The US, the West and the wider international community are struggling to calibrate their response to a growing number of cyberattacks – mostly blamed on Russia and China – against governments and businesses that are damaging computer networks and infrastructure and costing billions of dollars.

Cyberattacks could be lethal – for example, if an attack were to disable the cooling system of a nuclear power plant and cause a meltdown, releasing deadly radiation into the environment. 

The research company Cybersecurity Ventures has projected that cyberattacks will cost the global economy $6-trillion in 2021 – double the 2015 total. It predicts the damage caused will greatly exceed that of all natural disasters in the year and the profits for cybercriminals will surpass those from the trade in all major illegal drugs combined.

A rising level of destructive cyberattacks

Hacking has now become routine. But over the last few years there have been several especially bad cyberassaults which have caused great harm to many companies, government agencies or political parties in the West.

In 2016 an outfit called Cozy Bear (or APT 29) – which the US identified as a front for the Russian SVR intelligence agency – stole and released a trove of embarrassing emails from the US Democratic National Committee, apparently designed to damage Hillary Clinton’s presidential election campaign and favour Republican Party candidate Donald Trump – whom Russian President Vladimir Putin evidently considered more sympathetic. 

In 2017 the WannaCry cyberattack hit many corporations and institutions, notably taking down large chunks of the UK’s National Health System. 

The US, UK, Australia, Canada, New Zealand, and Japan all attributed this attack to the North Korean government. The same year NotPetya, a particularly noxious ransomware virus, paralysed scores of multinational companies in Europe, Asia and the Americas. It knocked out the system monitoring continuing radioactivity at the site of Ukraine’s 1986 Chernobyl nuclear power plant disaster as well as several Ukrainian ministries, banks and metro systems.

The attack inflicted more than $10-billion in total damage, including to many multinationals such Denmark’s Maersk Line, the world’s largest container ship and supply vessel operator; the US pharmaceutical company Merck, the US logistics company FedEx, German logistics company DHL and India’s largest container port, JNPT. The White House called this “the most destructive and costly cyberattack in history” and blamed the Russian military, as did 11 other countries.

“It was part of the Kremlin’s ongoing effort to destabilise Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” the White House said. Cybersecurity experts noted that corporations were increasingly being dragged into cyberwarfare among nations.

In 2020 a huge cyberattack on the US company SolarWinds, which develops software that manages networks, systems, and information technology infrastructure, hit about 16,000 companies, including Microsoft, Intel and Cisco; and several US government agencies, most embarrassingly, the Cybersecurity and Infrastructure Security Agency, whose responsibility it is to protect federal computer networks from cyberattacks.

The US also blamed this attack on Cozy Bear, AKA APT 29, AKA the Russian SVR intelligence agency.

The New York Times called it “one of the biggest failures of American intelligence since Pearl Harbor and the Sept. 11, 2001, terrorist attacks”. Government officials expressed concern that the same access that had given the Russians the ability to steal data could also allow them to alter or destroy it. 

The US’s infrastructure vulnerability was badly exposed in May 2021 when another Russia-based hacking outfit, DarkSide, conducted a ransomware attack that forced the US company Colonial Pipeline to shut down the pipes which provide petrol, diesel and jet fuel to much of the East Coast after its computer network was breached.

The most recent culprit fingered by US security agencies was another Russian ransomware firm, REvil, which attacked several hundred US corporations, including one of its largest beef producers, JBS. REvil – short for Ransomware evil – then demanded millions of dollars to unlock the accounts of these companies. 

The US discovered that from January this year several Chinese hacking outfits – which Washington said were “affiliated with the PRC’s MSS,” (Ministry of State Security) – had hacked into about 250,000 Microsoft Exchange email servers in a“smash and grab” operation to steal information. 

Why are Russia and China intensifying cyberattacks?

These increasing attacks reflect rising geopolitical tensions between the West and Russia and China. They appear to be tactics which Russia and China are using in a “hybrid” war they are waging against the US, Nato and the West more generally. This grey area of espionage, theft of state or industrial secrets or attempts to destabilise Western democracies causes disruption, confusion, high costs and some destruction but falls short of the sort of aggression that could justify a military response which Russia and China probably suspect they would lose.

The US believes China is particularly focused on stealing industrial and military secrets to enable it to leapfrog its backlogs in advanced technology.

How should the US, the West and the rest respond?

The rapid spike in cyberattacks is presenting a particular dilemma not only for the US but also for the West and the wider international community on how to calibrate an appropriate response

The US Pentagon has a Cyber Command with a mandate to conduct cyberwarfare.

But US cybersecurity analysts believe that at least until recently the US has been holding back for fear of unleashing an all-out cyberwar in which the US could be the biggest loser as it is more digitised.

Michele Markoff, the US acting cybercoordinator, acknowledges that the US is more exposed than others.

“The US, which is highly networked and dependent on everything, from energy to water to banking to communications, to transport, to anything, is far more vulnerable,” she told Daily Maverick. 

“And therefore if you had an adversary with the capacity to truly damage those social infrastructures, those critical infrastructures, you could do a great deal of damage.”

Seeking a diplomatic solution

As the most senior State Department official responsible for cyberaffairs, Markoff has been leading efforts to find a diplomatic solution to the rise in cyberattacks. 

“We need to find ways to identify common ground. We have common interests in being able to positively exploit this technology for mankind and for our individual countries.”

Markoff previously helped negotiate nuclear disarmament treaties with the Soviet Union/Russia, but she says negotiating similar legally binding instruments is much harder in cyberspace.

Weapons of mass destruction – nuclear, chemical and biological – have been subject to arms control because they are owned and developed by governments and are not easily developed by non-state actors. They are more easily observable or traceable and a limited number of states have them. 

“And there’s a common interest in not mutually annihilating one another… and I think countries have understood that since the dawn of the nuclear age.

“By contrast, the use of information technology as a weapon is not owned by states. 

“And the current scourge of ransomware or any other type of cybercrime… can be developed by just about anybody on just about any platform.” 

Markoff notes that information technology is evolving so rapidly that any attempt to limit it in a treaty would “become irrelevant before the ink was dry”. 

So instead of trying to control information technology, nations have focused on circumscribing state action, through a voluntary “Framework of Responsible State Behaviour in Cyberspace”, which was negotiated by small groups of countries at the United Nations for more than a decade and which all 193 UN member states endorsed this year. 

The framework asserts that international humanitarian law – the law of armed conflict – applies to states’ activities in cyberspace as elsewhere.

“So, international humanitarian law applies and acts in the context of armed conflict,” Markoff said, “to protect civilians and civilian objects from military behaviour.

“Most disruptive cyberactivity falls below that threshold, since it doesn’t rise to the level of a use of force that could give rise to an armed conflict.” And so the framework also includes 11 “normative statements” about state behaviour in cyberspace below the threshold of armed conflict.

These include admonitions such as: “Take measures to prevent misuse of ICT on your territory”; “Cooperate to stop crime and terrorism”; “Respect human rights, including with respect to privacy”; “Do not damage critical infrastructure”; and “Do no harm to emergency response teams”. 

Markoff notes that South Africa “fully participated in the design of this framework of responsible state behaviour”.

Moliehi Makumane, who represented the Department of International Relations and Cooperation in the negotiations, said the rising volume of cyberattacks globally made South Africa realise the importance of regulating state behaviour in cyberspace and so to seek membership of the 25-nation Group of Governmental Experts which finalised the framework.

But what if good intentions fail… advancing to sanctions

These voluntary measures have clearly not been enough to keep cyberspace safe. Cyberattacks continue at an accelerating pace. 

The US drew up a “playlist” of non-lethal instruments of power it could use in response to attacks, Markoff said. It included coordinated public attributions of cyberattacks to their perpetrators, targeted economic sanctions, and the exposure of adversaries’ cybercapabilities to degrade their effectiveness. Further reactions would be at the president’s discretion. 

Markoff said it was not only the US that was suffering from these daily small disruptions and ransomwares. “There were many of us. It was a very big tent.”

And if just the US stood up and individually accused Russia and China of an attack, it was easy for them to deny it and counteraccuse the US of something else. 

“If we do it as a group, who are they going to retaliate against? It’s a much more forceful and powerful statement for many members of the international community to stand up and say, ‘No, this is not acceptable. We all signed up to this framework of responsible state behaviour and you need to abide by it and we’re not going to let you get away with it.’”

Markoff said the coalition of states had recently stood up against Russia over the SolarWinds incursion and against the PRC over its Microsoft hack. 

On the PRC she said, “We just had 38 states and Nato and the EU stand up and make very strong statements. Nato has not previously made a public statement regarding malicious PRC cyberactivity.”

This coalition also provided cover for smaller and less developed states to stand up and call out countries which attacked them. Markoff notes that in 2019 at the UN General Assembly, 28 foreign ministers subscribed to a document that said we should abide by the framework of responsible state behaviour and impose consequences on those who don’t. 

Since then that coalition has grown. It is not just a coalition of Western allies. “This is a big tent coalition.” South Africa is not a member of the coalition,“but they have signed on to the framework of responsible state behaviour”, Markoff notes, hopefully.

Makumane, though, makes it clear that Pretoria is hesitant about attributing cyberattacks because of the danger of getting it wrong. “This is not like conventional warfare where you have boots on the ground, soldiers raising the flag,”she says. However, she acknowledges that more technologically-developed states like the US have greater capacity to identify perpetrators. 

South Africa had also taken the position that if attacked it would not respond by itself but would only do so through a multinational body such as the African Union or United Nations.

Biden has responded more strongly than Trump

US President Joe Biden has gone further than Trump in using the US “playlist”in responding, especially to Russian cyberaggression. 

On April 15 the US expelled 10 Russian diplomats from the US and imposed sanctions on 32 Russian officials and other entities for cyberattacks, particularly SolarWinds and alleged interference in the 2020 elections. Biden also barred US financial institutions from purchasing rouble-denominated bonds from June.

Biden called Putin after issuing the order, to warn that he could have gone further but did not want to start a downward spiral of retaliations. 

And on July 15 the US laid formal criminal charges against four hackers of China’s Ministry of State Security, which the US said had been behind the huge Microsoft email hack and other cyberattacks. 

But the full extent of US retaliation is not publicly known as the Biden administration has reportedly warned of secret responses.

After another REvil attack over the July 4 holiday, The New York Times wrote that officials had revealed to it that the first major retaliation in kind by the US was expected over the next three weeks, “with a series of clandestine actions across Russian networks that are intended to be evident to President Vladimir V Putin and his intelligence services and military but not to the wider world”.

The newspaper quoted Biden’s national security adviser, Jake Sullivan, as saying a mix of public sanctions and private actions was the most likely combination to force a “broad strategic discussion with the Russians”. 

These public and clandestine actions would clarify to Russia “what the United States believes are in bounds and out of bounds, and what we are prepared to do in response,” he added.

Two days later Biden called Putin and warned him to take down REvil or the US would. On 13 July REvil’s website suddenly went offline. But who did that?

Analysts have speculated that it could have been the Russian government responding to Biden’s warnings. Or perhaps REvil itself decided to lie low for a while.

Or perhaps Russia refused to act and the US decided to do so? DM