Date: 2022-01-21
Ever since last spring’s assaults on the systems of the 5,500-mile-long Colonial Pipeline and meat-processing juggernaut JBS, President Biden has been making a modest request of his counterpart in Moscow: Enforce the law. But while the Kremlin has been happy to police Jehovah’s Witnesses, dissidents and business executives who’ve found slightly too much success, officials are less eager to prevent criminals from wreaking havoc abroad by hacking servers and demanding money to restore them. These groups tend to operate with impunity in Russia, as long as they pick the right victims — or whenever authorities ask them to strike.
With the REvil arrests, Mr. Putin has proved Mr. Biden’s point. He does have the power to curb the incursions plaguing libraries, schools, hospitals and city halls. The rub is, he also has the power to do nothing. Russia sends this signal at the same time it is amassing troops, armor and aircraft along its border with Ukraine, and at the same time the United States is vowing to retaliate in the event of an invasion. The message is simple: Like seeing cybercriminals behind bars? Then don’t make us angry. Meanwhile, several Ukrainian government agencies have had their websites defaced and their data wiped in recent days. The attack, initially disguised as ransomware, hasn’t been attributed yet — but many suspect it originated in Russia or Belarus. The U.S. Cybersecurity and Infrastructure Security Agency has cautioned critical infrastructure organizations to stay on high alert.
The White House shouldn’t be cowed. Russia’s “ransomware diplomacy,” as one expert put it, should encourage the United States to consider cyber an essential component of its arsenal as well. That means more explicit threats about not only the economic consequences but also the cyber consequences Moscow will face for interfering with sensitive targets here, or for having hacking collectives do so at its behest. Defense is as important as offense; the administration is seeking to remedy decades of negligence, most recently in a memorandum directing national security agencies to secure themselves. CISA is trying to help the private sector stay safe, too.
So far, so slow — Wednesday’s memo, for instance, came six months later than a 60-day deadline imposed in May’s sweeping cybersecurity executive order. Government Accountability Office reports have also found that agencies have been haphazard in implementing recommendations and requirements. A robust cybersecurity strategy is no longer a matter of preparing for the future; now, it’s a critical part of contending with the present.