Cyber Command Is in the Ransomware Game—Now What?

By Erica D. Lonergan, Lauren Zabierek
Thursday, December 16, 2021, 11:01 AM

At the Reagan National Defense Forum on Dec. 4, Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, publicly acknowledged for the first time that the U.S. military has taken measures to “impose costs” against ransomware groups. This acknowledgment reflects a shift in approach by the U.S. government, which no longer sees ransomware primarily as a law enforcement issue. Nakasone did not specify which ransomware groups were targeted, nor what types of costs were imposed—or how. But it seems that recent events, such as the Colonial Pipeline attack, helped to catalyze this policy shift within the government.

News that the U.S. government has leveraged the military to take action against ransomware groups is not surprising. Earlier this summer, we explored what a role for the military in this space might look like and outlined several questions for Cyber Command and policymakers to consider. Between our collective experience in the Department of Defense and the Cyberspace Solarium Commission (though our views are personal), we understand both the power of and the challenges faced by the military when confronting nontraditional targets. However, while it seems to be “game on” for the military in combating ransomware, it’s still not clear whether some of those key questions are any closer to being answered. Below, we reflect on what stands out to us as the most significant unresolved questions in light of this news.

First, one positive indication observers can glean from Nakasone’s remarks is that the military is not the only (or even the primary) locus of effort against ransomware groups. Nakasone repeatedly emphasized the importance of domestic and international as well as public and private partnerships, sharing information across stakeholders, and capitalizing on “a number of different levers within our government,” including not only law enforcement but also diplomacy. This is a good thing—while the military possesses unique authorities and capabilities, policymakers should not turn to it as the primary tool for solving every policy challenge in cyberspace (or any other domain). Moreover, the use of the military can pose more delicate issues when operations are conducted against non-state criminals, rather than traditional nation-state adversaries (especially given concerns about the militarization of cyberspace by key actors). Therefore, more clarity is needed on how the role of the military is conceptualized relative to other instruments of power and, importantly, on the mechanism that enables coordination of different authorities and resources across the government toward a shared objective. Put simply, if countering ransomware is a whole-of-government effort, who is in charge and under what conditions? The answer to this question may change depending on the situation, such as the nature of the actors involved (the extent of their affiliation with adversary governments), the severity and scope of the incidents, and the broader geopolitical context.

Second, the fact that the public is finding out nine months after the fact—it’s not clear whether and when other groups within government may have been informed prior to the public statement—raises the issue of transparency. This includes not only the timing of public disclosure but also information about how a particular military cyber operation supports existing strategy and policy (the strategic justification for the use of military force), the authorities under which an operation is executed, the scope of the operation and its intended duration, the results of the operation, and the involvement of different government agencies or departments. All of this information could be communicated in a way that protects operational security and sources and methods.

Transparency is important for several reasons. On a domestic level, secrecy can be in tension with democratic values that prioritize oversight of the use of military force. For instance, it’s not clear which authorities were relied upon to support the cost-imposition operations against ransomware groups and, as a result, the level at which they were approved and the extent of congressional oversight. In addition, given that the private sector is often the target of adversary behavior in cyberspace, including what could be retaliation for actions taken by the U.S. government, there should be greater transparency around what thresholds would trigger the use of military force for national security objectives. This would include providing specific information, in some cases, to private-sector stakeholders that may be directly or indirectly affected by U.S. operations. Finally, when law enforcement has driven anti-ransomware operations, the public is typically briefed on the outcomes and information is shared about how ransoms are recovered and infrastructure is shuttered, and which actors are targeted. The public benefits from these disclosures.

From a strategic perspective, Jason Healey and Robert Jervis point to the potential for a Rashomon effect in cyberspace stemming from overclassification, which may cause different actors to have wildly divergent understandings of the same situation. Beyond this concern, it is difficult for analysts to assess strategic outcomes absent basic information about the nature of military cyber operations. In other words, observers—including stakeholders in other parts of the government—can’t know whether cyber strategies are working if they can’t measure and collect data about critical variables. In the case of ransomware, groups such as REvil, DarkSide, BlackMatter, and others have emerged, disappeared, and reconstituted in various forms. To what extent are any of these dynamics a result of military (or law enforcement) actions taken by the U.S. government or its partners? What do these patterns reveal about the short- or long-term efficacy of cost-imposition approaches to addressing ransomware? Limited information also makes it difficult to assess the potential for unintended consequences or to understand how U.S. behavior shapes the dynamics of strategic interactions. For instance, while many scholars have found little evidence of escalation dynamics in cyberspace, we don’t know what new risks may be created by military operations against non-state criminal actors, nor do we have a basis for comparing these against other types of targets and operations.

Third, the public statement about the military’s operations to counter ransomware groups emphasized threats to critical infrastructure as an implicit justification for this approach. As we argued previously, there is a strong case to be made for the national security implications of significant cyber incidents targeting those critical functions and processes that underlie the American economy and way of life. However, a challenge with leveraging critical infrastructure as a mechanism to support the use of military force is that it’s something of a catchall category. By executive order, there are 16 critical infrastructure sectors in the United States, encompassing nearly every aspect of American society (and it’s worth noting that other nations’ perspectives on critical infrastructure differ, even among allies, which alters the perception of what should and shouldn’t be off limits). And the criteria for what truly “counts” as critical—defined in Section 9 of that order—remain opaque. Experts and policymakers have advocated for revising or even expanding how critical infrastructure sectors are designated, such as recent calls to define space as a separate sector or to institutionalize the concept of “Systemically Important Critical Infrastructure.” Therefore, a threat to critical infrastructure as a trigger for military cyber operations risks becoming a slippery concept; it is important to define more clearly, in advance, what is actually critical and the conditions under which, as a result, it would be justifiable to use military authorities and resources.

Finally, over the summer we warned about the twin risks of mission creep and prioritization against a backdrop of finite resources and personnel to tackle the diverse and growing set of missions that have fallen within Cyber Command’s purview. How trade-offs will be made between new activities, like counter-ransomware operations, and existing missions remains underspecified. In fact, this issue was implicit in Nakasone’s remarks; at the same time that he discussed the military’s role in ransomware, he also highlighted its role in election defense and conveyed that Cyber Command was already preparing to defend against the inevitable next round of election interference. This raises the question: What is being sacrificed or put on the back burner when the military is used to counter ransomware, and what is the process that governs decision-making around shifting priorities?

As we argued in our previous post, there is a compelling case for the military to get involved in counter-ransomware operations that reach the threshold of significant risk to national security—and we stand by that argument. However, making this case demands greater transparency and clarity around how military authorities and resources are utilized, and how they relate to other governmental authorities and capabilities. With military cyber operations possibly ongoing, further attacks likely, and the cyber force likely to grow, now is the time to address these concerns.