Cyberattacks need consequences

This week, the U.S. Department of Justice unsealed charges against six Russian intelligence officers for malicious cyber activities against the U.S. The indictment revealed a laundry list of crimes tied to the defendants who allegedly work for Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 74455. The DOJ blames them for:

· Causing mass blackouts in Ukraine

· Distributing malware that disrupted global supply chains and cost businesses billions

· Messing with companies and government entities in Georgia

· Disrupting and sowing discord during the French elections

· Obstructing efforts to hold Russia accountable for its use of a “weapons-grade nerve agent” in a foreign country

· Attempting to sabotage the 2018 Winter Olympics

The GRU entity behind the attacks is colloquially known as Sandworm, ELECTRUM, BlackEnergy, Telebots, Voodoo Bear, and Iron Viking, among other names. (Note: Naming conventions vary across threat intelligence providers and government entities. For the purposes of this blog, I’ll call them Sandworm. ELECTRUM is what my company Dragos calls the initial access group associated with CRASHOVERRIDE.)

Sandworm is a notorious group – as documented in Andy Greenberg’s terrific book – and has singlehandedly caused billions of dollars in damages, plunged cities into darkness, and proved to be a poisonous thorn in the side of businesses, politicians, human beings, countries and their respective intelligence agencies for years. Sandworm has become the chief villain in the theater of cyberwar, one that, despite being unmasked, has yet to face any consequences.

The DOJ indictment contains 50 pages describing a lot of disruptive and destructive activity attributed to this group. Some of it, including the 2015 and 2016 cyberattacks on Ukraine’s electric infrastructure, could have had very real human consequences. And yet, the defendants are only charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft.

To be fair, that’s really all the lawyers can do, considering some of this group’s most egregious activities were executed well away from U.S. soil. However, it is another line on a growing list of cyberattacks conducted by foreign actors that have yet to see any real consequences.

The U.S. Department of the Treasury has issued sanctions on entities in response to hacks, including NotPetya and the 2016 election interference. Additionally, this summer, the European Union issued its first cyber-related sanctions on North Korean, Russian, and Chinese individuals and entities responsible for the cyberattacks known as WannaCry, NotPetya, and Operation Cloud Hopper. The EU followed that up this month with additional sanctions on the head of the GRU for an attack that – as my cyber husband and reporter Patrick Howell O’Neill points out – happened way back in 2015. But sanctions and indictments generally do little to dissuade state-backed operators. They essentially put restrictions on finances and travel: organizations and people residing within the country or union implementing the sanctions cannot conduct business with the sanctioned entities, nor can those who are sanctioned travel within those regions. Cyberattackers carry on with little regard for such consequences. The 2018 U.S. sanctions on Russia’s GRU, for instance, have not stopped Russian adversaries from continuing their activities – including targeting the 2020 Olympic and Paralympic Games, U.S. businesses and government entities, and even entities working on coronavirus vaccine research.

Frustratingly, there has been no accountability or consequences for the destructive attacks on critical infrastructure that took down electricity in Ukraine. The BlackEnergy event in 2015 and CRASHOVERRIDE, the 2016 attack that caused blackouts in the country, were major cyber events that impacted innocent citizens, and yet there was no global outrage or response.

There is an ongoing conversation in various circles from policy to security to law enforcement over the concept of “cyberwar.” What do we do about it? How do we prevent it? What, actually, is cyberwar? People put on their suit jackets and thinking caps and debate the merits of sanctions, offensive cyber operations, and (ugh) “hacking back.” Effectively, global scholars and hackers and lawyers are attempting to come up with the “rules of cyberwar” in a time when cyberattacks can impact human life.

As Dragos’ vice president of intelligence Sergio Caltagirone and I write in the book “Cyber War & Cyber Peace in the Middle East: Digital Conflict in the Cradle of Civilization,” despite cyber warfare capabilities existing and being deployed for over a decade, cyber warfare norms and civilian protections are nonexistent. 

Until norms are established and enforced, cyberspace will effectively be a lawless landscape, with adversaries targeting any entity that furthers economic and national interests regardless of humanitarian cost. Espionage, disruptive malware, and destructive attacks can ultimately endanger societal structures and individual welfare. The ultimate and early costs of international inaction will land squarely on the shoulders of civilians, given the current cyber threat environment. 

Having no real consequences for disruptive or destructive cyberattacks is not good for cyber “norms” and boundary setting. The ongoing and frequent conversation around “rules of cyberwar” has no foundation to build on.

Until such time as operators receive more than a slap on the wrist for disruptive and destructive cyberattacks, hackers will be empowered to continue their behavior. So, what would real consequences look like? Well, society is working on it. As Caltagirone and I write in our chapter:

At a minimum, countries should prohibit cyberattacks impacting or harming civilians, which would include any disruption to critical infrastructure. Building on the work of civil society organizations, governments, and technology firms, Microsoft in 2017 released a whitepaper suggesting ten rules a digital Geneva Convention should contain. The first rule is, “Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals, electric companies).”

The threat of disruption to critical infrastructure is real, as we have observed in Ukraine and Saudi Arabia. The potential impact on human life, the environment, and the infrastructure necessary for survival is very real, too. As a cyber threat intelligence analyst, I enjoy the indictments, the sanctions, and the official attribution of cyber operations to threat actors. But the human in me wonders: where are the consequences? Where is the accountability?