Revised 28/1/2022 – On the face of it, Somali piracy, which dominated the headlines between 2009 and 2012, has very little to do with today’s ransomware epidemic.
One took place at sea, involving groups of young men, armed with AK47s and RPGs, operating from skiffs, targeting poorly defended international commercial shipping and ocean-going private yachts, at random off the coast of Somalia. They held crew and cargo hostage, the vessels moored up off the Somali coast, often for months until, after lengthy negotiations through intermediaries, insurers paid millions of dollars in ransoms.
The other involves groups of highly skilled cyber criminals, sitting in front of a computer, a part of a distributed cyber network, often hundreds of miles away from fellow gang members, choosing targets at random and deploying ransomware against poorly defended IT systems.
There are some obvious differences. Between 2010 and 2011, 16 crew members were killed during Somali pirate attacks on international shipping in the Indian Ocean. Although ransomware gangs have targeted healthcare systems, as happened in Germany in 2020 and Ireland in 2021, connecting loss of life with a cyber attack has yet to be proved beyond doubt. And in the case of piracy, ship insurers paid the ransoms directly to the pirates, via private military companies.
However, in other respects, the similarities are striking.
Somali pirates were based in a country offering a permissive environment, allowing them freedom of action to conduct raids and hold their hijacked ships without fear of intervention. Ransomware gangs also enjoy the benefits of operating from a safe haven, beyond the reach of international law enforcement, albeit under different circumstances. In Russia, for example, it is widely known that ransomware gangs are tolerated because of the disruption they cause to the West’s economies.
In fact, in view of the current standoff over Ukraine, it is not inconceivable that their skills are a part of President Putin’s grand strategy over the potential invasion of their neighbours. Following the recent cyber attacks in Ukraine – denied by Russia – these attacks are likely to be deployed as a weapon of war.
The similarities go on.
The goal of both enterprises is to extort money. The insurance industry is central to both business models. At the beginning of the crisis in the Indian Ocean, ships were poorly defended from attack, much as the West’s IT systems are vulnerable to cyber intrusion now. We might be stretching the point, but a ship’s citadel could be likened to offline backups.
Somali piracy peaked in 2010 and by September of the following year, the focus shifted from tackling piracy in the Indian Ocean to resolving the problem on land in Somalia. Crucially, in March 2012, a decision was made to allow the UN-mandated EU naval task force to conduct offensive operations against pirate paraphernalia on shore in Somalia; to destroy and disrupt piracy operations. In conjunction with this, Somali pirates began being prosecuted through judicial systems in countries neighbouring the Indian Ocean, such as the Maldives and Mauritius.
So with a safe haven removed, and the knowledge that, if caught, young Somali men faced years behind bars, the incidence of piracy began to drop off to normal levels.
So at what point does the UK Government, in collaboration with its allies, make a step change in its response to dealing with ransomware gangs, and what thresholds need to be crossed for it to be considered a national security issue? According to Lindy Cameron, CEO of the UK NCSC, speaking at RUSI’s annual security lecture last year, we are already there. We know the UK Government has the capability to disrupt these attacks, but does it have the appetite to pursue the full range of options open to it?
In normal times, economic sanctions, diplomatic pressure and, at the other end of the scale, covert offensive operations to disrupt the gangs’ activities in situ, are all levers that can be pulled. With the threat of a state on state conflict in Eastern Europe looming, the rules of the game are already changing, making it harder for responsible cyber democracies to bring those responsible to justice.
The only way to respond to the ransomware epidemic is to approach it as we did against Somali piracy. We need international cooperation, coordinated offensive action, and we need to explore the potential for ransomware gang members to be tried in an international criminal court, if they can be traced.
Notwithstanding the current geopolitical crisis, we can still do more to regain the initiative in the global fight against the cyber criminals behind ransomware.