Offensive Cyber Operations: A National Security Imperative
With ransomware attacks growing year after year and threatening critical infrastructure across nations, it is time for a coalition approach to take offensive action against criminal groups.
Organized criminal groups across the globe have adopted highly profitable cyber exploitation as a new line of business. According to the Verizon 2022 Data Breach Investigations Report, the 13% year-over-year increase in ransomware breaches was as large as the increases of the previous five years combined. Targeted organizations in 2022 included school districts, universities, hospitals and utilities.
The worldwide targeting of critical infrastructure and essential services represents a growing threat to economic stability and national security. The DarkSide group, a Russia-based criminal enterprise, is responsible for the 2021 Colonial Pipeline Company ransomware attack and extorted over $90 million in just a nine-month period from victims worldwide. According to a January 26, 2023 press release by the U.S. Department of Justice, the Hive ransomware group, also likely based in Russia, extorted over $100 million in ransoms over the preceding 18 months. These events appear to be among the drivers for the March 2023 U.S. National Cybersecurity Strategy.
The Colonial Pipeline case is one recent example of how impactful ransomware attacks have become. Debilitating ransomware attacks are not new, but the panicked fuel buying and resulting fuel shortage in the Northeastern United States drew more media attention than most earlier attacks. The Colonial attack prompted concern over the vulnerability of similar infrastructure. According to Greg Touhill, former U.S. federal chief information security officer and current director of Carnegie Mellon University’s Software Engineering Institute CERT Division, “Ransomware attacks continue to present one of the most serious threats to commerce and critical infrastructure in the immediate future.”
These ransomware events forced society to recognize just how fragile infrastructure systems are in the face of this type of attack. I contend that the worldwide growth of targeted cyber attacks and the disruption of essential services represent a real and growing national and international security threat.
Ransomware continues to plague both commercial and government systems across the globe. Historically, cybersecurity programs have been purely defensive, focused largely on user education and on technical and administrative controls to address system vulnerabilities and manage enterprise risk. Despite this focus, a purely defensive approach does not appear to be making an impact against the growing criminal threat. The United States’ approach must change if it is to have any positive impact. Current threat conditions call for a different, more aggressive course of action against organized ransomware gangs.
Defense-in-depth has been the de facto approach to securing government and commercial networks for over a decade. This focus on defense has driven rapid growth in cybersecurity spending on defensive software, hardware and awareness training. The expanding threat continues to stimulate large increases in security-related spending, which consumes ever larger percentages of corporate resources. As outlined in Verizon’s 2022 Data Breach Investigations Report, ransomware and other cyber exploitation continue to grow rapidly despite the increased corporate spending on cyber defense. The current model is unsustainable: increasing defensive cybersecurity spending is not curbing the growth in ransomware and other cyber crime.
The Colonial Pipeline attack may serve as the wake-up call for a global war on cyber crime. What is required is an offensive war on cyber crime like those campaigns against the global drug trade and terrorism. Nations with cyber forces will need to effectively coordinate active offensive measures to deny criminal groups access to computing resources.
It was only after DarkSide attacked a high-visibility target that its computer infrastructure was seized by authorities. Many nations have well-established cyber warfare elements that are quite capable of executing offensive cyber operations, but most of these national resources are focused exclusively on national security objectives. Collectively, these nations could apply the full range of their offensive cyber capabilities against criminal elements, just as has been done to thwart the drug trade and global terrorism. The growing threat to critical infrastructure sectors poses an international security threat, especially as essential services are targeted.
Today’s cyber adversary is generally well-organized and well-funded, possessing a wide assortment of state-of-the-art cyber weapons. These criminal groups have international reach and safe havens in some countries. I advocate that it is time to form a coalition of like-minded nations to take the battle to these criminal groups. The new National Cybersecurity Strategy may enable this type of international cooperation. Individual companies and nations cannot effectively combat this global threat through defensive methods alone and cannot spend their way out of the growing threat ahead. Countering it will require effective international public-private partnerships that produce a coherent approach, harnessing the full force, capability and cooperation of the respective governments and industries to aid in the common defense.
What is needed is an approach that radically changes the cost/benefit calculus for organized criminal groups. Outlined below are a few recent examples of how effective offensive strategies can complement the collective approach to protecting systems, data and users.
The Justice Department has reported executing a multimonth campaign to disrupt the Hive ransomware group. According to the department’s January 26, 2023 press release, the FBI had infiltrated Hive’s networks since July 2022, and the Justice Department ultimately seized control of servers and websites operated by the group, preventing over $130 million in demanded ransom payments. The FBI, in coordination with European law enforcement partners, captured the group’s decryption keys and distributed them to victims so they could restore their data without paying. According to FBI Director Christopher Wray, “The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations.”
Over the period from 2018 through 2022, two further law enforcement operations yielded well over a thousand arrests globally and the seizure of tens of millions in illicit cash, demonstrating a new era for cyber operations.
Operation Trojan Shield involved law enforcement agencies from 16 countries collaborating with the FBI. According to the Justice Department’s press release, the effort developed and distributed a “secure” messaging device, bought predominantly by criminal groups worldwide. The “ANOM” device advertised total privacy and was used by criminal groups to coordinate illegal activities, while law enforcement across the globe read all of the criminal exchanges. The effort led to roughly 800 arrests when it was first announced, with devices in use in over 100 countries, and it continues to yield criminal indictments and raise the cost of criminal activity.
In a similar effort, Operation Venetic, executed by the United Kingdom’s National Crime Agency, exploited the EncroChat encrypted phone network after French and Dutch investigators compromised the platform itself, giving law enforcement access to its messages. According to details on the National Crime Agency website, the operation yielded nearly 800 arrests and the seizure of over £54 million in cash. During the operation, law enforcement eavesdropped on criminals coordinating illegal activities. Criminal sentencing is still ongoing. The operation, coordinated with Europol and other European law enforcement agencies, has been described as the United Kingdom’s largest ever law enforcement operation.
These operations are excellent examples of what offensive cyber operations can bring to the fight against organized cyber crime, and they appear to exemplify what Pillar Two of the U.S. National Cybersecurity Strategy, Disrupt and Dismantle Threat Actors, will look like in practice.
An approach that includes offensive operations is precisely what is needed to combat the growth of cyber crime. The United States must change the risk-versus-gain calculus so that the risks of cyber crime are so great that any potential gain offers no attraction. This will require international coordination, as effectively demonstrated by the three operations highlighted above. It will require nations to share cyber intelligence, collectively identify criminal targets and eliminate all safe havens for these groups.
Continuing to pour increasing resources into more defensive tools and awareness programs only treats the symptoms of this global plague. A more effective and direct approach would be a coordinated international effort to seek out these groups, destroy their infrastructure and ability to operate, and embargo any nations providing them safe haven.
The community of users and like-minded nations needs a more aggressive approach to combat cyber crime effectively. The United States and other nations must recognize that the traditional education and defense approach is no longer enough. The full spectrum of cyber operations is needed to win this war on cyber crime. Equally strong offensive and defensive components are required to advance cybersecurity operations and safeguard national security and economic stability worldwide.
The new U.S. National Cybersecurity Strategy is an excellent step toward addressing this national security threat. It will take many years and extensive coordination and cooperation to fully implement the strategy. Bringing the full weight and capability of the nation to bear can begin to change the direction of the growing threat.
With over 36 years of service to the Central Intelligence Agency, Mark Spangler is an experienced cybersecurity leader who has provided a full spectrum of support to critical national security systems and missions. Spangler developed the Information Assurance program for the National Reconnaissance Office and served as its chief information security officer and director of cyber operations. He continues to provide cyber advisory services to government and industry, currently serves on AFCEA International’s Cyber Committee and is the senior cybersecurity advisor to the TriSept Corporation.
The opinions expressed in this article are not to be construed as official or reflecting the views of AFCEA International.