The international community is putting increased pressure on Russia to stop protecting its cybercriminals. But while Russian President Vladimir Putin has made some positive statements, it's doubtful that meaningful progress against Russian cybercrime is about to happen.
The latest wave of cyberattacks is just the continuation of a multidecade trend, said Leo Taddeo, CISO at Cyxtera. "Vladimir Putin sees the cyber domain as an area where his forces are on par, or even superior, to U.S. forces. This gives him greater flexibility to unleash both criminal and government hackers against the West."
Even with sanctions, the reality is that Putin has paid a very low price for the damage he's inflicted, said Taddeo.
That may now be changing.
U.S. President Joe Biden is scheduled to meet with Putin on Wednesday, and cybersecurity is expected to be a top topic.
On Sunday, the G-7 group of leading industrial nations issued a statement condemning Russian cybercrime and calling on the country "to stop its destabilising behaviour and malign activities ... and to identify, disrupt and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms and other cybercrimes."
That same day, Putin appeared on Russian television to claim that Russia takes cybercrime seriously and is prepared to extradite criminals.
"If we agree on the extradition of criminals, then Russia will naturally do that, but only if the other side, in this case the United States, agrees to the same and will also extradite corresponding criminals to the Russian Federation," Putin said, according to a report by TASS, the Russian news agency. "Cybersecurity is one of the most pressing issues today because any disconnections of whole systems entail very grave consequences, and this turns out to be possible."
Following Putin's comments, Biden told reporters that this was a "potentially good sign of progress."
Protecting Russian Cybercrime
This is a turnaround from 2018, when Putin told NBC's Megyn Kelly that he would not extradite the 2016 election hackers to the U.S. "Never. Never. Russia does not extradite its citizens to anyone," he said.
The Russian constitution prohibits extradition, though the government is able to override this in some cases. In the past, however, such action has been part of a political trade: cybercriminals in return for political dissidents who have fled Russia to avoid persecution.
And Russia doesn't just protect criminals who are hiding behind its borders. It alerts its cybercriminals when international arrest warrants are filed against them, according to comments from former government officials. And when criminals travel abroad and are arrested in another country, Russia has filed its own extradition requests so that the criminals can be tried at home – where the charges are quickly dropped – instead of in the U.S.
"There is this common knowledge between Russian-speaking and Russia-based cybercriminals that as long as you refrain from attacking Russia or any other CIS [Commonwealth of Independent States] countries, you're safe to a certain degree as local Russian authorities won't hunt you," said Irina Nesterovsky, chief research officer at KELA, a threat intelligence firm.
"It reminds of the age of pirates and privateers when England and other nations would legally allow pirates to attack their enemies’ merchant ships so long as the pirates didn’t attack English ships," said Ruston Miles, founder and advisor at Bluefin, a payment security company.
Beyond Russian Cybercrime
Russia isn't the only country to sponsor cyberattacks and turn a blind eye toward cybercrime.
In China's case, according to experts, the targets are usually related to intellectual property or trade issues. And while China also has no extradition treaty with the U.S., it is a global technology powerhouse and is protective of its digital infrastructure and reputation. As a result, last year alone, China charged more than 138,000 people with internet-related crimes, according to the Supreme People's Procuratorate, also known as the Prosecutor General's Office.
Consequently, China doesn't appear on the list of nations targeted by the U.S. government for sanctions based on cybercrimes, according to a report by Third Way, a Washington, D.C., think tank, and reports from the U.S. State Department.
Between 2016 and 2020, out of 15 rounds of sanctions issued, 10 were against the Russian government or Russian actors, targeting 71 individuals and 25 organizations. Of the other sanctions, two were against North Koreans, two against Iran and one was aimed at Nigerians.
And the sanctions keep coming.
In April, the U.S. Department of the Treasury issued yet another round of sanctions against the Russian government and several Russian technology companies "that support the Russian Intelligence Services’ efforts to carry out malicious cyber activities against the United States."
In the announcement, Treasury Secretary Janet Yellen referred to "Russia's continued and growing malign behavior."
Ransomware Crooks Akin to Pre-FBI Bank Robbers
In the early 20th century, kidnappers, bank robbers and other criminals would cross state lines in the U.S. to avoid prosecution. The creation of the FBI ushered in a new era of national action against criminals.
Bank robbing and kidnappings still happen, but they are no longer the epidemic they once were.
In 2019, the latest year for which statistics are available, there were 3,834 bank robberies – out of 268,000 total robberies – accounting for about $16 million in losses.
Cyber is the hot new crime. According to the FBI, cybercrime cost the U.S. over $4 billion in reported losses in 2020, and complaints increased by 69% compared with the previous year.
There's been an escalation in the Russian attacks, said Amit Serper, area vice president of research for security firm Guardicore and the researcher who found a vaccine for the NotPetya ransomware.
"We're seeing that almost all bets are off," he said, referring to attacks against Colonial Pipeline, the world's largest meat processor, hospitals, schools and other critical organizations. "The attacks that are happening are affecting everyone's lives. It's getting to the point where it affects the fabric of society, where we don't have food, we don't have gas."
Putting the biggest cybercriminals in jail would be a big step forward. It would break up criminal organizations, take the biggest and most successful players out of the game, encourage the smartest ones to find other lines of work, and reduce the funds available for research and development.
That can't happen as long as criminals can escape prosecution by basing their operations in safe-haven countries like Russia.
"The vast majority are living in regions where we don’t have extradition treaties in place," said Peter Klimek, director of technology at security firm Imperva. "The governments tolerate them. The goal of the U.S. and various G-7 nations is figuring out to what degree they can turn up the pressure until those governments no longer tolerate them anymore."
There's a lot of motivation to do that, he added, and it is one of the few areas that sees bipartisan support in the U.S. Congress.
"We might potentially see some action in that regard," he said.
Action can't come soon enough.
Extradition might be the first step.
"You may see some individuals extradited in the interest of political favors and agendas," said Marc Punzirudu, director on the cybersecurity team at Sikich, a business consulting firm.
Russian Cybercrime Extradition Won’t Necessarily Solve the Problem
Extradition from Russia might help in the short term, Punzirudu said, until the hackers find a new safe haven.
"If the program is successful, I would hope that it sets a precedent for other countries," he said. "But I would find it more likely that it would just end up shifting the direction."
Plus, there are political considerations. Putin is demanding reciprocity, for example, but is the U.S. willing to send its own citizens to be prosecuted by Russia?
"Traditionally this topic has been very sensitive for Americans," he said.
Bottom line: Data center cybersecurity managers shouldn't be easing up anytime soon.
Even if the political efforts are successful, extradition, investigation and legal action take time and resources, he said. "Prioritization of security spending is more important now than ever before."