US will impose costs on Russia for cyber ‘acts of aggression,’ White House cybersecurity czar says

  • Russia will be made to pay for its acts of cyber aggression on the international stage, White House cybersecurity coordinator Rob Joyce told CNBC on Friday.
  • The act in question was the malware attack known as NotPetya that wiped out billions of dollars as it spread across 64 countries in July 2017.
  • It was seen as a deliberate attack on Ukraine, which saw its National Bank and numerous businesses, airports and government agencies paralyzed.

Russia will be made to pay for its acts of cyber aggression on the international stage, Rob Joyce, special assistant to the president and White House cybersecurity coordinator, told CNBC on Friday.

The act in question was the malware attack known as NotPetya that wiped out billions of dollars as it spread across 64 countries in July 2017. The White House, for the first time Thursday, directly blamed Russia's military for the attack.

"We're going to work on the international stage to impose consequences. Russia has to understand that they have to behave responsibly on the international stage," Joyce said at the Munich Security Conference in Germany. "So we're going to see levers the U.S. government can do to impose those costs."

A veteran of the intelligence community, Joyce spent 27 years at the National Security Agency prior to this current post in the White House.

NotPetya appeared in Ukraine last July and spread to Europe and the U.S., wreaking havoc on businesses including banks, shipping ports, law firms, transportation networks and government agencies in what's been considered the costliest cyber attack in history.

In total, it affected more than 80 companies in Russia and Ukraine and thousands of systems internationally, and caused billions of dollars in damage. Major companies like AP Moller-Maersk, Merck, FedEx and Rosneft were among those hit. The Kremlin, meanwhile, stated that NotPetya had not caused major damage in Russia.

"We saw an indiscriminate attack launched by Russia against Ukraine in the ongoing hostilities there. What they used was a cyber weapon that was launched in the dark, that hit numbers of companies, individuals, and caused damage to our economies, it stopped shipping from moving… it literally shut (companies) down," Joyce said. "And that is unacceptable."

The malware was dubbed "NotPetya" as it actually impersonates Petya ransomware, which was discovered in 2016 and targets and infects Microsoft Windows-based systems, encrypting the hard drive and demanding a payment in bitcoin to re-allow user access.

Joyce stressed the need for companies to invest heavily in cybersecurity, noting that much of the NotPetya damage would have been avoidable if better security measures had been in place.

"We can't blame the victims for something a nation state wantonly did in an act of aggression," he said. "Russia needs to be held responsible for this. But at same time companies do need to take active role in making sure that from beginning they have cyber security considered, invested in and it's up to speed."

The act was seen as a deliberate attack on Ukraine, which saw its National Bank and numerous businesses, airports and government agencies paralyzed. Russia invaded Ukraine's Crimean peninsula in 2014, and continues to fuel fighting in the country's east, where at least 10,000 people have since been killed. The Obama administration in 2014 imposed sanctions on Russia for its intervention.

Joyce's comments follow a statement from the White House on Thursday in which it accused the Russian military of launching the "reckless" attack as "part of the Kremlin's ongoing effort to destabilize Ukraine."

The statement, delivered by Press Secretary Sarah Sanders, represented a rare show of condemnation from the Trump administration, which has yet to fully endorse an assessment by all 17 U.S. intelligence agencies that Russia meddled in the 2016 U.S. election.

In a controversial development, the heads of the FBI and NSA this week revealed to lawmakers during a Senate Intelligence Committee hearing that the president never specifically asked them to investigate Russia's election hacking activities. Asked about this, Joyce maintained that Trump was, in fact, dedicated to addressing cyber threats.

"I think the president is working through the administration, he's got us on task doing a lot of work on making sure the elections are protected and the American public can have confidence in the elections," he said.

In late January, Trump bypassed a Congressional deadline to hand down new sanctions on Russia to punish Moscow for its alleged interference in the 2016 election and military interference in Ukraine.

Earlier this month, CIA director Mike Pompeo told the media that he "fully expects" Russia to attempt to disrupt the U.S. midterm elections in November.

More than 450 senior leaders in government and the private sector are gathered in Munich this weekend to discuss security threats and cooperation, with a special focus on the European Union and its relations with Russia and the U.S., as well as threats emanating from North Korea and instability in the Middle East.