Finian Cunningham
June 17, 2021

Blaming Russia for Hacking Lets Faulty U.S. Cybersecurity Off Hook

Blaming Russia for cyberattacks not only misdirects attention away from the commercial negligence behind the West's own cybersecurity problems. It also risks setting up a catastrophic conflict based on disinformation.

Cyberattacks on American and European industries and government departments are increasingly reported, representing massive financial losses for victims who pay out hefty ransoms to avert damage. It has become fashionable in Western media to blame Russian state actors or criminal cyber gangs based in Russia.

NATO leaders this week fingered Russia for the upsurge in ransomware attacks, either through malign state agents or from turning a blind eye to organized crime. There is no evidence to support such claims against Russia but, of course, they play into Western media narratives that have sought to demonize Russia over a range of other malign conduct.

There is, however, a cogent explanation for why there appears to be a recent spike in computer hacking in the United States and other Western countries, and why the blame is being pushed so intensely onto Russia.

Randy Martin, a U.S.-based political analyst who also worked for years in developing computer security systems, says that American companies are wide open to criminal attacks because the software industry there is “such a dismal failure”.

Unlike in many other countries, cybersecurity in the U.S. is commonly supplied by private firms that operate on a profit basis. That goes for government departments such as health and education, as well as for key utilities of power, water and fuel. Martin says that these companies have cut back on developing robust cybersecurity over several years in order to reduce costs and boost profits. The upshot is that industries and government departments are left acutely vulnerable to bad actors who can exploit the weaknesses with ransomware attacks.

This prevalent condition of poor cybersecurity was illustrated last month when an oil pipeline serving the entire U.S. east coast was shut down by cyber attackers who demanded a multi-million-dollar ransom for recovery. It’s not clear where the criminal gang operated from, although U.S. media claimed it was from Russia.

U.S. deputy attorney general Lisa Monaco admitted in a media interview that the problem of increasing ransomware rackets on U.S. firms lay with inadequate cybersecurity. She told CNBC: “The message needs to be to the viewers here, to the CEOs around the country, that you’ve got to be on notice of the exponential increase of these attacks… If you are not taking steps — today, right now — to understand how you can make your company more resilient, what is your plan?”

So, that’s the first point. The vulnerability of U.S. industries and businesses is largely due to dereliction in cybersecurity services because of the profit motive.

The second point, as analyst Randy Martin notes, is that the rush to blame Russia or Russia-based hackers is a handy way to shift liability for the damages.

“The US software industry is such a dismal failure when it comes to the security of its products it is using the ‘Blame Russia’ or blame criminal hackers to take the focus and liability off of themselves,” says Martin.

He further explains: “If the attack is blamed on a state actor and attributed by U.S. intelligence then liability will largely become a taxpayer burden. In that way, insurance companies and companies that sold or distributed the software or were responsible for security are largely exempted from litigation and costs. All of this is significant in understanding why everyone is so quick to attribute blame.”

In other words, if malware-hit companies were to direct complaints against the software firms that were paid to protect their computer systems, then those software services would be potentially slapped with massive bills for reparations. It is thus a big incentive for firms to scapegoat the perpetrator as some awesome, mysterious malign force (Russia) in order to let the real culprits (inferior U.S. cybersecurity services and management) off the hook. And an added incentive is that cyberattacks from a purported foreign actor can then qualify for generous U.S. government compensation on the taxpayers’ tab.

Says Martin: “All of the fancy dancing around ‘who done it?’ has everything to do with shifting the liability.”

He points out that this lack of accountability for U.S. computer security firms is exceptional compared with other industries. “If for instance, Microsoft is negligent due to hacker exploits not being fixed, and if the blame can be attributed to the attacker, then Microsoft is off the hook for negligence. This is unprecedented behavior in other industries. Automobile manufacturers and aircraft makers are often sued for being negligent for not installing specific safety devices on the products. Why shouldn’t Microsoft be sued for inadequate cybersecurity?”

But this cybersecurity scam has even bigger and graver implications. Blaming Russia or Russia-based hackers is not simply a neat way to offset costs; it is a dangerous escalation of national security tensions at a time when relations are already fraught with animosity.

At this week’s summit in Brussels of the U.S.-led NATO military alliance, Moscow was accused of carrying out cyber attacks on Western industries and government departments as part of an alleged “hybrid warfare”. The Kremlin was also accused of turning a blind eye to alleged criminal cyber gangs operating from Russia. No evidence was presented, as usual, but the insinuation is that the Kremlin is using cyber gangs as proxies to disrupt Western states. More alarming is that the NATO leaders cited this purported Russian malign conduct as being equivalent to acts of war and in the context of invoking Article 5, the common defense clause of the 30-member military alliance.

Blaming Russia for cyberattacks not only misdirects attention away from the commercial negligence behind the West's own cybersecurity problems. It also risks setting up a catastrophic conflict based on disinformation.

It should be borne in mind that Russia has repeatedly urged the United States and its allies to formulate an international cybersecurity treaty to enable joint safeguards. Those appeals by Moscow have been repeatedly spurned by Washington and NATO.

The views of individual contributors do not necessarily represent those of the Strategic Culture Foundation.