
Sanctions for NotPetya? You Betcha.

The White House deployed words to chide Russia for the NotPetya attack. On 15 February 2018, the White House Press Secretary released a blunt statement:

In June 2017, the Russian military launched the most destructive and costly cyber-attack in history.


The attack, dubbed “NotPetya,” quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.

The U.S. statement echoes statements from Canada, Australia, New Zealand and the U.K. in attributing these devastating NotPetya ransomware attacks to Russia.

But mere words, if not followed by actions like sanctions, may only encourage Russia – and others – to do it again.

The attacks impacted governments, businesses, academic institutions and non-profit organizations globally. They caused technology disruptions at major transportation centers, impacted the delivery of products to market, and even interfered with the production of medicines. The impact was huge.

All indications are that the attack was designed to impact Ukrainian businesses and government agencies but spread out of control. This is the nature of automated cyberattacks. It takes incredible planning and exquisite intelligence to do them in a way that limits their scope to the intended target.

What happened? All indications are that the decision to use cyber weapons in this way was made because the Kremlin believed the code, developed by the Russian GRU’s secretive cyber war center (the Main Center for Special Technology of the GRU aka Main Intelligence Directorate), would only impact Ukrainian businesses and government agencies.

The code was certainly sophisticated but did not have limits that would confine it to geography or political boundaries. Fire-stop solutions like this can be put in cyber weapons with planning and exquisite intelligence. But the targeting in this case was not well thought out.

The code was designed to attack a data encryption tool used in accounting software that is widely used by Ukrainian financial and government institutions, but someone at the GRU must have thought this would be the only place the malware would run. Could it be that the GRU is getting a case of the big head? Did a growing hubris cause them to make this mistake?

Students of cyber conflict policy are watching how the international community will respond. Strong statements of attribution make a fast splash in the press, but there are no indications those will change Russian behavior. Historically, our attribution of the Sony Attacks and WannaCry attacks to North Korea did nothing. There are indications that cyber theft from the People’s Republic of China dropped a little after public shaming, but it is also clear that theft continues, and some of the theft is getting harder to detect, meaning our public shaming may have just caused the PRC to go more covert in their theft.

When it comes to Russia, if nothing is done after a strongly worded joint attribution statement, then the public attribution would almost certainly do more harm than good. It would send the signal that future attacks like this are also just going to be met with a strongly worded memo. Not only Russia, but every country could feel empowered to attack infrastructure with cyber weapons. A formal diplomatic demarche to protest behavior in cyberspace is a logical next step to consider but would also not have any impact. Real sanctions are called for here.

In selecting real sanctions, policymakers have a range of options that can deliver real messages while keeping us off an escalation ladder with a nuclear power. Some options include:

  • Further economic sanctions
  • Expulsion of businesses and Russian citizens from nations affected by the attacks
  • Reduction of diplomatic ties including expelling a number of diplomats from nations affected
  • Sport sanctions designed to send the message that fair play is required in all endeavors with the civilized world
  • Coordinated activities to restrict Russian use of the internet or to limit internet use to be through key points, which can be monitored and blocked as required

There is another series of actions that this incident should compel every nation to consider. Every law-abiding country, not just the Five-Eyes nations, needs to establish mechanisms to collaborate and coordinate on cybercrime. Organizations like the U.K.’s National Cyber Security Centre (NCSC) or the U.S.’s National Cybersecurity and Communications Integration Center (NCCIC) provide value in helping share information not just with other nations, but internally to help raise the defenses of citizens, businesses and infrastructure providers. Every law-abiding nation needs a collaborative cyber center like this.

Every business should also consider what this means for digital risk. One thing is clear: attacks will continue. Those businesses that have agile defenses are much better prepared to mitigate the impact of attacks.
