Russia Must Pay for NotPetya Cyberattack, Trump Cybersecurity Official Warns

An employee walks behind a glass wall with machine coding symbols at the headquarters of internet security giant Kaspersky in Moscow, on October 17, 2016. A Russian malware attack is estimated to have affected around 64 countries and cost companies over $1.2 billion. KIRILL KUDRYAVTSEV/AFP/Getty Images

The U.S. is going to make Russia pay for its acts of cyber aggression on the international stage, a top U.S. cybersecurity official told the audience at the annual Munich Security Conference in Germany.

"We're going to work on the international stage to impose consequences. Russia has to understand that they have to behave responsibly on the international stage," Rob Joyce, the White House cybersecurity coordinator and special assistant to the president, said Friday. "So we're going to see levers the U.S. government can do to impose those costs."

Joyce was speaking primarily about a malware attack called NotPetya that the British government says Russia carried out last summer. The malware attack is estimated to have affected around 64 countries and cost companies over $1.2 billion.

The attack spread around the globe after originally hitting an accounting program in Ukraine. The country's national bank and numerous government agencies were all affected.

The worst part about the NotPetya/Nyetya attack was that it did not even attempt to focus on military/strategic targets. Nyetya was an intentionally broad campaign against civilian targets at great cost to Ukraine and its people. Attacks focusing on civilians must be condemned.

— Craig Williams (@security_craig) February 16, 2018

On Thursday, Britain's Foreign Office released a statement that said that "the attack masqueraded as a criminal enterprise but its purpose was principally to disrupt."

"Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business," the statement read, adding that the U.K. judges that the Russian government was responsible for the attack.

The White House subsequently released a similar statement, calling the attack part of the Kremlin's ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict."

Russia annexed Ukraine's Crimean peninsula in 2014, and many analysts and experts say that Russia is aiding Russian-allied separatists in a conflict in Eastern Ukraine. The U.S. and European Union have implemented numerous sanctions against Russia in response to its involvement in Ukraine.

The @WhiteHouse Cybersecurity Coordinator Rob Joyce is highly engaged in this year's @MunSecConf events & panels and strengthen the cooperation between 🇺🇸 and 🇩🇪 in #Cybersecurity. #MSC2018 #MSC

— US Consulate Munich (@usconsmunich) February 16, 2018

Cybersecurity experts say that the U.S. and the U.K. are likely correct in their assessment that Russia was responsible for NotPetya, and that strong offensive measures are needed to counter Russian cyberattacks.

"The U.S. and U.K. governments are in a unique position to validate technical cyber forensics with traditional intelligence data, allowing them to more effectively connect the dots and come to conclusions about who is behind particular attacks. In the case of the NotPetya attacks, it is reasonable to assume that nation states could camouflage a political attack as a cybercrime campaign to conceal its origin," Steve Grobman, CTO of the cybersecurity firm McAfee, told Newsweek.

"Offensive cyber operations by nation states should attempt to limit damage to noncombatants and nonobjectives. In this case, NotPetya had substantial impact beyond the intended political targets, disrupting the IT systems and operations of thousands of civilian organizations worldwide. It's critically important to ultimately hold nations accountable for the comprehensive damage inflicted by such attacks," Grobman added.

During his talk at Munich, Joyce did not outline specific ways that the U.S. would make Russia pay for its actions.

President Donald Trump recently failed to pass new sanctions on Russia that would punish the country for its interference in Ukraine and for its interference in the 2016 presidential election. U.S. intelligence agencies have unanimously concluded that Russia interfered in the 2016 elections, including through hacking and online disinformation campaigns, but Trump has failed to acknowledge Russian interference.