by Jean-Louis Gergorin and Léo Isaac-Dognin, co-authors of “Cyber, la guerre permanente” (Editions du Cerf, 2018), Paris
A year ago, we voiced our concerns regarding the exponential rise of ransomware attacks, and over the impunity enjoyed by certain cybercriminals – modern pirates sometimes more akin to corsairs – in the countries from which they conduct their operations.[1] At the time, despite ample commentary from cybersecurity firms and media, no senior western public official had ever spoken on record about the responsibility that states held in such events.
Sophisticated ransomware attacks
In the nine months leading up to October 2021, cyberattacks of all types have grown both in number and in impact, particularly when it comes to ransomware. A report by SonicWall, a cybersecurity firm, suggests that the number of ransomware attempts observed in the first half of 2021 – 304.7 million – was equivalent to that observed in the whole of 2020. Ransomware attacks have also grown in sophistication – recent attacks have even been linked to groups previously associated with the use of zero-day vulnerabilities, which until now had remained the exclusive realm of state-sponsored hackers.[2]
One of the most alarming traits of recent ransomware activity is the increase in attacks against public health systems and hospitals. The most dreadful of these targeted Ireland’s Health Service Executive (HSE), which manages all hospitals and health services across the country. Hit on 14th May 2021, the HSE had recovered a mere 70% of its IT systems by the end of June. As we write, Irish citizens still face delays of two to three months in registering births, leading to knock-on delays in accessing free healthcare or passports for newborns.[3]
Brussels’ enduring silence…
Responsibility for the attack was claimed with pride by a Russian group currently referred to as Wizard Spider and supposedly operating from St Petersburg. Most strikingly, the code in Wizard Spider’s Conti malware is specifically written to “uninstall itself if it locks onto a Russian language system or any systems featuring internet protocol (IP) address in former Soviet states”.[4] On 6th September, the Irish Gardaí’s National Cyber Crime Bureau announced that it had seized web domains used by Wizard Spider, to prevent a further series of attacks. This rare public intervention by an EU member makes it even harder to understand Brussels’ enduring silence regarding an attack of “unprecedented scale”, in the words of the former director of the UK NCSC, perpetrated by individuals who are knowingly based within the borders of a major EU economic partner.
… and Washington’s countermeasures
Such geopolitical passivity comes in stark contrast to the change of tone and strategy assumed by US leadership over the same period. It only took a few days after the ransomware attack against Colonial Pipeline for President Biden to publicly say the US would act to “disrupt” the capabilities of the group of cybercriminals that had claimed responsibility – named DarkSide, and who similarly used malware programmed to spare targets in former Soviet states – if Russia did not. A day later, DarkSide announced its self-dissolution “due to US pressure”.[5] This was quickly followed by news from the FBI that it had managed to recover 80% of the $4.4m bitcoin ransom paid out by Colonial Pipeline to restart its operations. Biden also announced he would be raising the issue with his Russian counterpart and did not under-deliver: half of the historic Geneva meeting between the two world leaders on 16th June focused on cybersecurity. It appears that the US President listed 16 types of critical activities that must be protected from cyber-disruption, and that both leaders agreed to reinstate a direct line between their administrations on matters of cybersecurity, as had briefly been implemented under the Obama presidency. Five days later, Alexander Bortnikov, head of the FSB, stated at a security conference in Moscow that Russia “will work with [the United States] on locating hackers and hope for reciprocity”.[6]
Pragmatic Russian-US dialogue
Following a separate attack against the US software supplier Kaseya by a group named REvil, whose effects reverberated across the globe on 9th July 2021, Biden immediately declared that he had called his Russian counterpart and made clear that the US expects Russia to intervene when “a ransomware operation is coming from its soil…if we give them enough information to act on”, later adding that the US would take down the perpetrators’ servers if Putin did not. On 13th July, REvil’s websites and other infrastructure vanished from the internet. Ten days later, Kaseya announced it had received the key to decrypt its files from a “trusted third party”.
REvil reappeared in early September and on 18 October was deemed responsible for an attack against the Sinclair Broadcast Group, one of the largest US TV station operators. Three days later, the FBI and US Cyber Command acted to definitively take down its infrastructure, according to people directly involved who were interviewed by Reuters.
All of the events above clearly point in the direction of an agreement between Presidents Putin and Biden that attacks originating from their respective spheres of influence against the other’s critical infrastructure are out of bounds, and to the fact that they will not hesitate to use cyber-offensive capabilities to enforce deterrence. This form of deterrence, specific to cyberspace, implies swift and focused retaliation each time a red line is crossed.
A recent article published in Kommersant,[7] one of Russia’s leading news outlets, suggests that Moscow is particularly satisfied to have established a new field of strategic dialogue on equal terms with the United States thanks to its multi-pronged, decade-long cyber strategy.
Shortfalls of the EU Cybersecurity Strategy
But while there may henceforth be reasons for cybercriminals to shift their attention away from US-based targets, the same cannot be said for Europe. Make no mistake, the authors of this paper commend the initiatives brought forward by the current European Commission in its renewed EU Cybersecurity Strategy, announced in December 2020.[8] Measures like the revised NIS Directive and the proposed new Directive on the resilience of critical entities pave the way for stronger protection of European critical infrastructure and services by heightening cybersecurity requirements and broadening their scope of application. These will be bolstered by further requirements on Internet of Things (IoT) devices, announced last month as part of a proposed ‘Cyber Resilience Act’.
In addition, the EU’s strategy plans the launch of a coordinated network of Security Operations Centres across the EU to enable faster detection, containment, and remediation of cyberattacks, together with a Cybersecurity Competence Centre based in Bucharest, as well as increased support to SMEs for research and upskilling. Thanks to the EU Recovery and Resilience Fund, Member States have themselves planned even further investments in public and private sector cybersecurity. The Commission is also expanding the EU External Action Service’s “Cyber Diplomacy Toolbox” and outreach activities to establish international norms of behaviour in cyberspace, support states in the EU’s “Eastern and Southern neighbourhood” with cyber capacity building, leverage the PESCO mechanism to coordinate responses to cyber-attacks, and impose sanctions where dialogue does not yield sufficient results. Finally, over the summer the Commission laid out its vision to build a “Joint Cyber Unit” that seeks to enable more coordinated operational responses to major cyber-attacks and facilitate further information sharing between member states.
Still, all these initiatives – collectively branded as a “Cyber Shield” for Europe – do no more than what they say: build resilience, or at best, soft forms of response to cyber-attacks. They do not address the current reality in cyberspace, namely that resilience and defence at large are insufficient and, above all, uneconomical to deter adversaries in cyberspace, as the cost to hackers remains low, and the pace of digital innovation continuously creates new risks. That is precisely the consequence of cyberspace becoming a “great equaliser in the way power can be used today by rogue states or non-state groups”, as expressed by President von der Leyen in her most recent State of the Union address.
European leaders must wake up
Too little is planned to end the impunity enjoyed by groups that attack European assets, and to grant Europe the ability to influence the behaviour of partners and rivals. We recommend four strands of action.
First: European leaders must wake up to the fact that cyberthreats have become a matter of national security to be dealt with at the highest political levels. In particular, commitments on cybersecurity similar to those agreed between Biden and Putin should become a condition of any future economic trade discussions with the EU’s partners. Given the key achievements gained in ‘Normandy format’ negotiations on Ukraine, the French president and future German chancellor should put this on the agenda of a joint summit with their Russian counterpart, together with the Commission President and High Representative for Foreign Affairs and Security Policy.
Second: This change of tone at political and diplomatic levels must be backed by credible deterrence capabilities: specifically, the ability to trace the origin of the most sophisticated attacks back to specific locations and operators and disrupt their capabilities if required. While the Joint Cyber Unit and existing PESCO mandates go to some lengths in this direction, they remain driven by “solidarity and assistance” between member states rather than deterrence, and they aim for a level of inclusiveness of all “civilian, military, and private sector actors” that is detrimental to effectiveness in highly sensitive operations.
The reality is that the type of prerogatives needed to act in this realm remains in the hands of national capitals, and as long as this remains the case, Europe must accept strengthened collaboration between a restricted circle of member states that sufficiently trust each other to share the type of intelligence required for attribution – similar to what Anglosphere countries achieved with Five Eyes. This European “cyber-coalition of the willing” should bring together member states with the capabilities and, most importantly, the willingness to undertake counter-offensive measures, and should remain open to collaboration with Five Eyes members.
Third: EU policymakers should deepen initiatives that reduce criminals’ ability to leverage the proceeds of cybercrime. The Commission’s recent proposal to enforce transparency on cryptocurrency transfers, by applying the same rules that currently apply to traditional financial services, should be supported by all member states. Europe can leverage its economic weight to encourage other continents to enforce these measures and to impose pressure on states that harbour intermediaries in the money laundering chain.
Finally: For Europe to speak and act with one voice, a single coordinator needs to be designated at Commission or Council level to jointly orchestrate resilience, external relations and deterrence policy.
Pending these changes, Europe is bound to become the primary global target of cybercrime, depleting its wealth, and weakening its balance of power with global rivals.