The proliferation of state-sponsored cyber-attacks against government and private sector entities is escalating exponentially. The Solar Winds cyber-attack in March 2020 that successfully targeted hundreds of U.S. Government agencies and private sector businesses was a wake-up call that something must be done before it’s too late. A state actor, either acting alone or contracting out to a criminal group, attacks our critical infrastructure, like the programs that control the electric grid, air traffic control, or water supply.
The Colonial Pipeline ransomware attack in May 2021 and the JBS meat processor ransomware attack in January 2021 were a few of thousands of ransomware attacks that were reported to the FBI. Indeed, the FBI Internet Crime Report of 2020 reported 2,474 attacks in the U.S., with losses of more than $29 million.
According to media reporting, a Russian-affiliated criminal group, Cozy Bear, was responsible for the Solar Winds attack. An East European criminal group, Darkside, was responsible for the Colonial Pipeline attack. Russian cybercriminals reportedly were responsible for the JBS attack.
President Biden made it clear to Russian President Putin during their June 2021 meeting in Geneva that cyber-attacks, including ransomware attacks by criminal groups in Russia, need to cease, and he provided Putin with a list of 16 key infrastructure entities that are off-limits to Russian cyberattacks.
Defending against these cyber-attacks is a priority of this and former administrations. Ensuring that the perpetrators are held accountable with the threat of sanctions and indictments are logical and necessary responses that, hopefully, will deter future attacks. Unfortunately, however, even with the threat of biting sanctions, these state-sponsored attacks by a growing number of cyber-criminal groups continue to grow.
It’s obvious that more must be done to deter countries from using cyber to attack other countries for economic and political advantage. We have relevant experience with nuclear energy and biological and chemical sciences that could and should be applied to cyber.
The threat of nuclear proliferation was addressed with the establishment of the Nuclear Nonproliferation Treaty (NPT) in 1970. There are currently 193 countries, with the initial five nuclear weapons states, committed to the peaceful use of nuclear energy and the eventual abolishment of all nuclear weapons. The threat of biological weapons was addressed in 1972 with the establishment of the Biological Weapons Convention, with a membership of 183 countries, which bans all biological and toxin weapons. And the 1994 Chemical Weapons Convention, with a membership of 193 countries, bans all chemical weapons.
It should now be obvious that cyber, if not used for peaceful purposes, should be viewed as another weapon of mass destruction. The cyberattacks against government and private sector entities and the recent spate of ransomware attacks against critical private sector entities mean we must be more proactive and establish international norms that hold countries accountable for their behavior and the behavior of their citizens and criminal groups who are involved in cyber-crimes.
We have rich experience convening conventions that addressed the unlawful and harmful use of nuclear energy and biological and chemical uses that could inflict significant pain and suffering on millions of innocent people. We could and should do this with cyber.
Given that establishing a new forum to address cyber, in the hope of establishing an international organization that could advocate for the peaceful and beneficial uses of cyber while prohibiting the harmful uses of cyber, and establishing a process to oversee compliance with these commitments, will take time, something must be done now, as an important interim step.
As we enter into a five-year extension of New Start arms control negotiations with Russia, there may be value in using this venue to table the issue of cyber to determine if the U.S. and Russia are prepared to discuss the issue of cyber in a different forum, but with the vigor that was applied to nuclear weapons, starting with the Strategic Arms Limitation Treaty (SALT)in 1972, followed by the Strategic Arms Reduction Treaty (START) in 1991 and the 2021 five year extension, with the New START Treaty.
Any discussion of cyber and the establishment of a forum to ensure that cyber is used only for peaceful purposes should also include China, given that several cyber intrusions reportedly also emanated from China. Indeed, this could and should be a subject that continues to be discussed directly with China, especially given the 2015 agreement between former President Barack Obama and President Xi Jinping that neither the U.S. nor China “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
Cyber is an international issue requiring immediate attention. The U.S., Russia, and China can provide the leadership necessary to ensure that the cyber domain is used only for peaceful purposes.
• Joseph R. DeTrani was the former special envoy for negotiations with North Korea from 2003-2006 and the former director of the National Counterproliferation Center. The views expressed in this publication are the author’s and do not imply endorsement of the Office of the Director of National Intelligence o any other agency.