澳门六合彩

While the behavior of state actors (and their proxies) in cyberspace is a pressing national security concern, the recent wave of high-profile ransomware attacks serve as a stark reminder of the importance of addressing a wide diversity of actors and the range of relationships they can have with states around the world.聽

What role can and/or should international cooperation play in addressing this spectrum of actors? How should the Biden administration respond to the rash of attacks originating in Russia? What form should engagement with Russian President Vladimir Putin take? Where have we made the most progress and what gaps remain?

Key Takeaways

1. Russia, China, and the U.S. all have different objectives in cyberspace; understanding those objectives is a critical first step in developing any deterrence strategy.
2. Deterring malign behavior in cyberspace is complex with many possible inadvertent consequences. Many of these deterrence tactics have been tried before, and so the question remains what options are on the table now鈥攁nd what will their impact be?
3. It's critical to understand how adversaries view threats and opportunities in cyberspace.

Selected Quotes

Dmitri Alperovitch

"When it comes to ransomware, I think we can make progress, precisely because this is not a critical issue for Putin. It is not his government that鈥檚 orchestrating these attacks or directing them. He doesn鈥檛 know who these criminals are. It鈥檚 quite likely that these criminals are getting some level of protection from Russian intelligence services, but very likely at a low level. [...] So, these are precisely the types of people he can absolutely take action on, either arrest, ideally, and prosecute, or even just send a message. 'Knock this off, get back to just stealing credit cards.' Obviously we wouldn鈥檛 like this either but it would be much more preferable to the ransomware attacks that we鈥檙e seeing now. So, that鈥檚 exactly where we can get progress from Putin, with a credible threat of severe sanctions that would have an enormous impact on his economy, in a way that existing sanctions we鈥檝e put in place since 2014 really have not."聽

"A lot of people told us after our op-ed that we are advocating for some very severe sanctions, some unprecedented sanctions on the oil and gas sector of the Russian government, which is supplying quite a bit of funding for the annual budget. We鈥檙e advocating for secondary sovereign debt sales, which would have an impact on their ability to raise funds overseas. And the reason we did that is to really send a strong message to Russia that this is beyond the pale. We have a lot of problems with what Russia has been doing both in cyber and in the physical world over the last really almost 20 years. On cyber alone, we鈥檝e had the election interference issues that we鈥檝e been dealing with since 2015, we鈥檝e had destructive attacks like NotPetya鈥� and a whole slew of other nefarious activities that we鈥檝e complained to the Russian about鈥攊ncluding the recent SolarWinds attacks. But in our opinion, ransomware eclipses all of those鈥� Ransomware hits the pocketbooks of the average Americans. It hits our small businesses鈥� It鈥檚 the small and medium businesses, it鈥檚 the dentist offices, it鈥檚 the libraries, it鈥檚 the school districts, it鈥檚 the fire departments all over this country that are actually not in a position to either pay the ransom or do the necessary steps to recover their network after a devastating attack."

"Aside from the merits of doing sanctions on the specifics of the exchange hacks or on SolarWinds, just in the broader scheme of things, we have sanctioned China, we have sanctioned Iran, we have sanctioned North Korea for a variety of nefarious cyber activities over the years. We have never sanctioned China for anything they have done on cyber. Surely there is something that they鈥檝e done over the years that deserves sanctions, including, in my opinion, the massive theft of intellectual property that they鈥檝e been conducting for the better part of two decades. And yet we鈥檝e never taken that step."

"I think we actually need to have a multi-pronged approach to this ransom problem鈥� One of the big concerns that I have personally is the North Koreans who have dabbled in ransomware in the past, would take up the void and would start conducting huge numbers of attacks going forward to try to fund their regime鈥� This can鈥檛 be the only answer鈥攖his threat of ultimatum vis-a-vis Russia. We absolutely need to use cyber command and other intelligence assets that we have to try to disrupt these groups, try to take money back like we did with the ransom for the part of the colonial hack, we need to be going after the infrastructure, and doing a variety of things to make it difficult for them to operate."

Matthew Rojansky聽

"One of the pressure points is the belief in Moscow that there are limits to what the United States can do because of what our principal European allies and trading partners, and some of our Asian allies and trading partners, need vis a vis access to the Russian market, ability to trade on secondary markets in Russian debt, ability to deal directly with Russian, state-owned firms, and not have to make a zero-sum choice of dealing with the United States or dealing with these Russian firms. All of this is a way of saying鈥hat鈥檚 a real pain. It鈥檚 either economic pain to American companies, diplomatic pain to the United States in terms of dealing with allies, or, it鈥檚 the pain of having to force uncomfortable choices that we haven鈥檛 done before. If we鈥檙e imagining that we can make this ultimatum clear without that pain, then we are not imagining the right ultimatum."聽

"This speaks to the core of who we are as a nation. This is people鈥檚 livelihoods, this is their life鈥檚 work. When thousands of small businesses and medium businesses, community institutions like schools, medical offices, et cetera, are affected, as in the Cassaya hack some two weeks ago, this speaks to the core of President Biden鈥檚 message of a foreign policy for the middle class. If you鈥檙e going to stand up for the American middle class, if you鈥檙e going to stand up for small businesses, if you鈥檙e going to stand up to the American people when they鈥檙e directly attacked by criminals, this is something you have to take very seriously."

"The value of sanctions is the recognition of what matters to us versus things we just say. And I think鈥� in this comment about red lines, critical infrastructure, versus whatever doesn鈥檛 fit into that, is the issue of a lot of stuff gets said. A lot of stuff gets said between Washington and Moscow, a lot of stuff gets said between Washington and Beijing, and a lot of stuff gets debated in public. And messages get really muddled. And I argue that this has been an enormous problem in communicating clearly between Washington and Moscow."

"What I can say with certainty without necessarily having any insight into what the war plans are, is in case of a war between the United States and the Russian Federation, of course the Russians will turn off the lights. They will do more than that. They will use every cyber tool in their arsenal just as we would do. And the reason that I know that is because they do do that. To Georgia in 2008. They have done things short of that to Estonia. And they continue to do that to Ukraine."

Congressman Jim Himes聽

"For three presidential administrations now, I鈥檝e tried to make the case, that particularly with Russia, we鈥檙e going to be having a very big problem, until we actually effectively establish a sense of deterrence. And I was terribly disappointed with the Obama response to 2016鈥he 鈥淧NG鈥漣ng of, whatever the number was, sixty plus so-called diplomats, the closure of the Maryland facility鈥hat鈥檚 a slap on the wrist for Vladimir Putin. And we鈥檝e seen that consistently. And even someone like me, who has fairly good insight into the operations that we take, I can say with some confidence that we have not, in any way, established the deterrence鈥攁 sense that these adventures will be met with very costly responses."

"Twelve years ago, honestly, in this [Congress], if you said cybersecurity most people would look at you quizzically. And even people with stars on their epaulettes would look a bit confused when you asked what the Pentagon鈥� was doing about cybersecurity. That has gradually changed鈥� in the last couple of months. And I think that sea change is attributable to a couple of things. Number one, Colonial Pipeline was different than the other stuff. When you are really worried about gasoline lines in eastern Virginia that鈥檚 very different than the thrill that comes from seeing a Sony executives email that probably should never have been sent. In a way, it鈥檚 much more abstract鈥� And then, when people came to realize, as I came to realize鈥� that the government鈥檚 interaction with the company was not even close to optimal."

"You鈥� can鈥檛 talk about cybersecurity and cyber attacks without really thinking about privacy issues. So, there鈥檚 a new focus here in the Congress on all of those issues, but in particular, around cybersecurity."

"We always forget to mention, and to really think hard enough about, the rather inelegantly named 鈥渃yber hygiene.鈥� If you talk to Gartner, if you talk to the experts, they will tell you that we rarely see a zero-day attack. And therefore, almost all of the nefarious stuff that succeeds succeeds because people are sloppy about updating their software, about sticking unknown memory cards into their devices, clicking on links鈥� We don鈥檛 spend enough time thinking about that but that is by far the lowest cost and lowest risk way of taking a huge problem and making it a smaller problem."

Meg King聽

"I鈥檓 the optimist here in the group. I do think that because we have so many companies that rely on selling goods and services to China that we have an opportunity here, and I think the administration is trying to explore that, at least on the Chinese side. [...] We have seen some behavior change after the threat of sanctions in the past, but we have more tools than just sanctions that will likely make the Chinese think twice. So I think there is a lot of opportunity ahead and I hope that we can begin a dialogue, and at this point, we have zero dialogue, so we can only go up. "

"I look at this as one size shouldn鈥檛 fit all, and every country looks at cyberspace in a different way. And our signals鈥� don鈥檛 necessarily match those of other countries. And so, just applying the same tool against each adversary isn鈥檛 going to work."

"We鈥檝e done a lot of talking about sanctions, there鈥檚 a lot of other creative deterrence tools we have [at our disposal]. 鈥� A lot of the tools being used by states and nonstate actors were originally obtained from the U.S."