date 2021-07-06

Many important topics were on the table when President Biden met with Russian leader Vladimir Putin in Geneva in June—none more so than cybersecurity in the wake of the recent Colonial Pipeline attack. Ongoing ransomware and nation-state attacks have given us a taste of consequences that could become much more dire if the world’s governments don’t start making meaningful progress with this issue.

Back in May, Mieke Eoyang, the Deputy Assistant Secretary of Defense for Cyber Policy, testified before the House Armed Services Committee about how the lines are blurring between criminals and state actors, with some nations turning a blind eye to state hackers conducting private cybercrime on the side. The Center for Strategic and International Studies keeps a running list of nation-state attacks that provides a glimpse into how serious this is becoming. It shows several attacks in recent months that include the alleged Chinese government attack on Microsoft Exchange Server users and the far-reaching Russian attack on the U.S. software supply chain via the SolarWinds platform. Nations will always engage in cyber espionage, but ransomware attacks against private companies and critical infrastructure should be banned. During the summit, the Biden administration put forward a list of 16 industry sectors to be considered critical infrastructure and therefore strictly off limits. The list could form the beginnings of an international cyber treaty of sorts.

How would such a ban be enforced? That would be up to the current administration and could involve sanctions, approving or not approving pipelines, administrative action against diplomats, counter cyberattacks—in other words, the usual diplomatic, non-kinetic, nonmilitary options. But if none of that worked, then a targeted military option might be considered. This possibility underscores how such attacks create not only economic but, in some cases, life-threatening consequences. These escalating cyber conflicts against the U.S. and other interests could provoke a significant response that quickly escalates out of control. While Russia, China, Iran, and North Korea get most of the attention, we shouldn’t overlook countries where massive amounts of fraud that target individuals—particularly the elderly—are originating, such as Nigeria. The U.S. should engage more actively with these nations in investigating and preventing this type of offense.

Federal involvement is needed domestically as well. On the ground locally, these crimes are often met with a shrug. When I was investigating major fraud in Arizona, we received dozens of complaints per year from elderly citizens who were scammed into buying gift cards to pay “IRS debt,” or who were tricked into downloading malware. Cases to investigate these complaints were rarely opened. The victims, who may have lost their life savings, never got justice or even so much as an effort from law enforcement. Due in part to U.S. and state forfeiture laws, we had ample resources to conduct multi-month illegal gambling investigations, but insufficient resources to investigate fraud against individuals. This type of fraud also gets little media attention, even though the offenses are more devastating to victims than, for example, the ransomware attack against Colonial, which caused millions of people to wait in line and pay more for gas.

The Colonial attack highlighted a clear disconnect in public perception and the media narrative around cybersecurity. Cause millions of people a little pain: international headlines. Devastate thousands of families by stealing their life savings in separate schemes: crickets. While the public looks the other way, private-sector companies are not taking many of these threats seriously enough either. They are still doing the usual cost–benefit analysis that says spending $2 million to stop $1 million in fraud is not worth the expense. This is a dangerous game. The complacency around financial attacks that target individuals sets up another situation with potentially devastating consequences in terms of national security and infrastructure.

There is no way to know for sure who is behind these activities, but when we consider all the possible objectives, a state actor cannot be ruled out—especially since we know from Deputy Assistant Secretary Eoyang’s testimony that some cybercriminals are in fact state actors themselves. Imagine a state actor who, over the last few years, has gained access to thousands of bank accounts, and rather than monetizing along the way, decided instead to wait until they have tens of thousands, hundreds of thousands, or even millions of accounts to then monetize all at once. This could easily cause a run on the banks that would push the entire economy to the brink. In this way, personal cybercrime may also be chipping away at critical infrastructure. Last month’s talks in Geneva may represent progress, but they are only the tip of a much larger—and much needed—conversation. The U.S. government should be much more deeply and publicly involved in bringing together an international community against ransomware and other cyberattacks, especially those targeting infrastructure.

