Technological advances now touch every area of our lives. We work primarily at computers or on mobile devices, book medical appointments via apps, and even critical infrastructure such as power and water stations is increasingly present online.
This connectivity benefits society enormously but also exposes us all to a diverse set of complex and persistent cyber threats. Even more distressing is the reality that many of these threat actors operate with impunity and, unlike their offline counterparts, are not deterred from their malicious activities. Cybercriminals who perpetrate ransomware attacks are a perfect example, but fortuitously they might also provide the key we need to develop better strategies for cyber deterrence.
What is cyber deterrence?
While the term cyber deterrence is relatively new, the concept and theory of deterrence has been around for a long time. The core idea is that a deterrence strategy aims to convince an adversary that the cost or penalty that they would encounter from conducting an attack is not worth any benefit that may materialise. Deterrence features in several domains (e.g., preventing crime) but is particularly studied at a nation state and political level, considering how states deter others from acts of aggression.
Cyber deterrence builds on this foundation and explores all facets of deterrence in cyberspace. One interpretation from Iasiello (2014) is:
“Cyber deterrence is a strategy by which a defending state seeks to maintain the status quo by signalling its intentions to deter hostile cyber activity by targeting and influencing an adversary’s decision making apparatus to avoid engaging in destructive cyber activity for fear of a greater reprisal by the initial aggressor.”
This definition, albeit more politically oriented, highlights key components of deterrence online. Further to this conceptualisation, the author makes the case for at least two primary types of cyber deterrence. The first is deterrence by punishment, where adversaries are dissuaded from attacks by the reprisal actions they would face (e.g., from those impacted or relevant authorities). The second is deterrence by denial, where the adversary is discouraged by the likely denial of the sought-after benefits.
In theory, this works well. A cybercriminal may be convinced not to hack into a bank because they may be caught, prosecuted, and imprisoned. Or, they may decide not to attempt the hack because they would face challenges transferring any ill-gotten funds to an untraceable account.
In practice, however, this concept has not materialised as expected, and this is particularly visible in the case of ransomware attacks.
The case of ransomware
Ransomware is a malicious type of software that encrypts digital systems and prevents them from being accessed until a ransom is paid to an adversary. This form of cyber-attack has risen significantly of late with current statistics suggesting that 66% of organisations have been impacted and that ransomware payments totalled $1 billion in 2023. A unique facet of ransomware is also the link of some attackers to nation states, either as direct or indirect supporters.
Ransomware poses a significant threat to businesses and states alike due to its indiscriminate nature and its ability to cripple systems. We have witnessed attacks on government institutions (the Costa Rica government attack in 2022), local governments (Leicester City Council in 2024, City of Oakley, California in 2024, City of Augusta in 2023, Hackney Council in 2020, City of Atlanta in 2018), oil pipelines (Colonial Pipeline in 2021), health services (Change Healthcare in 2024, HSE in 2021, NHS in 2017), financial services (CNA Financial in 2021), food suppliers (JBS in 2021), and the education (British Library in 2023, Stanford University in 2023) and transport (San Diego Port in 2018) sectors.
These attacks have caused a range of significant harms to individuals but have also impacted the ability of countries to function effectively. In the case of Costa Rica in 2022, the attack was so damaging that the country declared a national state of emergency to deal with the crisis. At the local government level, the ransomware compromise of Hackney Council in 2020 meant that basic services such as social care and the land registry were unavailable. Worse yet, in 2023 the City of Dallas had its Police Department website knocked offline and other critical services like 911 were impacted.
The increase in ransomware attacks has been gradually matched by an increase in perpetrators and in sophistication of the ransomware ecosystem. To date, there have been countless ransomware groups, with some of the most prominent including LockBit, Conti, BlackCat/ALPHV, CL0P, REvil, Akira, Ryuk, DarkSide, Maze and Hive. Many of these groups function like legitimate businesses with management structures, HR departments and call centres.
Considering their significance and impact on society, a critical question is, what, if anything, has been done in terms of cyber deterrence?
Ransomware as an opportunity to get cyber deterrence right
Although cyber deterrence has been discussed in policy and academic arenas for decades, the reality is that there seems to be little agreement on how best to achieve it and how broad or narrow it should be regarded. This lack of clarity – and undoubtedly the international nature of the adversary – may well be key reasons why threats like ransomware have arisen.
Focusing first on what has been done to address the threat, there are a few poignant examples that align with traditional deterrence approaches. As it relates to deterrence by punishment, governments have sanctioned ransomware actors and law enforcement agencies have launched offensive cyber operations, takedown campaigns (as seen with Operation Cronos on LockBit in 2024) and arrested group members. There are also actions to deny ransomware groups financial benefits from their attacks. For instance, as a part of multinational collaborations, like the Counter Ransomware Initiative (CRI), in 2023 governments vowed not to pay or support ransom demands. Also of note is the growing ability to track and seize ransom payments, as was done in the case of Colonial Pipeline where at least $2.3 million in Bitcoin originally paid to the DarkSide group was seized by the US Justice Department.
These strategies, albeit significant, seem to have had little prolonged, effective impact on deterring ransomware groups or their attacks. New ransomware operators and attacks continue to emerge. Even LockBit – which was itself the victim of a significant international law enforcement takedown operation – appears to have returned online only a few weeks later.
Arguably, therefore, cyber deterrence strategies for ransomware – at least in the situations discussed – do not seem to be widely effective. Indeed, a recent UK National Security Strategy report stated:
“There is a high risk that the Government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking.”
While this lack of effectiveness is a critical issue, it also poses a tangible opportunity for academics, policymakers, and practitioners to join efforts to develop the field of cyber deterrence further by focusing on a common enemy. Ransomware is a unique cyber threat that is not primarily perpetrated by nation states (albeit impacting them), is not bounded by physical properties (as traditional discussions around deterrence are), requires international collaboration at various levels of government, law enforcement and private sectors, and is a policy as well as a technical concern. Defining an effective cyber deterrence strategy for ransomware could facilitate a more comprehensive understanding of deterrence in cyberspace in general, and provide the basis for future deterrence strategies.
Read more
Iasiello, E. (2014). Is cyber deterrence an illusory course of action? Journal of Strategic Security, 7(1), 54-67.
Mott, G., Turner, S., Nurse, J.R.C., MacColl, J., Sullivan, J., Cartwright, A., & Cartwright, E. (2023). Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Computers & Security, Elsevier.
Pattnaik, N., Nurse, J.R.C., Turner, S., Mott, G., MacColl, J., Huesch, P., & Sullivan, J. (2023). It’s more than just money: the real-world harms from ransomware attacks. In International Symposium on Human Aspects of Information Security and Assurance (pp. 261-274). Springer.
House of Commons et al. (2023). A hostage to fortune: ransomware and UK national security. Available at: https://committees.parliament.uk/publications/42493/documents/211438/default/
MacColl, J., Hüsch, P., Mott, G., Sullivan, J., Nurse, J.R.C., Turner, S., & Pattnaik, N. (2024). Ransomware: Victim Insights on Harms to Individuals, Organisations and Society. RUSI OP.