that to me creates a justification for U.S. Cyber Com to be more aggressive," he said.