According to a Washington Post report, the Biden administration has refined National Security Presidential Memorandum 13 (NSPM-13), which was signed by President Donald Trump in 2018 and granted the Secretary of Defense the authority to conduct cyber operations without the need to receive authorization from the President and other federal agencies. The purpose of the classified memorandum was to shorten and simplify the decision-making process that governs the procedures for planning and executing urgent operations in cyberspace (as defined in Presidential Policy Directive 20, which was signed by President Barack Obama in 2012).
Officials said the refinement was intended to expand White House and State Department oversight of offensive cyber operations, prevent operations from inadvertently interfering with other government-directed cyber activities, such as diplomatic efforts or cyber espionage, and to prevent tensions with third countries on whose networks these operations generally take place.
Reports on the NSPM-13 review prompted calls from lawmakers who had urged the White House to preserve Department of Defense cyber authorities, saying changing them would limit the nation’s ability to signal its willingness to use cyber capabilities and would thwart its ability to “engage persistently” with its adversaries in cyberspace. The reports may also raise questions regarding the Biden administration’s stated fight against ransomware, which includes the use of offensive cyber capabilities to deter threat actors involved in ransomware and disrupt their infrastructure. In November 2021, General Paul Nakasone, director of US Cyber Command and the National Security Agency, revealed that the command had conducted a flurry of operations to deal with the threat of ransomware to US interests.
While it is crucial to maintain fast and relatively flexible planning and execution procedures for offensive cyber operations to disrupt adversary activity in cyberspace, there are several reasons why the impact of the review on countering ransomware may not be as bad as some claim.
First, unlike operations in other domains, the vast majority of offensive cyber operations typically do not have broad strategic implications. These are usually operations against ransomware gangs and other cybercriminals, some of whom have an ambiguous relationship with foreign governments or at least enjoy a safe haven within a country’s territory. Host countries such as Russia have long dismissed allegations of their relationship with these criminals. Combined with the empirical evidence that cyber operations are not necessarily escalatory in nature, such anti-ransomware operations are unlikely to have strategic implications requiring presidential authority.
Second, since the stated goals of these cyber operations are deterrence and disruption of ransomware operations, there is a need to question their effectiveness and overall contribution. For its part, an effective deterrence strategy depends on understanding the adversary’s motivations and risk tolerance. As some ransomware groups conduct their operations for a mix of financial, political, or national motives, and their relationships with foreign governments remain ambiguous, it is difficult to tailor an effective military response based on an understanding of the attacker. Although the military has the most advanced capabilities to target foreign adversaries from cyberspace, the critical challenge to an effective deterrence strategy may not be the decision-making process of cyber operations. Rather, it may be about understanding whether and to what extent the employment of military resources (or the mere threat of them) could change a threatening actor’s calculus.
A similar argument could be made with respect to disruption, as past evidence from operations suggests that disruption of these activities is only limited and temporary. In October 2020, reports emerged that US Cyber Command had disrupted the Trickbot botnet by accessing its operators’ command and control server and sending all infected systems a disconnect command. However, after a few months, Trickbot was up and running again. In July and November 2021, Cyber Command targeted infrastructure belonging to the prominent Russian-speaking REvil ransomware gang. According to US officials, the action “left its leaders too scared of identification and arrest to stay in business.” However, in April 2022, the group reappeared, with some researchers revealing that threat actors affiliated with the group had already launched a new ransomware campaign as early as December 2021, barely a month after the shutdowns.
While clarifying the scope of the Department of Defense’s powers in cyber operations is crucial, maintaining an effective anti-ransomware strategy requires answering more pressing questions. It’s also important to remember that employing military resources may not be the only solution to combating ransomware, nor the most effective. For a counter-ransomware strategy to be effective, a thorough discussion is needed to determine how to use these means effectively and, more importantly, how to harm the profitability of the ransomware market.
Omree Wechsler is a Senior Researcher in Cyber Policy and Strategy at the Israeli think tank Yuval Ne’eman Workshop for Science, Technology and Security at Tel Aviv University. He is a graduate of Bar Ilan University’s CISO & DPO training program and previously served in Israel’s military intelligence branch.