Jason Killmeyer: In preparation for Putin

As a second major ransomware attack in the past month threatened a sensitive node of our supply chain — our food supply — America remains stuck in an old way of thinking.

In the late 1990s, we saw the rise of express kidnappings across Latin America, where immediate ransoms were demanded and usually paid. Hollywood even made a movie about it, with Russell Crowe as the star. Companies hired private security as a cost of doing business there, as did freighters a decade later sailing through the Horn of Africa. That was during the height of Somalia’s piracy epidemic, peaking attention-wise with the hijacking of the Maersk Alabama. Another movie, this time with Tom Hanks.

As ransomware barges into the national consciousness, headlines read: “Gas shortages worsen as fuel prices spike after Colonial Pipeline ransomware attack” and “Cyber-attack hits world’s largest meat supplier.”

Through no fault of their own, these headlines fail their readers. Why? They use the word “cyberattack,” a term we need to officially retire. In May, gas stations across the East Coast weren’t having a virtual shortage, the tanks were empty.

Someone took out one of the United States’ major pipelines, preventing the flow of fuel that we need to heat our homes and fuel our cars. The same week that 71% of gas stations in Charlotte, N.C., reported being out of fuel as temperatures went as low as 45 degrees at night. That same pipeline carries heating oil and jet fuel, though luckily the disruptions to those functions were minimal.

Like any good military strategist, the attackers knew that crippling critical infrastructure is a way to get your opponents to sue for peace quickly. And we did. In doing so, we guaranteed the next major attack, which came less than 30 days later and targeted our food supply. The payment by JBS, the meat supplier, has now guaranteed a third attack.

Certainly, this does not excuse firms from underinvesting in their own security, nor should we allow them to pass off their IT infrastructure weaknesses to the taxpayers as an externality. But. These attacks have real world effects, they change what the military calls “facts on the ground.” Someone hammered a U.S. pipeline, and instead of making them pay, we paid them.

Recent action by the Justice Department creates both a new ransomware task force and raises the handling of ransomware cases to the “level of terrorism” in certain aspects of Department of Justice process. However, a closer look at the available portions of the memos reveals that these changes do little more than create basic information sharing across DOJ on the topic.

The elevation in handling of ransomware cases amounts to requiring field offices to report opened investigations to headquarters to “enhance and centralize our internal tracking.” Similarly, “the task force will increase training and dedicate more resources to the issue, seek to improve intelligence sharing across the department, and work to identify “links between criminal actors and nation-states.”

To those unfamiliar with government memos, phrases like “dedicate more resources to” and “work to identify” make clear how little meat there really is to DOJ’s recent steps.

During the past decade we saw a generally healthy evolution of American cyberdefense policy, including granting the Defense Department the lead role and authorizing it to conduct offensive operations. But whatever activity exists was insufficient to prevent a week or more of energy instability in the East Coast of the United States in the middle of a needed economic recovery.

Whatever the bar is, it is too low. Here are some steps to raising it:

First, United States leaders need to retire the term “cyberattack.” Just use attack. As we blend the digital and the physical, to use the term “cyber” is to misunderstand the world that we live in.

Second, in his summit with Putin this week, Biden should not make a request of Putin to rein in these networks. Instead, Biden should provide an explicit and definitive timetable — the type meant to be leaked — by which if the action persists the United States will take disruptive action against the responsible networks. The embarrassment to Putin of U.S. disruption of Russia-based actors might be incentive enough to drive a crackdown … if Putin believes we’ll actually follow through.

Third, we need to remember that the most devastating attack on the American homeland came from a loose collection of actors, and adjust our tactics for asymmetry as we’ve done with success before. Reject the law enforcement model misapplied against terrorism in the ’90s, and grant control to CyberCommand. Our generation of military leaders knows how to adjust tactics to counter asymmetric threats. Let them apply those lessons.

Fourth and finally, we need to consider “real world” deterrence against those enemies who have and who would attack us. If Russia bombed our pipeline, we wouldn’t respond with an appeal to international courts, we would recognize it as an act of war regardless of their motivation. Save the criminal charges for the bank robbers. Cripple our pipelines or our food supply and you might face a Special Forces operator, not crippled servers, Treasury Department sanctions, or Interpol warrants.

Ransomware attacks are a predictable yet preventable scourge if we’ve learned the by-now-rote lesson that we underestimate and underrespond to escalations by non-state actors at our peril.

Have we?

Jason Killmeyer is a Pittsburgh-based writer and columnist at Townhall.com. He worked as a consultant for over a decade in counterterrorism, defense and supply-chain technologies.