They have the sort of names that only teenage boys or aspiring Bond villains would dream up (REvil, Grief, Wizard Spider, Ragnar), they base themselves in countries that do not cooperate with international law enforcement and they don’t care whether they attack a hospital or a multinational corporation. Ransomware gangs are suddenly everywhere, seemingly unstoppable – and very successful.

Read the rest at The Guardian

A problem for investors is that companies don’t have proper incentives for preventing attacks. Herb Lin, cyber policy and security scholar at Stanford University’s Hoover Institution, said companies spend too much energy avoiding responsibility for attacks, rather than preventing them. As a result, manufacturers don’t take responsibility for fully protecting themselves from security breaches, he said.

Kaseya’s end-user agreement largely absolves it of breaches that compromise customers’ data unless there was gross negligence or misconduct.

A Kaseya spokeswoman said in an email that their agreement’s language is “standard for our industry.”

According to Lin, widespread use of such agreements is precisely the problem.

“Companies go out of their way to say we’re not liable for any consequences of this type of attack,” he said, pointing to user agreements pre-emptively absolving themselves of responsibility, and seemingly catastrophic events without lasting harm to companies’ stock prices.

Read the rest at Barron's

This interview with CISAC Affiliate Christopher Painter was originally produced by Jen Kirby. The complete article is available at Vox.

The frequency, scope and scale of ransomware attacks against public and private systems is accelerating. In the latest incident, the ransomware group REvil has demanded $70 million to unlock the systems of the software company Kaseya, an attack that affects not only Kaseya, but simultaneously exploits all of the company’s clients.

The REvil, JBS meatpacking and Colonial Pipeline attacks have abruptly raised the profile of ransomware from a malicious strand of criminality to a national security priority. These are issues that Christopher Painter, an affiliate at the Center for International Security and Cooperation (CISAC), has worked on at length during his tenures as a senior official at the Department of Justice, the FBI, the National Security Council and as the world's first top cyber diplomat at the State Department.

Jen Kirby, a reporter for Vox, interviewed Painter to discuss how cybercrimes are evolving and what governments should do to keep ransomware attacks from escalating geopolitical tensions online and off.

Jen Kirby:
I think a good place to start would be: What are “ransomware attacks”?

Christopher Painter:
It is largely criminal groups who are getting into computers through any number of potential vulnerabilities, and then they essentially lock the systems — they encrypt the data in a way that makes it impossible for you to see your files. And they demand ransom, they demand payment. In exchange for that payment, they will give you — or they claim, they don’t always do it — they claim they’ll give you the decryption keys, or the codes, that allow you to unlock your own files and have access to them again.

That is what traditionally we say is “ransomware.” That’s been going on for some time, but it’s gotten much more acute recently.

There is another half of that, which is that groups don’t just hold your files for ransom, they either leak or threaten to leak or expose your files and your information — your secrets and your emails, whatever you have — publicly, either in an attempt to embarrass you or to extort more money out of you, because you don’t want those things to happen. So it’s split now into two tracks, but they’re a combined method of getting money.

Jen Kirby:
We’ve recently had some high-profile ransomware attacks, including this recent REvil incident. Is it that we’re seeing a lot more of them, or they’re just bigger and bolder? How do you assess that ransomware attacks are becoming more acute?

Christopher Painter:
We’ve seen this going on for some time. I was one of the co-chairs of this Ransomware Task Force that issued a report recently. One of the reasons we did this report was we’re trying to call greater attention to this issue. Although governments and law enforcement were taking it seriously, it wasn’t being given the kind of national-level priority it deserved.

It was being treated as more of an ordinary cybercrime issue. Most governments’ attention is focused on big nation-state activity — like the SolarWinds hack [where suspected Russian government hackers breached US government departments], which are important, and we need to care about those. But we’re very worried about this, too.

It’s especially become more of an issue during the pandemic, when some of the ransomware actors were going after health care systems and health care providers.That combined with these big infrastructure attacks — the Colonial Pipeline clearly was one of them. Another one was the meat processing plants. Another one was hospital systems in Ireland. You also had the DC Police Department being victimized by ransomware. These things are very high-profile. When you’re lining up for gas because of a ransomware attack, and you can’t get your food because of a ransomware attack, that brings it home as a priority. And then, of course, you have what happened this past weekend. So ransomware has not abated, and it continues to get more serious and hit more organizations.

Over the July 4 weekend, the Russian-based cybercriminal organization REvil claimed credit for hacking into as many as 1,500 companies. In May, another cybercriminal group, DarkSide shut down most of the operations of Colonial Pipeline. These incidents were bad enough. But imagine a cyberattack that turned off the power at U.S. hospitals, wreaked havoc on air-traffic-control systems and shut down the electrical grid in major cities. Under current U.S. nuclear doctrine, developed during the Trump administration, the president would be given the military option to launch nuclear weapons at Russia, China or North Korea if that country was determined to be behind such an attack.

Read the rest at The Washington Post

Over the past year, a number of seriously consequential cyber attacks against the United States have come to light. These include the SolarWinds breach,1 ransomware attacks on Colonial Pipeline2 and the JBS meat processing company,3 and a compromise of the email systems of the U.S. Agency for International Development.4 U.S. officials have indicated their belief that Russia either sponsored these attacks or at least tolerated the activities of the Russia-based hacker groups responsible for them.

That such attacks have happened at all raises important and disturbing questions about risks to the increasing U.S. dependency on information technology, including that of nearly every aspect of America’s nuclear force management, from stockpile management to launch. These risks suggest that American nuclear forces may be far more vulnerable to cyber disruption, destruction, and corruption than policymakers realize.

Read the rest at Texas National Security Review

This interview by Melissa De Witte originally appeared in Stanford News.

The upcoming summit between President Joe Biden and President Vladimir Putin is not rewarding the Russian leader for his bad behavior: It’s opening negotiations and delivering a warning to him instead, says Stanford scholar Kathryn Stoner.

Here, Stoner is joined by Stanford political scientist and former U.S. Ambassador to Russia Michael McFaul, Payne Distinguished Lecturer at CISAC and former Deputy Secretary General of NATO Rose Gottemoeller and Russia historian Norman Naimark to discuss what to expect at the summit in Geneva on Wednesday.

The meeting, the scholars say, could reset U.S.-Russia relations, signal deterrence on certain issues – including cybersecurity in light of attacks like the SolarWinds breach that the U.S. has blamed on the Russian Foreign Intelligence Service – and launch strategic stability talks related to nuclear weapons.

Interviews have been edited for length and clarity. For more information on what to expect about the Biden-Putin summit from FSI scholars, visit the FSI website.

Where does diplomacy now stand between the U.S. and Russia?

Naimark: Russian-American relations are at their lowest point since the fall of the Soviet Union in 1991, perhaps even since the last years of Gorbachev’s rule. When relations are fraying between the world’s two most powerful nuclear powers, the coming of the summit on June 16 between President Biden and President Putin should be welcomed. It’s worth recalling the heightened military tensions just three months ago between Moscow and Washington, when Moscow moved tens of thousands of troops to the Ukrainian border and mobilized its air and sea power in the region. Both leaders have emphasized that they seek stability, reliability and predictability in their bilateral relations; at the same time, their respective administrations have warned that expectations should be kept at the minimum for any kind of serious breakthrough at the summit.

Stoner: We’ve lost a lot of leverage because of the withdrawal from global politics that started under the latter part of the Obama administration and continued with Trump with his America First platform, which meant America alone. There is some leverage, it’s just how much. We don’t necessarily want to destabilize Russia because it’s a big, complicated country with nuclear weapons, but all signs point to Putin staying in office until 2036. He’s not going away. I think we have to try to signal deterrence on certain issues, like trying to move into another former Soviet republic as he is doing with Ukraine, Georgia and potentially Belarus, but then cooperate in other areas where it is productive to do so.

What do you think about some of the criticisms toward Biden meeting with Putin? For example, that Biden meeting with Putin is only rewarding him for his bad behavior.

Stoner: There is a reasonable question about why Biden and Putin are meeting and if it is somehow rewarding Putin for bad behavior by having a summit with the President of the United States. Rather than rewarding Putin, however, I think this meeting could be Biden’s warning to him that if hacking and other cyberattacks continue, we have a menu of things we could do as well.

Naimark: There is no reason that the American president cannot talk about difficult subjects like cybersecurity, ransomware attacks, human rights, the release of Alexei Navalny, the protection of Ukrainian sovereignty and other important items on the American agenda while focusing on issues of mutual interest: the future of arms control, global warming and the regulation of the Arctic, and outer space. One can always hope that, like the last summit on Lake Geneva between Russian and American leaders [Mikhail Gorbachev and Ronald Reagan] in November 1985, this one can lay the groundwork for serious improvements in relations in the near future.

Is this meeting a reset of diplomatic relations between the two nations?

Stoner: I know in Washington it is popular to say that Biden is not having a reset of relations with Russia when past presidents all have tried that. I think that’s wrong. I do think it is a reset in the relationship in that there should be more clarity and stability, but that doesn’t mean it’s going to be friendly and universally cooperative, given that we still see many differences in perspectives and some antagonism too. Still, Russia and the U.S. need to talk because there are a lot of issues in common where it would be helpful to coordinate with Russia. After all, even in the depths of the Cold War, the leaders of both countries still talked. Russia has reestablished itself as the most formidable power in Europe and it looks like Biden is acknowledging that and the fact that the U.S. can no longer afford to ignore Russia.

Is there anything the two leaders will be able to agree upon?

McFaul: I used to organize these kinds of meetings when I worked in the government and back when President Medvedev was there. We would have these meetings as a way to force our governments to produce what is called in State Department-speak “deliverables.” We didn’t have meetings to have them, we wanted to get things done. In the first Obama-Medvedev meeting we had a long list of deliverables when they met in July of 2009.

But there is no way that will happen with Putin today because he doesn’t really want to cooperate, he doesn’t really want deliverables. That’s challenging for President Biden, I think, because he has said that he wants a stable, predictable relationship with Putin. I think that’s fine to aspire to, but I don’t think Putin is that interested in that kind of relationship, so that creates a challenge of substance for summits like this.

Gottemoeller: With such different threat perceptions, the two presidents are not going to agree in Geneva about what should go into the next nuclear treaty. They can agree, though, to put their experts together to hammer it out. They can also agree to put the two sides together to tackle the different threat perceptions and the question of what stability means. Finally, they can agree to a deadline, so the talks don’t stall. It won’t be a headline-grabbing outcome, but at least Moscow and Washington will get moving again on the nuclear agenda.

Where can Biden make progress?

McFaul: I think the most likely place to make progress is to launch strategic stability talks, which is an abstract phrase for beginning the process of negotiations about nuclear weapons and their delivery vehicles that would be a follow-on to the New START treaty. Biden and Putin rightfully extended the New START treaty early in his term for five years, and I think that was very smart. I personally worked on that treaty, so I think it’s a good treaty and deserves to be extended. But it’s going to run out really fast because the next set of negotiations are going to be much more complicated. I hope they would start some process to begin those negotiations now.

Gottemoeller: Maybe the only place where President Biden can make progress with Vladimir Putin in Geneva is the nuclear agenda with Russia. Since the two men agreed, in February, to extend the New START treaty by five years, they have put out a clear public message that they intend to pursue a deal to replace New START and to launch strategic stability talks. They are not going to have identical ideas, however, about what those two goals mean.

Biden wants a new arms control deal that will control all nuclear warheads, whether launched on intercontinental strategic-range missiles or on shorter-range systems. He also wants to get a handle on some of the new types of nuclear weapons that the Russians have been developing. One new system, for example, uses nuclear propulsion to ensure that it can fly for many hours at great speed over long distances, earning it the moniker “weapon of vengeance.” These exotic weapons did not exist when New START was negotiated; now, they need to be controlled.

Putin, by contrast, focuses on U.S. long-range conventional missiles that he worries are capable of the accuracy and destructive power of nuclear weapons. The United States, in his view, could use these conventional weapons to destroy hard targets such as the Moscow nuclear command center. He also worries that the United States is producing ever more capable ways to intercept his nuclear missiles and destroy them before they reach their targets. In his worst nightmare, the United States undermines his nuclear deterrent forces without ever resorting to nuclear weapons.

What advice do you have for Biden?

McFaul: One, do not have a one-on-one meeting – just have a normal meeting. Two, I would recommend not having a joint press conference that just gives Putin a podium for the world to say his “whataboutism” stuff; it’s better to have separate press conferences because most of the world will be more interested in what Biden says compared to what Putin says.

Third, I think it’s important to cooperate when you can but also be clear about your differences and don’t pull punches on that. In particular, I want Biden to talk about Alexei Navalny, the Americans who are wrongly detained in Russia today, Crimea still being occupied, Russian proxies in eastern Ukraine, and parts of Georgia that are under occupation. They have been attacking us relentlessly with these cyberattacks, these Russian criminals who in my view have to have some association with the Russian government.

That’s a tough list, but I think it’s really important for President Biden to say those things directly to Putin. I have confidence that he can. I was at their last meeting. I traveled with the vice president in 2011 when he met with then Prime Minister Putin. Biden is capable of delivering tough messages and I hope he uses this occasion to do so again.

What would be a sign that their meeting was productive?

Stoner: One sign the meeting was productive would be if Biden and Putin could agree to establish a joint committee or council on some rules surrounding cybersecurity. Another would be if they make plans to talk again about either replacing or reviving the Minsk-2 agreement [that sought to bring an end to Russia’s war on Ukraine]. And three, a positive sign would be if they plan to do some negotiation on further reducing tactical nuclear weapons or strategic nuclear weapons. An agreement to disagree on some issues, but to continue talking on others would be indicative of at least some small progress.

In collaboration with Global:SF and the State of California Governor’s Office of Business and Economic Development, the China Program at Shorenstein APARC presented session five of the New Economy Conference, "Navigating Chinese Investment, Trade, and Technology," on May 19. The program featured distinguished speakers Ambassador Craig Allen, President of the US-China Business Council; David K. Cheng, Chair and Managing Partner of China & Asia Pacific Practice at Nixon Peabody LLP; James Green, Senior Research Fellow at the Initiative for U.S.-China Dialogue on Global Issues at Georgetown University; and Anja Manuel, Co-Founder and Principal of Rice, Hadley, Gates & Manuel LLC. The session was opened by Darlene Chiu Bryant, Executive Director of GlobalSF, and moderated by Professor Jean Oi, William Haas Professor of Chinese Politics and director of the APARC China Program.

U.S.-China economic relations have grown increasingly fraught and competitive. Even amidst intensifying tensions, however, our two major economies remain intertwined. While keeping alert to national security concerns, the economic strength of the United States will depend on brokering a productive competition with China, the world’s fastest growing economy. Precipitous decoupling of trade, investment, and human talent flows between the two nations will inflict unnecessary harm to U.S. economic interests--and those of California.  

Chinese trade and investments into California have grown exponentially over the last decade. But they have come under increasing pressure following geopolitical and economic tensions between the two nations, particularly in the science and technology sectors. Ambassador Craig Allen, David Cheng, James Green, and Anja Manuel explored the role of Chinese economic activity in California in the context of the greater US-Chinese relationship. Watch now: