This should be America’s next step to stay ahead of ruthless cybercriminals

Publisher’s Note: Frank Cilluffo directs the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. He previously served as a commissioner on the U.S. Cyberspace Solarium Commission and as a special assistant to President George W. Bush for homeland security. Joshua Whitman, PhD, is the interim associate director of policy at the McCrary Institute, specializing in cybersecurity policy and communications. The views expressed in this commentary are their own. See more opinion on CNN.

The threat that cybercrime poses to countries, businesses and individuals has reached a critical point. It is time to acknowledge that cybercriminals operate freely in countries that harbour them, causing economic damage and undermining global security.

The United States International Cyberspace and Digital Policy Strategy, published by the State Department in May, introduces the concept of “digital solidarity” to collectively combat malicious cyber activities. However, this strategy ignores a crucial tool for combating cybercrime: the designation of state sponsors of cybercrime.

To close this gap and stay ahead of growing cyber threats, the United States must take the lead in identifying and designating countries where cybercriminal organizations are based.

The exponential rise of cybercrime demands an accelerated international response. Ransomware attacks alone generated record amounts of money in 2023 and are expected to cost the world more than $40 billion by 2024. Nation states, large corporations, critical infrastructure providers, schools, hospitals, and ordinary citizens have all fallen victim. The ubiquity of cybercrime has normalized what was once a niche threat reserved for high-value targets.

This normalization is a result of the proliferation of cybercrime safe havens: countries that allow cybercriminal syndicates to operate within their borders without fear of extradition or prosecution. By “looking the other way,” these countries provide cybercriminals with the stability and infrastructure to plan complex attacks and safely store illicit proceeds. Presumably emboldened by state protection, hackers based in safe havens can escalate their attacks with increasing sophistication.

Russia is the epitome of this state-tolerated safe-haven model. Despite its public condemnations of cybercrime, the Kremlin quietly supports hacker groups as long as they do not target Russian interests and are willing to do Moscow’s bidding when called upon. Symbiotic relationships have developed, with hackers sharing stolen data with Russian intelligence and the state providing safe haven and access to money laundering services.

The scale of this problem is significant. According to a recently published report from TRM Labs, Russian-language ransomware groups accounted for at least 69% of all cryptocurrency ransomware revenues in 2023, amounting to more than $500 million.

North Korea has embraced cybercrime on an institutional scale to circumvent international sanctions and finance its nuclear program. Unlike traditional scenarios in which organized crime attempts to infiltrate the state, North Korea represents a reversal of this dynamic: the state itself has infiltrated and co-opted organized cybercrime.

North Korean hacking units serve as pillars of a vast state-sponsored criminal enterprise. These groups have carried out sophisticated ransomware attacks explicitly at the direction of North Korea’s Reconnaissance General Bureau, as noted in a recent U.S. indictment of a North Korean hacker wanted by the FBI. Notably, North Korean hackers often operate from other countries, including China, to disguise their origins and take advantage of cybersecurity laxity. Pyongyang’s nuclear ambitions are aided by the cybercrime it claims to prohibit, with the state acting as the orchestrator of these illicit activities.

By allowing cybercrime safe havens to fester unchecked, the international community has condoned a continued escalation of costly and destabilizing cyberattacks. This problem extends beyond high-profile actors such as Russia and North Korea to include a number of countries in various regions that turn a blind eye to cybercriminal activity within their borders. Impunity has created an incentive for hackers to migrate to safe haven countries.

This self-reinforcing cycle not only threatens the digital security and economic prosperity of the U.S. and other compliant countries, but also the long-term viability of an open internet. Addressing these challenges requires a comprehensive approach that uses all the tools of statecraft, including economic sanctions, diplomatic measures, intelligence capabilities, law enforcement cooperation, cybercriminal disruption, and strategic communications.

Designating states as sponsors of cybercrime, similar to how the State Department designates states as sponsors of terrorism, would mark a long-overdue change in direction. The strategy is in line with legislation proposed by Senate Intelligence Committee Chairman Mark Warner of Virginia that would classify ransomware as a threat comparable to terrorism.

While Warner’s provision in the Fiscal Year 2025 Intelligence Authorization Act specifically targets ransomware, our suggestion to designate state sponsors of cybercrime would encompass a broader range of malicious cyber activities. Explicit criteria such as actively failing to cooperate with cybercriminal investigations, taking advantage of cybercriminal safe havens, or assisting hackers with training, resources, and infrastructure should trigger designation. As with state sponsor of terrorism designations, this would allow the U.S. to use coordinated sanctions, diplomatic penalties, restrictions on foreign assistance, and other accountability measures.

This approach builds on established precedents in the fight against global threats. For decades, Congress has required the State Department to produce annual reports describing patterns of global terrorism and identifying the top terrorist groups. A similar framework for cybercrime could prove equally effective.

Annual reports on state-sponsored cybercrime could identify large cybercrime syndicates and document their most significant attacks, while countries that provide safe haven could be designated as state sponsors of cybercrime. Additionally, large cybercrime syndicates could be designated as Transnational Criminal Organizations, a classification that would free up additional law enforcement and Treasury Department tools to combat these groups; for example, last month the Treasury’s Office of Foreign Assets Control designated two Russian hackers whose group, Cyber Army of Russia Reborn, claimed attacks on U.S. critical infrastructure targets, including water facilities in Texas.

This designation would provide a consistent foundation for expanded actions against cyber threats, leveraging the full range of U.S. government capabilities to address this growing threat.

Some argue that such designations could dangerously inflame tensions between cyber superpowers already engaged in hostile hacking operations. Others argue that proving explicit state sponsorship is an unnecessarily high legal hurdle. But these risks pale in comparison to the existential threat that cyber safe havens pose to the rules-based international order.

Admittedly, effective cyber designations require rigorous evidence gathering and multilateral cooperation. But U.S. intelligence has been constantly monitoring the Kremlin’s cyber reserve forces and Pyongyang’s institutionalized hacking kleptocracy, along with other countries with active state-sponsored cyberwarfare, such as China and Iran.

The United States has both the justification and the capacity to productively initiate an international cyber designation regime now, particularly because a constant stream of cyberattacks collectively poses a significant threat to our security. Just as previous counterterrorism and countercrime designations have isolated rogue states, multilateral cyber designations could force Russia, North Korea, and those seeking to provide safe haven for hackers to reconsider the effectiveness of their current models for harboring criminals.

Holding countries accountable for sponsoring cybercrime is a crucial first step on the long path to building collective cyber deterrence rooted in the rule of law. Allowing dark hacker havens to exist in the gray areas of geopolitics ensures an ever-escalating future of cyber insecurity and instability. Such accountability may not stop cybercrime overnight, but it does initiate a long-overdue process of creating international accountability.

Strategic inaction is no longer an option for the integrity of the Internet, economic prosperity, and the collective security of all countries committed to a more democratic and prosperous world.
