In 2010, Joseph Menn in his book “Fatal System Error” revealed that Russian intelligence agencies were collaborating with organized criminal hacking groups. The core narrative of the book was the true story of a California private security expert and a U.K. detective who worked to root out a cyber-extortion gang. In those days, the extortionists used botnets to launch denial of service attacks on websites and demanded payment by Western Union in order to drop their assaults and let the companies reach customers again. Over three years of working mostly in Russia and two attempts on his life, and with help from the British foreign secretary, detective Andy Crocker managed to get three of the gang arrested, tried, convicted and sent to prison for 8 years. Yet when he tried to go upstream and get the taskmasters, he was told his time in Russia was up. The reason was that some of the same people and botnets were being used to go after targets at odds with the Russian government, including sites in Estonia and Georgia. The thin plausible denial of “patriotic hackers” and the lack of consequences, I warned, made it likely that the situation would get far worse unless it became a priority for the White House and other world leaders.
Well, those were the good old days. Since then, the Russian criminal underground has reinvested its profit, diversified into far more sophisticated hacking capabilities and targets, and recruited young talent with flashy cars and arm-candy girlfriends. The intelligence services, meanwhile, have hired criminals directly into their ranks and formalized splitting the haul from data breaches, so that the gangs keep what they can monetize and hand over what might be useful in international relations, as with the Yahoo breach, to the agencies for further handling. In addition to making election interference easier, the more mature formulation has led the unchecked surge in ransomware that crippled Western hospitals during Covid and idled the largest U.S. gas pipeline in May. Sanction declarations and other penalties have bounced of the Kremlin walls like so many toy arrows. Far from negotiating from a position of strength, The U.S. has been reduced to increasing regulation of its vendors and cajoling critical infrastructure to do a better job on defense. The answer might be a new global treaty for accountability—except that the United Nations has turned to Russia to draft one. My conclusion: It’s going to be a long decade.