Ransomware and International Politics

Ransomware has seized the public’s attention after a number of dramatic incidents, from Colonial Pipeline to Kaseya, highlighted its rapid growth in scope, scale, and cost. This is a resilient and profitable criminal enterprise and unlikely to shrink absent firm action by the United States and policy change by Russia.

The future of ransomware will be determined largely by progress (or lack thereof) in cyber talks between the United States and Russia. President Biden made it clear to Putin that the ransomware crisis is the United States’ priority for cyber talks, not the Russian proposals for a series of meetings on recycled ideas for cyber arms control. This usefully prioritizes the discussion, but these talks will be difficult as there are only a few incentives the United States can offer Russia in exchange for moving against ransomware (and cybercrime in general). The natural instinct in Moscow will be to offer token concessions and seek drawn-out talks that confirm Russian parity with the United States as a superpower.

The only audience that counts for ransomware providers is the Kremlin. Moscow’s approval, tacit or otherwise, is the key to their continued operations. These are criminal groups; they do not seek public approval, nor does public condemnation faze them. Despite any opprobrium attached to the perpetrators, as long as ransomware providers remain in Moscow’s good graces and avoid trips outside of Russia, they are untouchable. The Kremlin is similarly hardened against Western criticism. Condemnation by the international community is unlikely to sway a government that openly poisons opponents and attacks neighbors. Ransomware providers are useful to the Russian government and will not be lightly discarded, and there may even be a degree of satisfaction in Moscow over their successes and the resultant Western fright.

Ransomware is a business. Ransomware providers do market surveys, conduct analysis to determine price points, and often rely on third-party cloud and financial services to carry out their operations. These are not amateurs. While this business model suggests some avenues for action by the United States and its partners against ransomware providers, it also suggests these providers possess a high degree of resilience. They can be inventive and opportunistic when needed, as shown by the innovation of pressuring victims by adding threats to release embarrassing stolen data in addition to encrypting their data and holding it hostage. Bans on cryptocurrency or ransom payments are not a panacea as they will only drive the operations of these criminal entrepreneurs deeper underground without any significant reduction in crime. Relying on such bans would be largely symbolic unless made part of a strategy to dismantle the criminals’ command and financial networks.

The future of ransomware will also be determined by the progress made in improving security and resiliency in U.S. and foreign networks. Ransomware takes advantage of basic security and coding failures. These should be straightforward to remedy. Additionally, and until recently, few companies had put in place the necessary safeguards and redundancies to protect against ransomware (understandably, as the threat was underappreciated, and these steps add cost without providing a return). How much progress the United States makes in improving domestic cybersecurity by following the path laid out in the May 2021 Executive Order will also shape the future of ransomware.

But more secure coding and better cyber hygiene practices domestically will only shrink, not eliminate, the opportunities for cybercrime and ransomware. They will not eliminate them because social engineering will remain effective, users have been resistant to adopting better cyber hygiene practices, using multifactor authentication, or encrypting data, and exploitable coding errors remain common in many commercial products.

It is possible that the Kremlin, for negotiating purposes, may in the future suppress some of the dramatic, large-scale ransomware episodes involving disruption of critical infrastructure or hundreds of targets. This could happen if Moscow sees an opportunity to use bilateral cyber talks to achieve its long-term, global information and cyber diplomacy goals. It is equally reasonable to conclude that, given the continued success of phishing, the slow rate of improvement in secure coding and cyber hygiene, and the vulnerable legacy code used in many businesses and critical infrastructures, the United States should not expect a decline in the number of incidents or the costs of ransomware unless there is action by Moscow.

James Andrew Lewis is senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2021 by the Center for Strategic and International Studies. All rights reserved.
