Make Russia Take Responsibility for Its Cybercriminals

The United States needs a new legal doctrine to handle state-tolerated attacks.

By Michael John Williams, an associate professor of international affairs at Syracuse University’s Maxwell School of Citizenship and Public Affairs.
A law enforcement official listens as U.S. and U.K. officials announce warrants for the arrests of Maksim Viktorovich Yakubets and Igor Olegovich Turashev, two Russian hackers associated with a group called Evil Corp, at the U.S. Justice Department in Washington on Dec. 5, 2019. Samuel Corum/Getty Images

Last week, CIA Director William Burns met with Russian President Vladimir Putin’s top national security advisor in Moscow in an effort to reduce U.S.-Russian tensions. The meeting was a good idea—but failed, again, to establish credible red lines when it comes to Russia’s newest form of state-tolerated organized crime—cyberattacks.

Three successive U.S. administrations have failed to develop any form of doctrine to adequately address increasingly problematic cyberattacks from unattributable sources that plague U.S. businesses and can even endanger lives. Instead, the private sector has been left to deal with ever more destructive and dangerous ransomware attacks unassisted, and Russia continues to do nothing about cyberattacks originating from Russian territory. The U.S. government has been loath to get involved, but existing international law and history offer us compelling arguments for the U.S. government and its NATO allies to issue a doctrine of cyber-responsibility that takes the fight to the Kremlin, rather than allowing Russia and other actors such as North Korea and Iran to walk all over the United States and its allies.

Cyberattacks, broadly defined, are efforts to steal, alter, expose, disable, or destroy information via unauthorized access to a computer or a wider computer network. They can be individual mischief—or concerted efforts by a state. Attacks range in scope and type. One of the most common, familiar to most readers, is phishing, where the scam uses a fake hyperlink presenting as a known entity to the target to steal credentials such as credit card data. More sophisticated operations include denial-of-service attacks, which flood a system’s resources and cause it to crash, and malware strikes that render a system inoperable.

An increasingly common, and dangerous, form of attack is ransomware, which uses highly sophisticated malware to hold critical data hostage or break down the entire system until a ransom is paid. According to the Harvard Business Review, ransomware attacks have changed in recent years, with an emphasis away from just freezing a system toward exfiltration of data with the threat to post it on the dark web if the ransom is not paid—raising the stakes for targets and their clients.

Most cyberattacks using ransomware are unattributable to governments but can be traced to specific locations. Generally, these attacks are perpetrated by individuals who are part of syndicates such as the Lazarus Group, believed to be linked to North Korea, and the Cobalt Group, which has attacked more than 100 financial institutions in 40 countries, with an average score of $11 million.

In 2020, ransomware attacks were up 150 percent over the previous year, and the total amount paid by targets in 2020 increased a massive 311 percent. Microsoft’s Digital Defense Report attributes 58 percent of cyberattacks to actors in Russia. It is impossible to establish that the Russian government controls these actors, but it is next to certain that the Kremlin allows them to engage in their malicious pursuits. As former Russian hacker Dmitry Smilyanets explains, attacking Russian targets or Moscow’s allies invites prosecution by the Russian government, whereas attacking Western targets is tolerated and is technically not illegal under Russian law.

There are far fewer hacker syndicates based in places such as Japan, Australia, and Canada holding data hostage because those countries—and many others, including the United States—enforce domestic laws that prevent such activity at home or against targets abroad. Russia tolerates these activities for a couple reasons. First, any and all attacks against Western targets sow discord in the United States and Europe, discord that the Kremlin finds beneficial to Russian interests. It creates animosity toward democratically elected governments and causes citizens to lose faith in their financial system. Second, allowing these hackers to cultivate skills and technologies provides an asset that the Kremlin could utilize when necessary.

The Kremlin hides behind the obscurity of the internet and the effective control doctrine that states currently apply to determine culpability for cyberattacks. The doctrine stems from the 1984 International Court of Justice ruling pertaining to paramilitary groups in Nicaragua that recognizes state control over nonstate actors only when those actors perform in complete dependence on the state. This burden of proof is impossible to meet online.

The effective control doctrine has been applied to Russia in the past, such as during the Russian invasion of Georgia, but the Kremlin successfully countered that it was not in control of so-called Russian patriots. Similarly, the ransomware attacks on the Colonial Pipeline originated in Russia but were not at the direction or under the control of the Russian state.

This status quo cannot continue. Instead, the United States should espouse, and codify into domestic and formal international law, an overall control doctrine for cyberspace. This would be rooted in international law originating from the International Criminal Tribunal for the Former Yugoslavia, specifically the Tadic case. The court held that the state was responsible for actions by nonstate actors when the state has a role in organizing, coordinating, and/or providing support for such groups or individuals. But the argument needs to be taken a step further: In the 21st century, when a state is “unwilling or unable” (akin to the Responsibility to Protect principle) to stop its territory from being used for malicious purposes, the international community has a right to respond.

The basis for this legal argument is also found in the Tallinn Manual, a nonbinding academic study on the application of international law to cyberspace. Historical precedent also exists to back up this case. In 2001, the United States and the United Nations legally held the Taliban responsible for the al Qaeda attacks that were planned and launched in Afghanistan, due to the Taliban’s sheltering of the group, even though the Taliban did not explicitly condone, plan, or execute the attacks.

Getting U.S. government assets, in particular the U.S. military, involved in defending the private sector and commercial assets may seem dangerous, but an entire branch of the military was created for the sole purpose of defending U.S. commerce. Shortly after independence, when U.S. shipping no longer benefited from the protection of Britain’s Royal Navy, in 1784 a Moroccan corsair attacked and captured a U.S. merchant ship off the Barbary Coast—the first of many targeted by the Barbary pirates. In 1786, Thomas Jefferson and John Adams met with an envoy from the Barbary state of Tripoli in London and asked that American shipping be allowed to trade unharmed by the marauders; they were rebuffed. Shortly thereafter, in 1794, the U.S. Congress established a permanent navy for the explicit purpose of stopping attacks on U.S. shipping, and by 1801, the U.S. Navy was fighting alongside Sweden in a full-blown war against the Barbary pirates.

U.S. President Joe Biden telling Putin that 16 areas of critical infrastructure are off limits from Russian government attacks is the 21st-century equivalent of the futile trip to London. Action, not words, is required to create effective cyberdeterrence against nonstate entities shielded by the Russian government. The situation will become only more dire as countries such as China begin to employ similar tactics.

Washington needs to unequivocally state that public and private entities of the United States and its NATO allies are off limits and that it will hold all governments that foster cybercriminals responsible for their actions, thereby shifting the burden of proof to Russia, rather than to targets of the attack. Including NATO allies in this declaration is extremely important, as it relies on the same logic as extended nuclear deterrence. To just protect U.S. entities would shift the focus of attacks to allies—only an alliance-led guarantee would prevent any and all Russian meddling. The United States and its allies should support the creation of an agency along the lines of the International Atomic Energy Agency to determine attribution and monitor compliance.

The Biden White House should lead the way. But given that several successive administrations have been unwilling to take the necessary steps, the burden may fall on Congress to craft laws to protect the U.S. national interest. NATO allies should follow suit at home and present a united front against Russia and other states that foster cybercriminals to advance their own nefarious aims at the expense of open, democratic societies.

Michael John Williams is an associate professor of international affairs at Syracuse University’s Maxwell School of Citizenship and Public Affairs.
