13 July 2021

Opinion | Could Ransomware Become a Geopolitical Weapon? Game Theory Says Yes.

JENNY JUN

Over the weekend, the REvil ransomware gang locked up the data of more than 1,000 businesses in an unprecedented supply-chain attack that went through the software firm Kaseya, whose remote-management product is used by managed service providers to administer their customers' systems, and demanded $70 million for a universal decryptor. While it's unclear which, if any, of the individual businesses have paid the group anything, in May and June JBS and Colonial Pipeline paid roughly $11 million and $4.4 million, respectively, to resume operations after ransomware attacks.

The fact that attackers can mount these attacks so frequently and extort large sums from victims shows that encryption has become an effective way to hold hostages: the data is still there, but only the attacker holds the key. What if an adversary state or a terrorist group starts using the same tool to demand something more than money?

Today, ransomware is treated mostly as a criminal problem, but it may soon be a geopolitical one as well. I use game theory to study ransomware, and I’ve also examined how adversaries like North Korea use cyber tools for strategic goals. My research suggests it’s only a matter of time before encryption is used for geopolitical gain. The incentives built into ransomware attacks — for both the attacker and the victim — will make it easier for smaller, poorer players to extract concessions from more powerful adversaries. But the good news is that two can play at that game: In the future, encryption might also become a way for countries to respond proportionally to cyberattacks without causing all-out war in cyberspace.

Throughout history, state and nonstate actors have sought to hold an enemy’s valued assets at risk to bargain for political gains. Land invasions that captured capital cities have been used to compel governments to surrender, threats to close critical maritime chokepoints have been used as bargaining chips, and hostages have been taken to negotiate political or monetary concessions. In other cases, adversaries have kidnapped each other’s princes or held one another’s cities at risk with nuclear weapons, creating mutual hostage relationships to ensure neither side upsets the status quo.

Ransomware, or more precisely the encryption underneath it, which locks up data with a key only the attacker holds, is just another chess piece in this game. But the incentives that drive the attacker and the victim in a ransomware attack may sometimes make it a more attractive way of coercing an enemy than bombings, blockades or nuclear threats.

The nature of encryption increases the incentives for attackers to attack and for victims to concede. First, once the victim’s data is locked up, the attacker can keep it that way for as long as it takes to get their demands met, at no extra effort or cost, so long as the victim has no other way of recovering the key or the data. Compare this to other methods of holding enemy assets at risk — laying a siege, blockading a port — which can be as costly to maintain for the attacker as they are to endure for the defender. Even after a siege starts, the attacker needs to be able to credibly commit to applying force for long enough to convince the defender to acquiesce.

If the capacity to keep the asset at risk is limited by how long an army can keep attacking or how much airpower the military has, the attacker’s threat to hurt the asset may not be credible. The defender may decide to just wait it out, predicting the attacker will eventually back down. But the attacker faces no such credibility problem when using encryption — it costs nothing to keep the “siege” going as long as necessary.

Second, encryption is reversible, which makes it more appealing for the victim to concede. As with kidnapping, it is the prospect of getting the hostage back — in this case, the recovery of data and systems — that makes concessions attractive. On the other hand, a threat that relies on destroying part of the asset creates sunk costs. Every hostage executed and every building bombed cuts away from what the attacker can promise to give back if the victim concedes.

Third, ransomware attacks are simply easier to carry out than other forms of geopolitical coercion. Compared to a conventional military operation or a nuclear program, the barrier to entry is very low. Strong encryption libraries are freely available, and even unskilled attackers can rent highly customizable ransomware-as-a-service (RaaS) kits for as little as $40 per month.

Encryption can also hold assets at risk around the globe without geographical constraints. Without having to punch through the Ardennes, acquire long-range missiles or control strategic chokepoints on land and sea, an attacker can take hostages. It’s a cheap, easy way to create more bargaining chips whenever something needs to be exchanged but cannot be taken by brute force. To an impoverished and isolated state like North Korea, or a nonstate group with few resources, these practical benefits would seem quite attractive.

Of course, encryption has limitations. Because ransomware relies on denying access, encryption cannot inflict costs if the victim doesn’t value what’s being encrypted, or can replace the asset relatively easily. A defender that keeps current backups offline or otherwise out of the attacker’s reach, and has tested restoring from them, has an alternative way to get its data back after a ransomware attack, which reduces the attacker’s coercive power. This option to back up data is an advantage unique to the defender in this domain, with no real equivalent in others.

However, the ability to adopt seamless backup is not always correlated with how important the business is. For example, a power plant that runs on a legacy operating system will probably struggle with backups because it most likely requires custom solutions. Therefore, ransomware is primarily a selection problem: the attacker needs to identify a victim that is either unlikely to have good backups or that loses so much money for each day of downtime that even a week or two of disruption is very costly. This is why ransomware has moved away from targeting individuals toward businesses such as hospitals or utilities. Now attackers are casting an even wider net, encrypting many businesses at once by exploiting supply chains.

Ransomware and encryption have additional limitations that they share with other forms of coercion. Any effort to hold enemy assets at risk can prompt retaliation and escalation, and victims may resist making concessions out of fear of acquiring a reputation as an easy target. These common problems make it difficult in general to force geopolitical adversaries to do what you want. Nonetheless, because encryption resolves certain credibility concerns, it is likely to appear in the toolbox of both state and non-state actors as they seek new ways to make gains without blatantly inviting retaliation.

Given these factors, when might ransomware be used for geopolitical purposes instead of simply extorting money? Here are a few ways it might play out — and they’re not all bad.

The bad news is that ransomware could be used as an additional tool by any state or non-state actor that has previously attempted to extract concessions by holding enemy assets at risk. Iran has held Americans as hostages and seized ships in the Strait of Hormuz to compel states to unfreeze Iranian financial assets, undermining U.S. sanctions. It’s conceivable that Iran could attempt to create a similar situation using ransomware as it experiments with new ways to conduct cyber operations. Iran has already used ransomware as part of a destructive cyber campaign against Israel since last year, and it may be only a matter of time before it demands something in return rather than just causing destruction.

Non-state actors such as Yemeni rebels have taken hostages to negotiate prisoner swaps, pro-Russian insurgent groups have occupied government buildings to demand a referendum on secession, and ISIL seized Iraq’s largest oil refinery. Because ransomware greatly reduces the cost of occupation for the attacker and does not require geographical or military advantages, it can be a viable alternative to the physical occupation of buildings or the taking of actual hostages.

The geopolitical use of ransomware is therefore an asymmetric threat. Poorer, less connected state and non-state actors will be able to use encryption to punch above their weight and force concessions from more powerful states. In a tit-for-tat exchange of ransomware, target-poor states such as Iran and North Korea simply have less to lose from having their own critical systems frozen than their target-rich Western counterparts, because these smaller states are less reliant on cyberspace for everyday activity.

Non-state actors like civil war belligerents and terrorist groups will have even less to lose, assuming the technology remains ubiquitously available at low cost. While conducting ransomware attacks requires basic cyber operations training and Internet infrastructure, the barrier to acquiring these prerequisites is relatively low. We can expect some of these actors to try their hand, now that it is common knowledge that ransomware pays.

The good news is that encryption can be used to respond to a fait accompli in cyberspace. If an adversary has taken something valuable, whether a piece of territory or cryptocurrency stolen from an exchange, one way to respond is to take something that they value in turn to create a mutual hostage relationship, then negotiate for both assets’ return. For instance, the quickest way to get North Korea to return the cryptocurrency it has stolen is probably to freeze some of its own assets, instead of a long process of trying to regulate intermediary money launderers. Such measures may be useful if the United States cannot rely on purely defensive measures to prevent such grabs from occurring in the first place, or on international law enforcement efforts to apprehend the hackers.

Using encryption to create mutual hostage relationships might offer a useful solution to the dilemma of how to proportionally respond to malicious cyber campaigns without violating international norms. Cyber practitioners and scholars have long debated how to respond to cyber operations and other internationally wrongful acts that fall below the threshold of war. Encryption could be an appropriate tool because it can be calibrated to be proportional, has limited potential for casualties and can be reversed upon the target state’s compliance. If encryption comes to be accepted as a more proportional and temporary method of cyber retaliation, it could counterintuitively help build international “rules of the road” for cyberspace — similar to how “letters of marque” were issued for anti-piracy efforts in the olden days.

It may be several years before we see the first coercive encryption used in a geopolitical context. Ransomware was first used in the 1980s, but it wasn’t until a few years ago that it became a pervasive threat as criminals learned and fine-tuned their operations over time. The skyrocketing ransom demands and emergence of new tactics, such as encrypting backups and exploiting supply chains, indicate that in many ways this learning is still ongoing. Likewise, the first documented case of cyber espionage was in 1986, but it took years before states adopted this new means of conducting espionage in earnest.

Given these lengthy timelines, the idea that encryption could be another chess piece in the greater geopolitical game is still probably relatively obscure to national security practitioners more used to traditional forms of warfare. However, increasingly high-profile ransomware incidents like Kaseya and Colonial will get policymakers — as well as adversaries — thinking in this direction more and more.

As the source of wealth moves elsewhere — that is, as countries’ most valued assets move from the physical to the virtual realm — the weapons will also adapt accordingly. Encryption is one excellent tool to hold such connected assets at risk, and soon actors will learn to use this tool to extract more than money.
