Petya Malware may be an Early Test of Muscular Trump Cyber Doctrine

In-brief: In the hours before the Petya malware began circulating, two high level Trump Administration officials called for a tougher stand against online actors who sow chaos. The question now is how the Administration will react.

Tel-Aviv, Israel – With the Petya “wiper” virus spreading globally, leaving crippled computers and organizational chaos in its wake, eyes are turning to the six-month-old administration of President Donald Trump for clues about how the U.S. and its allies will respond to one of the most destructive malware attacks to date.

In official statements, at least, the Administration takes a hard stand on ransomware, wipers and other forms of cyber crime and online adventurism. But experts say that retaliating against a nation-state like Russia will not be easy, even if attribution for the Petya attack can be tied to them.

The case for a muscular Trump Administration response to Petya is strong, at least judging by the words of its chief cyber security experts. Speaking at a conference at Tel Aviv University on Monday, just hours before the Petya outbreak would begin in Ukraine, the Trump Administration’s two leading advisors on cyber security policy each took a tough stand on acts of cyber criminality and called for a policy that imposes tough sanctions on nations and other actors who refuse to abide by international norms in cyber space.

Asked about his top concern, White House Cybersecurity Coordinator Rob Joyce seemed to anticipate the outbreak, identifying destructive malware attacks like the Shamoon attack on Saudi Arabia’s national oil company, ARAMCO. “Destructive malware like the Shamoon virus that just deletes data – that’s just beyond the pale,” Joyce told an audience at Tel Aviv University on Monday. Specifically, Joyce said he was worried that the world’s inaction in response to Shamoon reflected an unwillingness to take on bad actors in a forceful way. “The real issue is that we’re watching that happen in Saudi Arabia and we’re kind of letting that go. There has not been a huge international outcry about that behavior,” Joyce said.

The question, he said, is “what are the responsible actions we can take to make sure that … that is not going to come at us – our businesses, networks, governments.” How the U.S. and its allies respond to such attacks will or will not limit future actions, he said. Later, during the same discussion, Joyce called for strategies to impose costs on other nations who don’t adhere to norms of behavior. “We need to convince them that their attacks will be unable to achieve the outcomes they’re seeking or that the costs of proceeding in attacks are too grave to consider executing,” he said.

That opinion was echoed by Trump Administration Homeland Security Advisor Tom Bossert. In an address at the same event, he said: “We have to get serious about a deterrent strategy. We need a foundation of what constitutes responsible behavior.” The Trump administration will move from “talking about norms to implementing them,” he said, and “hold those who violate norms accountable.”

A map of Petya infections shows that the vast majority were in Ukraine, a frequent target of disruptive attacks believed to be the work of Russian hackers. (Image courtesy of ESET.)

The subsequent emergence of Petya just hours after those statements were made may challenge the administration to make good on its statements.

Research by ESET, Microsoft and others traces the initial infection to a software update from the Ukrainian company M.E.Doc, which develops tax accounting software. The group in question, which ESET has dubbed “Telebots” and Russian anti-virus firm Kaspersky Lab has dubbed “Sandworm,” has links to a wave of cyber attacks against financial institutions and critical infrastructure in Ukraine. That puts the incident in line with a string of attacks against the government of Ukraine that have been attributed to hacking groups affiliated with Russia, which seized Ukrainian territory in the Crimea and has been backing a separatist movement in Western Ukraine. Previous attacks have included hacks of Ukraine’s electric grid which caused widespread power outages in the country. The fact that the Petya attack also affected private sector organizations in the U.S. and its allies, including hospitals, transportation firms and other critical infrastructure, could be seen to raise the stakes on the Trump Administration to enforce those norms by making an example of whoever or whatever ends up being identified as the source of the attack.

Should the Russian government or hacking groups affiliated with it be linked unequivocally to the attack, the preferred U.S. response is unclear. Bossert, in his remarks in Tel Aviv, said that there need to be “incentives for cooperation and consequences for disruption.” He further raised the possibility of sanctions that would “limit bad actors’ access to markets and other benefits that the Internet brings.” However, other options are possible, including retaliatory strikes against nations or groups suspected of disruptive cyber attacks.

The statements from both Bossert and Joyce track closely to those of the Obama Administration, said Michael Sulmeyer, the Cyber Security Project Director at the Harvard Kennedy School’s Belfer Center. And the Petya incident clearly crossed a line by targeting a state not for criminal exploitation but to delete and destroy data.

“This feels like an exercise of state power rather than criminal hacking,” Sulmeyer said.

The fact that the attack ‘jumped the fence’ and affected countries and organizations other than its intended targets, including in the U.S., raises the stakes further. The question is whether the Trump Administration will be willing to act upon those statements – overtly or covertly. “At the very least there should be an explanation or statement about how (the Petya incident) lines up with the statements made by Joyce or Bossert,” Sulmeyer said.

Decisions about how or if to respond to provocations are always complex. For example, if the Trump Administration is seeking a reset of relations with Russia, then it may not want to pursue punishing the country for its hostility towards Ukraine. But if that is the case, the Administration needs to make the case publicly for that position.

The emergence in recent years of destructive malicious software like Shamoon and Petya is just one element of a fast-changing theater of operations for the U.S. military and intelligence services that also includes politically motivated attacks on the U.S. presidential election and on high-profile government agencies and politicians in the U.S. and Europe. Those changes require governments to foster a range of digital capabilities, from stockpiling exploits for unknown (zero-day) software holes, to investigating and prosecuting cyber crimes, to imposing sanctions on bad actors, said J. Michael Daniel, the President of the Cyber Threat Alliance and a former Special Assistant to the President and Cybersecurity Coordinator in the Barack Obama administration.

Joshua Corman of The Atlantic Council* said that the fast pace of attacks, including WannaCry and Petya, underscores the need for new mechanisms to enforce communal standards of behavior that are agile and not bound to slow-moving diplomatic processes. Attacks like Petya and WannaCry, which affected 65 hospitals in the UK, “demand more progress,” he said. “Rather than boiling the ocean by trying to port The Geneva Convention to cyber space, I think we need a parallel track to address real-time attacks like WannaCry and that would impose severe punishment and sanctions on attacks that damage hospitals deliberately or otherwise,” Corman said.

In the case of the Trump Administration and the U.S., Sulmeyer warns that a failure to respond could send a worrying message to the U.S.’s allies in this newest theater of geopolitical and military conflict.

“The big danger for the US is that for our allies and our partners, it becomes increasingly clear that the US won’t react to hostile acts against them in cyber space,” he said. “The message will be that when we say ‘we’ve got your back,’ it’s only in the kinetic world, not in cyber space. And that’s a dangerous proposition.”

(*) Correction: an earlier version of this story provided an incorrect name for The Atlantic Council. The story has been corrected. PFR July 3, 2017. 
