October 29, 2021
When we talk about threats to our elections and those around the world, one of the places we focus much of our attention is on protecting our elections infrastructure from ransomware attacks or other cyber intrusions. I and others have written ad nauseam about these potential points of weakness, which are especially concerning given how diverse and diffuse that infrastructure is.
One way to counter this threat is to bring the fight directly to these nefarious cyber actors on their turf, by turning the tables and taking their platforms offline, for example. This kind of offensive attack is increasingly seen by experts and government officials as an incredibly helpful tool in our arsenal. We cannot wait until we’re attacked to respond, and we have to show these organizations that there are consequences to their actions.
In this vein, Reuters recently broke the story that REvil, a Russia-based group that is among the most aggressive ransomware operators, was “itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” While the U.S. government has not officially confirmed this activity, this could well be a bellwether of what’s to come. Many cyber attacks, even high profile and quite destructive ones, are often not terribly sophisticated, and the U.S. and partner governments have a lot of technical capability that can really make life difficult for these organizations.
Maurice Turner, my colleague here at USC’s Election Cybersecurity Initiative and a Cybersecurity Fellow at the Alliance for Securing Democracy, said in an ASD publication, “This is a solid B+ effort by the U.S. government working in concert with its foreign allies and private-sector partners to disrupt a prolific ransomware group. However, a joint press conference announcement would have been a significant step in reassuring the public that the United States is serious about tackling cyber crimes, and an unambiguous warning to criminals that the government is willing to exercise its capabilities to disrupt malicious activity.”
Maurice raises an interesting point, and one I’ve thought a lot about during and since my time serving as a media spokesperson for various U.S. government agencies. National security outfits are often reluctant to announce their successful operations publicly, in part because of a concern about undermining sources and methods and partly based on an outdated notion that selling things to the press isn’t that important when we’re talking about such shadowy topics.
But in today’s world, when we face increasing ransomware attacks and activists (both here and overseas) are trying to undermine the legitimacy of our elections and our systems more broadly, clear public statements about government activities that protect those systems are important. We cannot look complacent when up against such an onslaught of attacks, and we cannot let people start to believe that this level of intrusion is just inevitable (although sadly some of it probably is). Finally, I think the public would benefit from knowing that the burden isn’t solely on them to set up strong security protections or to hire firms to handle cybersecurity for their private companies. We are all truly in this together.
And while these cybercriminal groups don’t necessarily care about public opinion per se, they do prefer to fly under the radar so as not to attract too much attention (which makes it harder to undertake their attacks). This kind of public shaming would speak to that weakness.
Interestingly, this isn’t the first time that REvil has been taken offline in the recent past. The platform last went offline in July, after it undertook “the single largest global ransomware attack on record”: a hack of software provider Kaseya, an operation that shut down hundreds of businesses around the world because of interruptions to their systems. REvil was likely responsible for that attack, in addition to also being behind the ransomware attack on meat processing company JBS in May.
In a plot twist worthy of a spy novel, REvil mysteriously disappeared from the internet in the aftermath of that attack, and no one knew exactly why. As I wrote at the time:
One possibility is that the criminal enterprise is trying to lay low after conducting several high-profile, successful attacks. It’s not uncommon practice for these groups to go quiet, only to later reemerge after some of the attention has subsided.
Another possibility is that someone — such as the United States government — took REvil’s properties offline, to send the group a message that there will be consequences for its actions.
A third option is that the Russian government directed REvil to go or be taken offline, to release some of the international pressure that’s been building because of these attacks… Whether Putin took that message seriously and as a result, REvil was somehow shut down because of Russian actions or pressure, is unknown — but it’s not out of the question.
Those trying to stop REvil’s actions probably benefit from a bit of tactical ambiguity; if the cybercriminals don’t know exactly how they were breached, that’s all the better for us. I strongly hope that we see more of this kind of aggressive, offensive action being taken. As we do so, we should not be hesitant to attack hostile outlets directly aligned with foreign governments. For example, on the one hand, the Biden administration is exploring whether it’s possible to set up some rules of the road with Russia to govern the cyber realm — a worthy exercise. On the other hand, we cannot be passive in the face of direct attacks on our elections and our country, any more than we would be if physically attacked by a terrorist or a foreign army. We shouldn’t let the first exercise trump the second.
Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative
Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.