The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: Russia agrees to cyber rules and violates them at the same time


with Aaron Schaffer

As President Biden prepares to go toe-to-toe with Vladimir Putin at a summit in Switzerland this week, the United States and its allies are facing a test over whether they will hold Russia accountable for continually violating rules of good behavior in cyberspace. 

Russia has readily agreed to many of those rules, including that nations shouldn’t hack each other’s critical infrastructure and shouldn’t harbor cyber criminals in their territory, as Ellen Nakashima and I report.

But it has violated those rules just as readily. 

And the United States and its allies haven’t imposed sufficient consequences to change Russia’s bad behavior. 

“It certainly seems that states want others to behave well in cyberspace, and there are some key states that just aren’t. So you have to do something about it,” Michele Markoff, the State Department’s acting coordinator for cyber issues, told us.

Markoff was the U.S. delegate to a United Nations group of governmental experts that drafted a suite of voluntary “norms” last month laying out what nations should and shouldn’t do in cyberspace. The agreement essentially reaffirmed and expanded a set of commitments first made in 2015.

Russia endorsed those norms along with the United States and 23 other nations. But it has shown no intention of actually abiding by them. 

Specifically, the norms should bar Russia from allowing ransomware gangs to operate on its territory. 

And they should compel Russian law enforcement to extradite the criminals who lock up victims’ computers and demand payment to unlock them, so that those criminals can face trial in the United States and elsewhere.

But Russia has allowed those gangs to conduct their operations with impunity — including the DarkSide gang, which locked up computers at Colonial Pipeline last month, causing gas shortages in the southeastern United States.

It's widely believed those gangs are allowed to operate in Russia provided they don't attack Russian victims, as Isabelle Khurshudyan and Loveday Morris report.

Pressed on the issue, Putin has played dumb.

“I do hope that people would realize that there hasn’t been any malicious Russian activity whatsoever,” he said at a recent economic forum in St. Petersburg.

He also mused that Russia might hand over cyber criminals who operate on its territory if the United States would do the same. 

Biden said he’s “open” to such a deal, but national security adviser Jake Sullivan clarified that only meant that the United States already abides by international agreements about extraditing hackers. 

Indeed, the United States is a signatory to a 2001 international agreement known as the Budapest Convention that requires nations to investigate cybercrimes on their territories and to extradite hackers. Russia is not.

U.S. officials have sought to play down expectations of any progress in the Biden-Putin talks. 

They’ve noted that U.S.-Russia relations are at a low point and Sullivan warned not to expect a “light-switch moment” at the meeting. 

Analysts say there’s little hope of Russia changing its behavior unless it is consistently punished for violating cyber norms.

Sanctions imposed by the United States and Europe haven’t done the trick. The Justice Department also has indicted numerous Russian hackers but with little expectation that they’ll ever see a U.S. courtroom. 

Other options include more significant and joint economic punishment from the United States and its allies or some form of digital retaliation. 

“Unless you hold these countries accountable, having nonbinding norms doesn’t fundamentally change our security situation,” said Dmitri Alperovitch, a cybersecurity expert and executive chairman of the Silverado Policy Accelerator think tank.

“These norms have moral force, and if a country signs up to them, there’s a political commitment and an expectation that they’ll be observed. And other countries should hold them accountable when they’re not,” said Christopher Painter, who was the State Department’s top cyber official in the Obama administration.

U.S. officials and analysts, however, say there’s great value in the U.N. norms even if Russia isn’t eager to abide by them. 

They make it easier for countries that do abide by the norms to band together to punish those that don’t, for example. 

A key agreement from the Group of Seven meetings in England this weekend involved working collectively to combat ransomware. 

“The international community — both governments and private sector actors — must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that states address the criminal activity taking place within their borders,” the group agreed, according to a White House fact sheet.

The norms also make it more likely that nations that are just developing their cyber capabilities will follow the model set by the United States and its allies rather than the Russian model. 

“The goal is to build consensus among developing countries like Brazil and Indonesia so that they will support actions against violators,” said James Lewis, a cyber policy expert at the Center for Strategic and International Studies who was an adviser to the U.N. group. 

“The norms don’t talk about how to hold countries accountable,” Lewis said. “That’s the next step.”

Chat room

Cybersecurity experts debated Putin's offer to exchange cybercriminals.

The keys

NATO leaders plan to endorse a policy to defend against and counter cyberattacks at a summit today.

NATO’s new Cyber Defense Policy will aim to make the alliance more resilient to cyberattacks such as ransomware targeting critical infrastructure, the Biden administration said in a fact sheet. The leaders will back the policy at a summit in Brussels today, days before Biden meets with Russian President Vladimir Putin in Switzerland.

The leaders also plan to “affirm the importance of defending our networks and ensuring allies rely on trustworthy providers for next-generation telecommunication networks.” That’s a reference to Huawei and other Chinese vendors of fifth-generation telecommunications equipment that the U.S. government says are insecure and could allow China to spy on sensitive communications.

A McDonald’s data breach affected operations in the United States, South Korea and Taiwan.

Some customer and employee information was exposed in the breach, the world’s largest fast-food chain said. It was discovered by consultants investigating unauthorized activity on the company’s internal networks.

McDonald’s was able to “quickly identify and contain recent unauthorized activity on our network,” the company said in a statement. Some business contact and franchise information was exposed in the breach, but it was neither sensitive nor personal, the company told employees in an email, per the Wall Street Journal.

A major U.S. labor union refused to pay a ransom to hackers in 2019.

The Teamsters bargained down a $2.5 million ransom demand to $1.1 million but eventually decided not to pay at the urging of its insurance company, NBC News’s Jonathan Allen and Kevin Collier report. The FBI advised the organization to “just pay” the ransom and said it could not assist further, a person familiar with the cyberattack said.

The FBI, which did not respond to requests for comment, officially discourages organizations from paying ransoms to hackers.

Union officials were eventually able to rebuild and restore their computer systems, and members' personal information was not compromised, a union representative said.

Global cyberspace

China’s new power play: More control of tech companies’ troves of data (Wall Street Journal)

NATO leaders to discuss Russian disinformation, China - Merkel (Reuters)

Hill watch

Lawmakers press Biden to give Putin ultimatum on ransomware gangs (Politico)

Cyber insecurity

Bitcoin and Encryption: A Race Between Criminals and the F.B.I. (New York Times)

Puerto Rico’s power distributor suffered a cyberattack hours before a devastating fire (Wall Street Journal)

Burgeoning ransomware gang Avaddon appears to shut down, mysteriously (CyberScoop)


  • Senate Intelligence Committee chairman Mark R. Warner (D-Va.) discusses cybersecurity and other issues at a Washington Post Live event today at 11 a.m.
  • House Homeland Security Committee panels hold a hearing on lessons learned from the U.S. government response to a ransomware attack on Colonial Pipeline on Tuesday at 2:30 p.m.
  • Dustin Moody, the head of the National Institute of Standards and Technology’s cryptographic technology group, discusses the future of cybersecurity and quantum technology at a Center for Strategic and International Studies event on Tuesday at 3 p.m.
  • Cisco CEO and chair Chuck Robbins discusses cybersecurity and other issues at a Washington Post Live event on Wednesday at 9 a.m. 
  • A Senate Homeland Security and Governmental Affairs Committee panel holds a hearing on cybersecurity threats to state and local governments on Thursday at 10:15 a.m.
  • The University of Southern California’s Election Cybersecurity Initiative will hold its final spring workshop on Thursday at 4:30 p.m. ET. 
  • Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence who has been detailed to President Biden’s National Security Council, discusses Biden’s recent cybersecurity executive order at a National Security Institute event on Friday at 1 p.m.
