WASHINGTON — A top lawyer for America’s cyberwarrior force is calling publicly for military operations against transnational criminal hackers, shedding light on a debate inside and outside the government about how best to deal with ransomware and other virtual threats.
Kurt Sanger, a Marine lieutenant colonel serving as general counsel at U.S. Cyber Command, argues in an article published last week on Lawfare.com that the disruptions from ransomware and other criminal hacking threats have become so harmful to national security that using military force against them — with lines of code, not bombs and bullets, as weapons — is justified and legal.
“Under ideal conditions, law enforcement organizations would address any type of criminal activity; however, in cyberspace, ideal conditions rarely prevail,” Sanger writes with a co-author, Peter Pascucci, a judge advocate with the rank of commander in the Navy. “Transnational crimes, of varying scale and sophistication, can surpass the capacity of U.S. federal law enforcement to take immediate action. … Operational opportunities often must be seized immediately by whatever entity is best positioned to do so.”
The article includes a standard disclaimer that the views are those of the authors, not the U.S. government. But it was significant that Sanger, who has been laboring in the legal trenches of military cyber operations for years, came out publicly and forcefully in favor of hacking the hackers.
For years, successive administrations have been reluctant to respond forcefully with cyber weapons to hacking by either nations or criminals, in part because the U.S. is uniquely vulnerable in cyberspace and leaders feared the implications of a potential retaliation and escalation.
The authors framed the piece as a response to a Lawfare article by Jason Healey, a former White House cyber adviser who is now senior research scholar at Columbia University’s School for International and Public Affairs.
Healey had argued that a military cyber operation against criminal hackers should be considered only in the rare event that it met a five-part test that requires the threat to be imminent, extremely dangerous and linked to major nation-state adversaries.
“If implemented, Healey’s five-part test would significantly disadvantage the United States and take major assets out of the president’s hands,” Sanger and Pascucci write. “The self-restraint imposed by this test is ill fit given the nature of cybercrime, the nature of cyberspace targets, and the threats cybercrime poses to the nation and its interests.”
Such self-restraint may be “exactly what U.S. adversaries hope for when committing lawfare and engaging in gray zone operations,” they write.
“Gray zone operations” refers to efforts by nation-states to use proxies and other deniable means to inflict pain on adversaries to an extent that is just short of an act of war, with the idea of limiting possible retaliation.
Traditionally, U.S. law and policy call for the military to be used against foreign and terrorist threats. But there have been real-world exceptions, as when Navy SEALs rescued a ship captured by Somali pirates.
Typically, the FBI investigates cybercrime with an eye toward prosecution. Military cyber operations against criminal hacking networks appear to have been extremely rare.
“We tend to divide cyber bad actors into different categories, and that sort of dictates who responds,” said Gary Brown, a professor of cyber law at National Defense University and a former counsel to Cyber Command.
Last fall, according to people briefed on the matter, Cyber Command took down a huge botnet run by Russian-speaking hackers in the biggest known example of a military cyber operation against criminals.
As first reported by The Washington Post, the operation was justified to protect the 2020 election, because there was intelligence that the botnet could be used to interfere.
The botnet had also been used to install ransomware.
Those kinds of military cyber operations “can absolutely be disruptive” to criminal networks, Brown said, even if they can ultimately restore their operations.
Cyber experts say similar operations could be ordered against, for example, the REvil and DarkSide Russia-based ransomware gangs, which have recently crippled and extorted businesses in the U.S. President Joe Biden is under pressure to act as global businesses try to fend off yet another ransomware attack by REvil, three weeks after Biden warned Russian President Vladimir Putin to crack down on criminal hackers in Russia.
Sanger and Pascucci argue that cybercrime is different in scope from other types of crime, meriting a national response that can include military force.
“Not long ago, it would take a well-resourced armed attack to achieve the strategic impacts that can be produced by some cybercrimes,” they write.
The Colonial Pipeline hack, in particular, “highlights the broad and severe impacts criminals can inflict through cyberspace,” they add. It was a crime, they say, but also a national security threat.
“The U.S. military’s mission is not to carry out military operations. Its mission is to defend the nation,” the authors write. “If the United States insists on customary alignment between threats, federal organizations, and capabilities, it certainly will fail to protect its citizens, its interests and its values.”
In a statement, a spokesperson for Cyber Command said, “U.S. Cyber Command’s roles are to enable our partners…with the best insights available and act when ordered to disrupt, degrade, or otherwise impose consequences on our adversaries. The command provides options…but does not set policy.”