Support The Bulwark and subscribe today.
  Join Now

The Ransomware Problem Shows That Russia Is Either a Rogue State or a Failed State

Putin can’t have it both ways. Either he’s sanctioning the cyberattacks or he does not have control of his country.
June 11, 2021
The Ransomware Problem Shows That Russia Is Either a Rogue State or a Failed State
(The Bulwark / Shutterstock)

On June 3, FBI Director Christopher Wray gave an interview to the Wall Street Journal during which he compared the deluge of ransomware attacks emanating from Russia to 9/11. This comparison is even more correct than Wray was willing to say. Because the 9/11 comparison creates us a useful framework for assessing America’s posture towards Russia.

The big geostrategic lesson of 9/11 was that ungoverned territory could present a threat to the American homeland. Immediately after the attacks on the World Trade Center, President Bush gave the Taliban the option to give up Al Qaeda. They declined, which was when he declared that states who harbored terrorists would be held as accountable as the terrorists themselves. The Taliban either controlled the territory where Al Qaeda had hatched the 9/11 plot—in which case it was a rogue state. Or the Taliban did not control the territory, which meant that it was a failed state.

The new wave of cyberterrorism emanating from Russia is clearly analogous. Is Russia 11 time zones of ungoverned digital territory? Or is it a rogue nation sanctioning the attacks emanating from within its borders? Is it North Korea or Afghanistan? Will Vladimir Putin give up the hackers? Or does he not have control over his own country? The choices are pretty binary.

The criminality of the ransomware attacks and questions about any covert links to the Kremlin are beside the point. Even if the intelligence community had ironclad proof of a covert Kremlin connection, good luck trying to prove that to the world.

The uncomfortable implication is that Russia either cannot control its territory or has no fear about economic warfare being launched against the United States from its territory. Even if the answer is both, the world should be hearing something other than soothing rhetoric as President Biden heads to his half-baked, ill-advised summit with Russian President Putin on the sidelines of the G7.

Biden knows that Putin weaponizes corruption. He knows that Putin, who cannot afford a competent military, leans on criminals to undermine the West. Biden wrote as much in a 2018 Foreign Affairs essay. And subsequently I and three other coauthors wrote about how authoritarians such as Putin seed the battlespace with criminals in an effort to undermine the West. All of this is known. On June 4 the Biden administration declared that strategic corruption had become a top-tier national security threat.

In other words, Biden knows that these hackers serve Putin’s purpose and that Putin has not shown any interest (or ability) to stop them. Biden also knows that the FBI is investigating around 100 current cases, mostly Russian in origin. The U.S. faces a systematic, Russian threat.

Yet, during a June 6 interview with Axios, Secretary of State Tony Blinken said, “We would prefer to have a more stable, predictable relationship with Russia.” The next day explaining away the administration’s gift to Putin of his most worrisome geopolitical project, yet, Nord Stream II, Blinken told the House Foreign Affairs Committee “The physical completion of the pipeline was, I think, a fait accompli . . . I think we have an opportunity to make something positive out of a bad hand that we inherited when we came into office.”

In 1998, when Al Qaeda perpetrated multiple terror attacks from Sudan, politicians resisted sober calls to action. Instead, President Bill Clinton shot cruise missiles at baby milk factories. The rest is history.

Any casual observer can see an increase in the operational tempo of ransomware attacks, as well as the increase in their ambition. Two of the most recent attacks—the Colonial Pipeline and the JBS meat producer attacks—were systemically important enough that they caused macroeconomic ripples for America. It does not take too much imagination to realize that these attacks, if not stopped, could cause political hiccups for the administration by putting a drag on the economy. They could even be used to interfere in future U.S. elections.

How many ransomware attacks do we need to witness before the Biden administration makes the uncomfortable connection that Putin’s Russia may not be all that dissimilar from the Taliban’s Afghanistan? Biden’s entire agenda for his upcoming Russia summit should be to give Putin a chance to give up the hackers, and to make clear that if he does not, the United States will take care of the threat—a process that will not spare Putin’s government.

Kristofer Harrison

Kristofer Harrison is senior managing director for a macroeconomic consultancy and is a Russia expert. Previously, he served as an official at both the State and Defense Departments during the George W. Bush administration.  Twitter: @ToferH.