The Biden administration is moving to treat ransomware attacks as a national security threat, using intelligence agencies to spy on foreign criminals and contemplating offensive cyber operations against hackers inside Russia, U.S. officials and other sources familiar with the matter tell NBC News.
Though using the military to take action against criminals would not be without precedent, it's controversial in legal circles, and any American cyber action against targets in Russia would risk retaliation. But officials say criminal ransomware attacks from abroad, once a nuisance, have become a major source of economic damage, as the disruption of gasoline and meat supplies in recent weeks has illustrated.
"Right now, they are hair on fire," one former government official said of the Biden administration.
In an example of the new approach, the White House was unusually quick to point the finger at Russia for harboring the attackers, just one day after officials learned of the ransomware strike on meat processor JBS. In previous incidents, it took weeks or months for the U.S. government to publicly blame another country as the source of a cyber attack.
But momentum was building even before Biden took office. As the onslaught of ransomware attacks against hospitals and local governments increased, the National Security Agency in the summer of 2019 began spying on certain foreign criminal hacker groups, according to a former official and three other sources familiar with the matter. Officials say that intelligence collection puts the U.S. in a better position to target the groups if the president orders a strike.
Because they are not carried out directly by governments, ransomware attacks like the ones that hit Colonial Pipeline and JBS have for years been treated as purely criminal matters, investigated by the FBI with an eye toward prosecution. Criminal accountability was rare, though, because most of the hackers reside in Russia and other places outside the reach of American law enforcement. Russia allows the hackers to operate without interference as long as they are attacking the West, U.S. officials say.
Even as the NSA began assembling data on ransomware groups, hospital systems were hit last fall by another wave of attacks. Sources say U.S. officials in charge of cyber policy became further convinced that it was time to get more intelligence resources — and military cyber warriors — focused on the problem.
"Sometime at the end of last year, everyone decided that this had risen to the level of a threat to national security," said James Lewis, a cyber expert at the Center for Strategic and International Studies who consults frequently with government officials.
Spokespersons for the NSA and U.S. Cyber Command declined to comment.
"While we won't comment on specific planned or ongoing operations, we provide options through the Department of Defense to the president," the cyber command spokesperson said.
Since Biden took office, the impact of ransomware attacks has grown, officials say. An attack on Colonial Pipeline last month led to gasoline shortages, and a strike against meat processing firm JBS threatened a quarter of America's meat processing capacity. Had JBS not gotten back online quickly —presumably by paying a ransom — experts say Americans might have experienced significant meat shortages.
On Thursday, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, issued an open letter to corporate leaders urging them to improve their cyber defenses.
"The number and size of ransomware incidents have increased significantly," she said. "The U.S. government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility."
Neuberger also said the U.S. government was seeking to "disrupt" ransomware networks, though she didn't say how.
In a typical ransomware attack, hackers break into a corporate network and lock up data, demanding payment in order to release it. Some also threaten to post business secrets on the internet if payment is not made.
Cyber security experts say successful ransomware attacks often take advantage of companies with substandard cyber defenses.
But even if every company and local government had the best defensive technology in place, hackers with enough time and money would find a way to get through, experts say. That's why the Biden administration is contemplating ways to deter ransomware gangs and the countries that give them sanctuary, principally Russia.
The White House says Biden will put Russian President Vladimir Putin on notice at the June 16 summit between the two leaders that Russia must stop harboring criminal hackers. But Lewis and other experts do not anticipate Putin caving to U.S. demands.
If he doesn't, Biden will have a menu of options in front of him, current and former officials say, including offensive action by U.S. Cyber Command, the military hackers based at Fort Meade who wield cyber weapons that can take down networks and turn computers into bricks.
The military would be careful to operate in a gray area, just short of the international law definition of an act of war, said Gary Brown, a former Pentagon cyber warrior who now serves as professor of cyber law at the National Defense University. That's exactly what Russia has been doing to the U.S. over the last decade, he said, with a campaign of disinformation, election interference and hacking.
Among the things Cyber Command could do, he said, is disrupt the hackers' ability to access their own networks and tools, "infect their networks with modified tools that have our own little special gifts attached to them," and harass some of the key players.
Indictments by the Justice Department also serve a purpose, he said, by blocking the hackers from most travel and access to the U.S. financial system.
The U.S. could also impose further economic sanctions on Russia, but "we've kind of pressed the sanctions button pretty close to the max," Brown said. "In my opinion, we seem to have kind of run the course on how much you can do with that."
Whatever the U.S. response has been, it hasn't led Russia to stop harboring the criminal hackers, said Glenn Gerstell, who retired in 2020 after five years as NSA general counsel.
"We're not going to shut off all the lights in Moscow," he said, but "whatever it is we're doing now is clearly not producing the desired effect. We need to do something different."
Some scholars have urged caution in the use of the military against criminal hackers. Jason Healy, a former White House official who is now a cyber expert at Columbia University, made that argument in an article for the Lawfare blog last month, saying the military should only be used against criminal groups as a last resort, in response to an imminent threat.
Military force has been used against criminals before, in raids to free American hostages, such as when Navy SEALs rescued merchant ship crew members from Somali pirates in 2009, an incident later portrayed in the Tom Hanks movie, "Captain Phillips."
And in August 2020, current and former officials say, U.S. Cyber Command took down a Trickbot, a botnet used to deploy ransomware. That was the first known use of military force against criminal hackers, and it was justified as a measure to prevent election interference, because Trickbot also could have been repurposed to disrupt the 2020 elections.
Cyber command's mission is to defend the United States in cyberspace, Gerstell said.
"If the country is experiencing malicious effects from a cyber attack, that to me creates a justification for U.S. Cyber Com to be more aggressive," he said.