I Wrote This Article About Ransomware Attacks and Now I Can't Sleep at Night
PLUS: A review of Steven Soderbergh's "No Sudden Move"
Ransomware hackers were at it again last week, this time targeting the software company Kaseya, which serves businesses that have outsourced their IT departments. The hackers, a group calling itself REvil, locked up Kaseya’s systems and then demanded $70 million to unlock them. The effect of this hack was mainly felt by hundreds of small businesses in the United States, but it also rendered inoperable the cash registers of a large grocery store chain in Sweden and knocked a number of schools offline in New Zealand.
It isn’t clear who REvil is or where they’re operating from, but they communicate in Russian and apparently write their code so it can’t infect computers in Russia, so maybe Russia is a pretty good guess? Or maybe they’re just your friendly new neighbors who brought you brownies as a housewarming gift…nah, it couldn’t be them. Anyway, whoever they are, it’s probably fair to say they’re not too much of a nuisance to Vladimir Putin.
Now the big question is what President Biden is going to do about it. These ransomware attacks are becoming more and more common—recall the Colonial Pipeline Company hack perpetrated by an Eastern European group that caused a rush on gasoline along the east coast this past spring, as well as the hack of the DC Police Department by a Russian-speaking group, which resulted in the release of confidential personnel files and secret intelligence reports onto the dark web—so there’s increasing pressure on the administration to crack down before a bolder attack does some real damage. When he met with Putin in Geneva last month, Biden demanded Putin intervene to end the ransomware attacks and laid out sixteen red lines that, if crossed, would result in retaliation from the American government. Consequently, the latest attack doesn’t look great for Biden. House Minority Leader Kevin McCarthy called Biden “weak on Putin,” which, like, whatevs Kev, but there are calls from both sides of the aisle for a strong and proportionate response that lets the Russian strongman know we’re fed up with these shenanigans.
The problem here is that it is very difficult to precisely calibrate a response, and there is great risk that an act of retaliation could escalate into something disastrous. Cyber security and cyber warfare are topics the American public has not given a lot of consideration to, and for a country that figures the size of its bombs and the might of its army are more than enough to crush a would-be foe and keep them from our shores, a cyber conflict might result in a rude, humbling, and humiliating awakening for the American people. The United States is not good at waging unconventional war, and a cyber war would be the most unconventional conflict we have yet entered.
The Russian government has been the source of much online mischief over the past few years. Sensing an opportunity to inflame political divisions in the United States, a pro-Russia troll farm in St. Petersburg inundated American social media systems at the height of the 2016 presidential campaign with pro-Trump/anti-Clinton messages and fabricated news stories; similar actions were undertaken during European elections. More egregiously, Russian military intelligence hacked the DNC and Hillary Clinton’s presidential campaign and released files and emails that proved embarrassing to Clinton during the 2016 election. Last week we also learned Russian hackers infiltrated the computer systems of a contractor for the RNC. In December 2020, cybersecurity officials discovered a massive hack of government databases and tech firms in what many regard as the greatest act of cyber-espionage yet. US intelligence traced that breach—known as the SolarWinds Hack, so named for the IT firm that was compromised—back to Russian hackers with connections to the Russian government.
Democratic Senator Dick Durbin of Illinois described the SolarWinds Hack as “virtually a declaration of war,” to which I say, hold your horses. In the first place, we’re probably attempting a lot of the same right now. It’s what spies do. And secondly, maybe we should take a step back and try to find a way to put this all into perspective before we go throwing around words like “war” in relation to a nation whose government possesses nuclear weapons and a highly developed cyber arsenal of its own.
I admit I have a lot to learn when it comes to the issue of cyber security. It’s also hard for regular-old civilians like me to determine just how serious a lot of these breaches are given the secrecy that inherently surrounds encrypted data. (For example, did hackers get ahold of a DoD NOC list or a Pentagon parking permit registry? There are good reasons why both lists would be hidden behind a password and my rule of thumb is if you need a password to look at something and you don’t have that password, don’t go snooping, but the Russians getting their hands on one of those lists worries me a bit more than the other.) But from what I’ve read, here are three things I hope the higher-ups are thinking about when they’re evaluating these cases and formulating responses.
First, what’s the purpose of the hack? The SolarWinds hack was an act of espionage carried out to gain intelligence. The purpose of a ransomware attack is monetary gain. Other hacks may be more instrumental in nature and designed to achieve a physical result, such as shutting down a power plant or the public water supply. As loathsome as espionage or ransomware may be, these last examples are probably more malicious as they threaten public safety.
Secondly, and following on from above, what’s the target of the hack? The Kaseya hack inconvenienced a bunch of mostly small businesses. SolarWinds targeted government databases. But what if the hack targeted the nation’s physical infrastructure? The Colonial Pipeline hack was problematic because it basically shut down a pipeline that supplied fuel to much of the eastern seaboard. How would our responses to hacks that target information differ from hacks that target finances? What about hacks that target physical plants and operations?
(Now, if you think hacks that result in some sort of physical consequence are the most serious, consider that the country widely believed to be the first to develop such an attack was the United States, which, with Israel’s assistance, used malware called Stuxnet to cause the centrifuges in Iran’s nuclear facility in Natanz to spin out of control and self-destruct. Whether by accident or not, Stuxnet soon began popping up on computers around the world. Since that time, the U.S. has been developing cyber weapons that could shut down Iran’s infrastructure in the event of war, although Iran also learned from the experience and is presumed to be developing similar cyber weapons that could be used against us. The terrifying implications of this for national security are explored in the documentary Zero Days, currently streaming on HBO Max and available to rent for only $2.99 on Amazon.)
Finally, who orchestrated the hack? Was it an official government agency? Or was it an independent group of hackers? If it was an independent group of hackers, do they have ties to a government or not? If they do, how deep are their ties? Perhaps the government tolerates their activities so long as they aim at targets within the borders of geopolitical adversaries.
The major issue right now is how closely groups like REvil are affiliated with the Russian government. It’s hard to believe Putin would allow rogue hackers to operate with impunity in Russia since they could easily turn the cyber weapons at their disposal against Putin’s regime. If Putin does want to meddle with the West’s red lines, it may be easiest for him to do so behind the plausible cover of non-governmental free agents who earn their keep in foreign-sourced cyber-currency. Consequently, when Biden tells Putin to rein these hackers in, he’s probably really telling Putin to cut it out and agree that these transnational ransomware incidents need to stop before things go too far and get out of hand.
If Biden can’t convince Putin to do that, it’s easy to imagine how this all escalates. One option at Biden’s disposal would be to identify and target the hackers with a retaliatory cyber attack. Such an attack might go after a hacker’s bank account or hardware. It’s unclear if that would be a real deterrent, though, since whatever was lost could probably be replaced fairly easily. It would also require the United States government to target individuals within Putin’s zone of protection, although the strike could be justified as limited in scope and not unprecedented.
Alternately, Biden could retaliate in kind if he believed the Kremlin was either behind a hacker group’s actions or tolerating their activity. This might mean the US government would (for example) respond to a ransomware attack on a pipeline by shutting down a pipeline somewhere in Russia. The risk here is that a cyber attack of this nature could have real world physical consequences that go beyond the inconvenience of having to clean a computer of some meddlesome malware. Putin might also regard an official government response like this to a “rogue” hacker group as excessive and respond in kind, leading to escalation and, potentially, catastrophe.
How catastrophic? Some say the worst case scenario would be a cyber attack that targeted the power grid in the middle of winter. That seems almost too obvious, though. A worse scenario occurred this past February when someone hacked a Florida water treatment plant and directed the facility to raise the amount of lye in the water to dangerous levels. Lye, for the record, is one of the main ingredients in Drano. Thankfully, that attack was spotted before any damage could be done. Would Putin go that far? Would someone else? Do we have any idea what the rules of cyber warfare permit or forbid? The bottom line is that anything that runs on a computer system—a banking system, air traffic control towers, nuclear power plants—is potentially vulnerable, so, um…sweet dreams.
Finally, Biden could target Putin himself by going after the personal finances of Putin and his allies. It’s hard to know how Putin would respond to that or if it would really hurt him all that much, although it seems Putin probably wouldn’t hesitate to send some fake news about Hunter Biden and his dealings in Ukraine to the folks at FOX News in retaliation.
I have no idea how all this will work itself out. Ideally, the solution would entail convincing Putin that cyber weapons, like nuclear weapons, have tremendous destructive potential for all involved and should only be developed as a deterrent. At the moment, however, Putin seems determined to continue poking at the West’s soft spots in an effort to destabilize it, so he’ll probably keep it up. Even if Putin has a sense for how far he can push the U.S. before we punch back, I worry free agent hackers in other nations (or even in our own) will start stealing from his playbook and take things too far, at which point we go too far, too, and…well, here’s to keeping the lights on for the next ten years.
Photo credit: PixelPrivacy.com
—
Vincent’s Picks: No Sudden Move
(Vincent’s Picks theme song here.)
Set in 1954 Detroit, Steven Soderbergh’s latest film No Sudden Move (streaming on HBO Max) starts off as just another day on the job. Gangsters Curt Goynes (Don Cheadle) and Ronald Russo (Benicio del Toro) are hired by Doug Jones (Brendan Fraser, in a role that will leave a lot of people saying, “So that’s what’s happened to that guy”) to “babysit” a family while a third gangster (Kieran Culkin) takes the husband (David Harbour, destined to be this decade’s premier character actor) to his place of work so he can retrieve a file from his boss’s safe. No one’s supposed to get hurt, but you know how that works in films like this.
No use revealing any more here about the events of this film since it gets nice and twisty. While the plot turns a bit murky in the middle, you remain in good hands throughout. Soderbergh is a master of the crime and caper genre (think Out of Sight [1998], Ocean’s Eleven [2001], and Logan Lucky [2017]) and is confident enough as a filmmaker to know if a story is told with style that the audience will hang around to find out how it all comes together in the end even if we miss a few plot points along the way. (And if you’re into style, dig the score by David Holmes.)
Of course, crime and caper films also inevitably involve people trying to relieve others of their money and valuables, and that allows Soderbergh to indulge a favorite theme of his: the conditions of life in a capitalist society. The three previously mentioned films all involve the little guy outwitting a deep-pocketed target who either deserves to be separated from his wealth or who can spare a few bucks. Sometimes Soderbergh’s disdain for irresponsible capitalists is front and center (Erin Brockovich [2000] and The Informant! [2009]); at other times, Soderbergh steps back to let us witness the wheels of the market turning and driving the choices of his characters (Traffic [2000], The Girlfriend Experience [2009], and Magic Mike [2012]). No Sudden Move begins as one of these latter films before the revelations contained in the aforementioned file drop us into one of the former. This is a McGuffin that can’t be written off as a plot device.
Any film that takes place in 1950s Detroit will traffic in that ultimate symbol of American capitalism, the car. That product turned Detroit into a corporate metropolis with a thriving middle class; it also played a major role in shaping the racial geography and the environmental degradation of American cities, as this film in both subtle and not-so-subtle ways demonstrates. Those are two side effects of American capitalism Soderbergh wants us to note.
More significantly, however, No Sudden Move argues that in a capitalist society, the rich and powerful have the luxury of being able to play the long game. In this film, in one way or another, every character is scheming and in possession of a secret that would terribly inconvenience someone else if revealed. But the sort of leverage that comes with that isn’t distributed equally. As one character tells two others who, “against all laws of history, nature, [and] class—no caste,” have managed to arrange a meeting with him, “You do not make rules. You follow them….You are playing by [my rules] now, even if you walk out of here with my money.” Opportunity and quick thinking—a sudden move—have brought these two characters to this point. The system is stacked against them in the long run, though. Mere survival is all the system will allow as their consolation prize.
Thanks for reading.
If you like what you’ve read, feel free to share with others and invite them to subscribe. And thank you to everyone who has subscribed already!
Exit music: “What Have I Done to Deserve This?” by Pet Shop Boys (1987, Actually)