Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary Coast of northern Africa. The Barbary States had been the scourge of the seas for centuries. They raided coastal towns along the Mediterranean, British Isles and west African coasts to rob, pillage and enslave over a million people. They captured merchant ships and stole their goods while enslaving the passengers and crew. After a four-year war with the Barbary States, the U.S. still paid tribute to prevent piracy against U.S. citizens and merchant ships.

Today, Russia harbors cybercriminals who engage in constant attacks on the rest of the world for financial gain. For a decade these attacks grew. It started with attackers making money from fraudulent clicks and grew to stealing banking credentials. DDoS gangs demanded protection money in exchange for not getting shut down, with online gaming sites the primary targets. The invention of cryptocurrencies led to widespread use of ransomware to hold data and companies’ livelihood hostage until ransoms could be negotiated.

Can we look to the past and the international response to state-supported piracy to find solutions to today’s problem of ransomware gangs given safe harbor by Russian president Vladimir Putin?

President Biden is preparing a response even now. He has already warned Putin with veiled threats against Russian pipelines and has told the press several times that retaliation for ransomware attacks is coming. There is speculation that the takedown of REvil’s website on July 13 may even be an example of this.

European navies were effective at fighting Barbary pirates. The pirates typically had galleys, rowed by slaves, while the fighting men were armed with cutlasses and pistols. The appearance of a frigate, heavily armed with cannons, would scare them away quickly and sometimes result in the death of the pirates.

I submit that a U.S. response that targeted the perpetrators of ransomware attacks would be similar to deploying frigates to the Mediterranean. Results would be similar: individual cybercriminals may be deterred, but the problem would not go away.

Paying ransoms is a way to cure the symptom while encouraging the disease to spread. In 1715, the churches in Denmark collected money for a “slave fund” that was used to pay ransoms. The Danish government created a tax on seafarers that was used to bolster a similar fund. There have been calls (mostly from cyberinsurance companies, I suspect) for the United States to do something similar.

What about Jefferson’s approach? Should the United States deploy its military to counter Putin’s ransomware gangs? The actual result of Jefferson’s deployment was a negotiated treaty whereby the U.S. paid tribute to the Barbary States to protect U.S. merchant shipping and its citizens. The amount paid was 20% of the U.S. government’s total budget.

I am certain that Putin would agree quickly to a series of payments from the U.S. to Russia, confident that most of the money would end up in his own bank accounts around the world. I don’t think this option is on the table.

How were the Barbary Pirates finally quelled? It was not until France invaded Algeria and took over the country in 1830. The Ottoman Empire, which controlled the Barbary States until that time, eventually lost most of its hold on North Africa and the business of slavery was, thankfully, curtailed.

It is hard to miss the parallels between the Barbary States and Russia. Harboring cybercriminals is only one element of Putin’s intransigence in the face of world condemnation for interfering in U.S. elections, shooting down passenger planes, annexing territories on its borders, assassinations and pilfering its own people and resources to support a ruling class of oligarchs.

I suspect that Putin will eventually crack down on cybercrime. But I also predict this will not happen until he gains significant concessions from the West.

Richard Stiennon

Richard Stiennon is the author of Security Yearbook 2021: A History and Directory of the IT Security Industry. He has held leadership roles at PwC, Webroot Software, Fortinet, and Blancco Technology Group. He was a Research VP at Gartner. He researches and reports on 2,615 IT security vendors. His clients are vendors, investment firms, and CISOs at large enterprises.

richard-stiennon has 11 posts and counting.See all posts by richard-stiennon