with Aaron Schaffer
But it has violated those rules just as readily.
And the United States and its allies haven’t imposed sufficient consequences to change Russia’s bad behavior.
“It certainly seems that states want others to behave well in cyberspace, and there are some key states that just aren’t. So you have to do something about it,” Michele Markoff, the State Department’s acting coordinator for cyber issues, told us.
Markoff was the U.S. delegate to a United Nations group of governmental experts that drafted a suite of voluntary “norms” last month laying out what nations should and shouldn’t do in cyberspace. The agreement essentially reaffirmed and expanded a set of commitments first made in 2015.
Russia endorsed those norms along with the United States and 23 other nations. But it has shown no intention of actually abiding by them.
Specifically, the norms should bar Russia from allowing ransomware gangs to operate on its territory.
And it should compel Russian law enforcement to extradite the criminals who lock up victims’ computers and demand payment to unlock them so they can face trial in the United States and elsewhere.
But Russia has allowed those gangs to conduct their operations with impunity — including the DarkSide gang, which locked up computers at Colonial Pipeline last month, causing gas shortages in the southeastern United States.
It's widely believed those gangs are allowed to operate in Russia provided they don't attack Russian victims, as Isabelle Khurshudyan and Loveday Morris report.
Pressed on the issue, Putin has played dumb.
“I do hope that people would realize that there hasn’t been any malicious Russian activity whatsoever,” he said at a recent economic forum in St. Petersburg.
He also mused that Russia might hand over cyber criminals who operate on its territory if the United States would do the same.
Biden said he’s “open” to such a deal, but national security adviser Jake Sullivan clarified that only meant that the United States already abides by international agreements about extraditing hackers.
Bloomberg News's Jennifer Jacobs:
Biden’s nat’l security adviser did some cleanup on Biden’s comment on cyber criminals—POTUS wasn’t saying he would do a criminal exchange with Russia; he was saying they’re already held to account in US. “I think that was overread or misread in the press,” @jakesullivan46 told us https://t.co/fL2TfUh5sQ— Jennifer Jacobs (@JenniferJJacobs) June 13, 2021
Indeed, the United States is a signatory to 2001 international agreement known as the Budapest Convention that requires nations to investigate cybercrimes on their territories and to extradite hackers. Russia is not.
U.S. officials have sought to play down expectations of any progress in the Biden-Putin talks.
They’ve noted that U.S.-Russia relations are at a low point and Sullivan warned not to expect a “light-switch moment” at the meeting.
Analysts say there’s little hope of Russia changing its behavior unless it is consistently punished for violating cyber norms.
Sanctions imposed by the United States and Europe haven’t done the trick. The Justice Department also has indicted numerous Russian hackers but with little expectation that they’ll ever see a U.S. courtroom.
Other options include more significant and joint economic punishment from the United States and its allies or some form of digital retaliation.
“Unless you hold these countries accountable, having nonbinding norms doesn’t fundamentally change our security situation,” said Dmitri Alperovitch, a cybersecurity expert and executive chairman of the Silverado Policy Accelerator think tank.
“These norms have moral force, and if a country signs up to them, there’s a political commitment and an expectation that they’ll be observed. And other countries should hold them accountable when they’re not,” said Christopher Painter, who was the State Department’s top cyber official in the Obama administration.
U.S. officials and analysts, however, say there’s great value in the U.N. norms even if Russia isn’t eager to abide by them.
They make it easier for countries that do abide by the norms to band together to punish those that don’t, for example.
A key agreement from the Group of Seven meetings in England this weekend involved working collectively to combat ransomware.
“The international community — both governments and private sector actors — must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that states address the criminal activity taking place within their borders,” the group agreed, according to a White House fact sheet.
The norms also make it more likely that nations that are just developing their cyber capabilities will follow the model set by the United States and its allies rather than the Russian model.
“The goal is to build consensus among developing countries like Brazil and Indonesia so that they will support actions against violators,” said James Lewis, a cyber policy expert at the Center for Strategic and International Studies who was an adviser to the U.N. group.
“The norms don’t talk about how to hold countries accountable,” Lewis said. “That’s the next step.”
Cybersecurity experts debated Putin's offer to exchange cybercriminals. Chris Painter, president of the Global Forum on Cyber Expertise:
Maybe I’m a pessimist, but I doubt this will happen: https://t.co/MOtyxzwSla. Russia never extradites its citizens. I know this fm my prosecutor & G8 days. I expect this is a savvy ploy that will result in “I will give you low level criminal if you give me CyberComm personnel.”— Chris Painter (@C_Painter) June 13, 2021
Jack Rhysider, the host of the Darknet Diaries podcast, and Rendition Infosec Chief Technology Officer Jake Williams:
Slippery slopes are slippery.— Jake Williams (@MalwareJake) June 13, 2021
CNN senior global affairs analyst Bianna Golodryga:
The point here isn’t that Biden will actually be naive enough to hand over someone just because Putin says they perpetrated cyber crimes against Russia. Rather it’s that Putin’s offer is not a serious one and it doesn’t merit much, if any, attention.— Bianna Golodryga (@biannagolodryga) June 13, 2021
NATO leaders plan to endorse a policy to defend and counter cyberattacks at a summit today.
NATO’s new Cyber Defense Policy will aim to make the alliance more resilient to cyberattacks such as ransomware targeting critical infrastructure, the Biden administration said in a fact sheet. The leaders will back the policy at a summit in Brussels today, days before Biden meets with Russian President Vladimir Putin in Switzerland.
The leaders also plan to “affirm the importance of defending our networks and ensuring allies rely on trustworthy providers for next-generation telecommunication networks.” That’s a reference to Huawei and other Chinese vendors of fifth-generation telecommunications equipment that the U.S. government says are insecure and could allow China to spy on sensitive communications.
A McDonalds data breach affected operations in the United States, South Korea and Taiwan.
Some customer and employee information was exposed in the breach, the world’s largest fast-food chain said. It was discovered by consultants investigating unauthorized activity on the company’s internal networks.
McDonald’s was able to “quickly identify and contain recent unauthorized activity on our network,” the company said in a statement. Some business contact and franchise information was exposed in the breach, but it was neither sensitive nor personal, the company told employees in an email, per the Wall Street Journal.
A major U.S. labor union refused to pay a ransom to hackers in 2019.
The Teamsters bargained down a $2.5 million ransom demand to $1.1 million but eventually decided not to pay at the urging of its insurance company, NBC News’s Jonathan Allen and Kevin Collier report. The FBI advised the organization to “just pay” the ransom and said it could not assist further, a person familiar with the cyberattack said.
The FBI, which did not respond to requests for comment, officially discourages organizations from paying ransoms to hackers.
Union officials were eventually able to rebuild and restore their computer systems, and members' personal information was not compromised, a union representative said.
- Senate Intelligence Committee chairman Mark R. Warner (D-Va.) discusses cybersecurity and other issues at a Washington Post Live event today at 11 a.m.
- House Homeland Security Committee panels hold a hearing on lessons learned from the U.S. government response to a ransomware attack on Colonial Pipeline on Tuesday at 2:30 p.m.
- Dustin Moody, the head of the National Institute for Standards and Technology’s cryptographic technology group, discusses the future of cybersecurity and quantum technology at a Center for Strategic and International Studies event on Tuesday at 3 p.m.
- Cisco CEO and chair Chuck Robbins discusses cybersecurity and other issues at a Washington Post Live event on Wednesday at 9 a.m.
- A Senate Homeland Security and Governmental Affairs Committee panel holds a hearing on cybersecurity threats to state and local governments on Thursday at 10:15 a.m.
- The University of Southern California’s Election Cybersecurity Initiative will hold its final spring workshop on Thursday at 4:30 p.m. ET.
- Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence who has been detailed to President Biden’s National Security Council, discusses Biden’s recent cybersecurity executive order at a National Security Institute event on Friday at 1 p.m.