As a presidential candidate in 2020, Joe Biden never mentioned ransomware. As president, however, he must craft a solution to a burgeoning economic and national-security threat that may now rank as dangerous as terrorism.
Ransomware attacks, perpetrated by hackers who paralyze an organization’s computer network and demand a ransom payment to unlock it, aren’t new. They date back to at least 2006 as a kind of side gig for enterprising hackers. What is new is the corporatization of ransomware attacks and the use of cryptocurrency as an untraceable form of payment, which has led to an explosion in the number of attacks. Known attacks rose by at least 150% in 2020, while the average ransom paid soared by 171%, to $312,000. As Yahoo Finance’s Dan Howley recently reported, the worst is probably yet to come.
Ransomware emerged from the shadows with the May attack on Colonial Pipeline, which disrupted gasoline supplies on the East Coast and caused temporary price hikes. Colonial paid a $4.4 million ransom in bitcoin and got back online within a week. The DarkSide hacking group, which operated the ransomware tools — mostly likely out of Russia — said it didn’t mean to attack U.S. infrastructure, and was shutting down. But that probably just means it will rebrand and emerge in a different form.
The public impact of the Colonial Pipeline hack has drawn more attention to other ransomware attacks, including recent ones on meatpacking giant JBS and a Martha’s Vineyard ferry operator. Many ransomware attacks aren't publicized, however, because there’s no requirement to report them and disruptions aren’t always apparent.
Ransomware hackers are typically non-government groups solely seeking to make money. While many operate in Russia and former Soviet-bloc nations in Eastern Europe, they’re not the same as the Russian government hackers who perpetrated attacks such as the 2020 SolarWinds hack, which penetrated numerous U.S. government agency systems, and the 2016 election interference also linked with the Russian government. Ransomware perpetrators, by contrast, prefer to avoid sensitive targets likely to trigger a law-enforcement or national security response.
This focus on private-sector entities that may still have national significance is part of the thorny problem Biden faces. "The challenge here in the United States is we have a system where regulators want to protect infrastructure, but much of it is owned and operated by private companies,” says Safa Shahwan Edwards, deputy director of the Atlantic Council’s cyber program. “Government can respond but to be effective, they have to collaborate with private companies.”
Biden has promised to address the whole range of cybersecurity threats, and in May he signed an executive order aiming to strengthen cybersecurity throughout the government and the economy. Biden and his top officials have suggested they may retaliate against Russia for hacks by government operatives or private citizens operating inside Russia. The issue seems certain to surface in Biden’s upcoming summit meeting with Russian president Vladimir Putin in Geneva on June 16.
But there’s no template for responding to ransomware attacks, and it’s now Biden’s job to develop one. The government discourages hacked companies from paying ransoms, since that makes the business lucrative and only encourages more of it. Businesses may feel they have no choice, however, if the alternative is building a new network from scratch, staying offline for weeks and sacrificing valuable data. Cost may not be a barrier for companies that have ransomware insurance. And some businesses, such as hospitals, could endanger lives if they held out against ransomers.
WASHINGTON, DC - MAY 13: U.S. President Joe Biden delivers remarks on the Colonial Pipeline incident in the Roosevelt Room of the White House May 13, 2021 in Washington, DC. President Biden said his administration doesn’t believe the Russian government was behind the pipeline attack and the fuel shortages should end by this weekend or next week. (Photo by T.J. Kirkpatrick-Pool/Getty Images) ·Pool via Getty Images
In April, an industry group called the Ransomware Task Force published a report laying out the problem and proposing solutions. Among the top recommendations: Tougher regulation of cryptocurrency to make it more easily traceable, required reporting of attacks and ransom payments, published standards for preventing and addressing attacks, and added pressure on governments such as Russia’s that provide safe haven to hackers. The Biden administration is moving toward some of these reforms. But the Senate still hasn’t confirmed Biden’s nominees for two top cybersecurity jobs, and other key slots are unfilled as well.
On June 2, the White House circulated guidance for business leaders from Anne Neuberger, the top cybersecurity official on the National Security Council. They include regular testing of backup systems, exercises simulating response to a hack, hiring third-party experts to probe for weaknesses and segmenting networks so one breach can’t take down a whole system. More is likely going on behind the scenes.
Republicans hoping to retake one or both houses of Congress in the 2022 midterm elections are probing for Biden’s weaknesses. Biden obviously bears no blame for attacks that have disabled private businesses, but unforeseen tail risks can loom large in politics, including the sinking of Jimmy Carter’s presidency after one term and transforming that of George W. Bush. U.S. officials have worried for decades about attacks on critical infrastructure from hostile nations and terrorists. Criminal profiteers are now part of the threat matrix, as well. How Biden addresses that could shape his own presidency.
