On Friday, news broke about yet another devastating ransomware attack, reportedly carried out by the group REvil, believed to be operating in Russia, on an IT operations tool used by around 40,000 companies worldwide. Early estimates suggested that the number of impacted organizations is over 1,000, some of them smaller businesses that can ill afford to pay either the ransom or the significant IT costs associated with recovering their data and restoring their networks.
Before such devastating ransomware attacks become a routine occurrence, President Joe Biden must deliver a quiet but forceful demand: Russian President Vladimir Putin must put an immediate stop to this activity or Washington will tighten the squeeze of sanctions on the Russian economy.
This year has already seen a string of major cyber breaches: ransomware attacks on the Colonial gas pipeline and JBS meat processing facilities; the SolarWinds hack; and a major email server breach by, reportedly, Chinese government-sponsored hackers. Unlike many previous attacks, which often impacted high-profile companies, this new campaign targeted small organizations all over the world who lack a dedicated IT staff and instead hire managed service providers to run their networks. According to reports, a Swedish supermarket chain had to shut down 800 stores and 11 New Zealand schools had their data impacted. The culprits demanded as much as of $70 million dollars for across-the-board data restoration.
While we won't know about the full scope of the attack for some time, its nature and timing make it significant for the Biden administration. Because smaller and medium-size businesses and organizations have been targeted, it represents a chance for Biden to make good on his promise of "a foreign policy for the middle class" and his pledge that "economic security is national security." It is also an important test for his evolving approach of tough engagement with Russia. In remarks immediately following his June summit with Putin, Biden said: "Responsible countries need to take action against criminals who conduct ransomware activities on their territory." If this latest attack was indeed launched at least in part from Russia, then Biden's own strategy demands he take action.
In contemplating his response, Biden should take into account the potential connections between the Russian security services and REvil hackers. Although it is quite plausible that top Russian officials neither directed nor even had prior knowledge of REvil's latest attack, it is certainly conceivable that lower and midlevel officials are aware of the hackers and their activities. If Putin chose to take the problem seriously, as Biden demands, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States.
Moscow's typical practice is to deny any responsibility for such attacks and to avoid taking action unless it is in its own perceived interest. In this case, Putin may see an advantage in allowing the ransomware problem to fester, since it has already created potentially valuable negotiating leverage. Putin may think that the more these ransomware attacks create disruption, the more Washington will give up to secure Moscow's cooperation against ransomware criminals. This view may underestimate American resolve to resist such pressure and to retaliate for the increasing economic pain these attacks are causing, but in the absence of credible consequences for inaction, Putin is unlikely to expend any resources to stop ransomware attacks that principally harm Western businesses and citizens.
Biden, however, cannot allow Putin to drag his feet. He should present Putin with a clear message, proffered privately and directly: Moscow must immediately identify the responsible individuals operating in its territory or subject to its control, produce the encryption keys necessary to unlock the victims' data and put a halt to potential future ransomware attacks from within its borders. If not, Washington — the Biden administration along with, hopefully, bipartisan support from Congress — should hit Russia where it hurts by sanctioning its largest gas and oil companies, which are responsible for a significant portion of the Russian government's revenue. Biden can expand sovereign debt sanctions already in place that would make it harder for Russia to raise funds from international creditors. And Biden should insist that the response from Russia comes within days, not weeks or months. U.S. businesses and consumers cannot afford to wait.
Clearly, even faced with such a threat, Putin may still choose not to cooperate. He may think Biden is bluffing, since some U.S. allies, who've become increasingly reliant on Russia-supplied energy, would be hurt by the sanctions. Putin may also hope to extract concessions from the U.S. in exchange for cooperation — for instance, acquiescence to Russia's domestic Internet censorship as a cybersecurity issue, a long-standing Russian priority. He might not try merely to avoid future sanctions, which Putin likely considers an inevitable and even acceptable cost of forcing Washington to deal with Moscow as a great power. Putin also faces an assortment of domestic political challenges, including a new wave of coronavirus cases, potential inflation and upcoming elections in the Duma, the lower house of Russia's legislature, in September. He may hope to delay any serious negotiations with Washington until he is in a stronger position at home.
Putin's possible reluctance to make concessions means that Biden will have to be prepared to follow through, including by working urgently to reassure and assist European and Asian allies whose economic interests would be impacted by future sanctions. Since Moscow has long anticipated new sanctions, the Russians have contingency plans in place, such as the announcement, last week, by Russia's finance minister, that the country's National Wealth Fund will "reduce investments" "in dollar assets." Trading partners in Europe and Asia — which import considerable amounts of Russian energy — could face a painful choice of winding down energy contracts impacted by sanctions, and losing access to Russia as an export market, or else lose access to U.S. markets and currency.
Some might argue that instead of or in addition to threatening sanctions, Biden should pull out of cybersecurity talks he and Putin agreed to last month. That would be a mistake. Five American presidents have negotiated with Putin. Their experience demonstrates that success comes from adopting a focused agenda, clear conditionality and direct, private communication — not public chest-thumping.
Stopping ransomware attacks is an urgent problem with consequences for all Americans, not just big companies and tech interests. Biden was right to raise the issue with Putin in Geneva. Now, he has an opportunity to set the future tone by delivering a quiet but clear ultimatum and, if necessary, follow through on it. If this opportunity to draw a bright line is missed, these attacks risk becoming Russia's asymmetric weapon of choice against the United States.
Opinions expressed by Dmitri Alperovitch and Matthew Rojansky are their own. Alperovitch is chairman of the Silverado Policy Accelerator, and Rojansky is director of the Wilson Center's Kennan Institute. They wrote this for The Washington Post.