Western Law Enforcement Agencies are Going on the Cyber Offensive

Earlier this month, the UK’s National Health Service was hit by a ransomware attack, delaying procedures for hundreds of patients. Meanwhile, this spring, it was revealed that healthcare data on roughly half of US citizens is being held hostage by ransomware actors, for whom 2023 was a record-breaking year in terms of revenue. These developments are broadly reflective of the trendlines for transnational cybercrime, which are dismal across the board. The same might be said of the prospects for the most vulnerable sectors, including healthcare, education, municipalities and infrastructure operators – entities that continue to subsist below the so-called cybersecurity ‘poverty line‘, lacking dedicated staff or up-to-date hardware and software.

For Western democracies, this trend has come to pose something of a dilemma: should they militarise their national responses to cybercrime, or bank on the periodic apprehension and prosecution of global cybercriminals having a deterrent effect? After all, the preponderance of cyber capability naturally rests in the military and intelligence services, whose domestic remits are tightly constrained and for whom transnational cybercrime is but one ‘mission’ that might fall below the priority threshold. Meanwhile, the periodic conviction of global cybercriminals often comes late, if at all.

Recently, however, Western law enforcement agencies (LEAs) seem to have converged on an alternative: pre-emptive disruption through offensive cyber operations of their own.

For example, the US Federal Bureau of Investigation (FBI), the UK National Crime Agency (NCA), the Australian Federal Police (AFP) and other likeminded states’ LEAs have increasingly been ‘hacking the hackers’ – seizing, re-routing or denying them access to the very technologies they use – or ‘hacking to patch’ victimised devices, removing or neutralising malware from them (often without their users’ foreknowledge). A spate of recent takedowns, including one against the notorious Lockbit ransomware gang and the ‘largest ever botnet’ takedown in history, gives reason for cautious optimism that Western governments are making some progress in reconceptualising both the problem of transnational cybercrime and potential countermeasures, expanding beyond a dichotomy of courtrooms versus interstate military conflict. While concerted cybercrime collectives are likely to reconstitute after these kinds of takedowns, the downtime is likely to spare new victims and to introduce distrust among illicit actors, and the practice builds cross-border and institutional trust among LEAs. In theory, these takedowns can be repeated and expanded upon to make reconstitution more time-intensive, more costly, and less trustworthy for cybercrime collectives.

This trend among Western LEAs for conducting takedown operations, as we detailed in a recent report, is not without controversy. Prompted in part by the borderlessness of cyberspace and the deceptive techniques used by cybercriminals to obscure their identities and whereabouts, these operations have potentially – and unforeseeably – global reach. This reach poses risks to state sovereignty and entails escalation concerns with adversaries. For instance, friendly states might be understanding if a server within their borders is inadvertently taken offline by a friendly state’s LEAs in a counter-ransomware operation. Given the widespread use of anonymising methods used to obscure IP addresses and locations, such scenarios are more likely than not. Adversarial states, however, may be less forgiving or willing to distinguish between an LEA badge and a military patch in cyberspace.

Meanwhile, civil rights and privacy advocates are wary of the prospects for abuse. The notion of LEAs rooting around in personal electronic devices, unbeknownst to their owners – even with a warrant and a mission to remove demonstrably harmful malware – is understandably controversial. Additionally, cybersecurity experts worry that the tools used by LEAs may not be subject to third-party validation, and might only fuel the market for cyber vulnerabilities.

Legal scholars note that some of these practices lack explicit legislative backing, threatening their long-term durability. For example, the FBI’s cyber offensive against botnets, ransomware actors, and Chinese state-backed hackers largely pivots on a 2016-era update to the rules of criminal procedure, which might be contested in court. The UK’s ‘Investigatory Powers Act,’ by contrast, explicitly guides and bounds LEA-led ‘equipment interference’. Meanwhile, supranational entities like Interpol and Europol have played indispensable roles in forging collaboration abroad for both technical takedowns and apprehension of cybercriminals, models which might be duplicated in other regional contexts like Africa and Southeast Asia.

These aspirations are lofty, however. Sceptics might claim that Western LEAs can do little more than engage in an interminable game of ‘whack-a-mole’ with botnets, dark-web sites, and crypto-currency. They might also assert that the financial incentives – for cybercriminals, software developers, and corporate boardrooms alike – and permissive environments like Russia make LEA technical takedowns an ultimately futile endeavour. More government-led interventions may, in the worst case, further disincentivise the private sector from taking cybersecurity more seriously – especially those entities that otherwise have an abundance of resources to do so. Barriers to fulsome collaboration with the private sector – particularly those with the technical expertise and financial resources to significantly contribute to countering cybercrime – remain, including bureaucratic red tape, liability and proprietary concerns, and the (often necessary) secrecy surrounding active criminal investigations.

These concerns are all valid and, in our view, worth exploring and addressing. Cyber conflict theorising and strategising has for years been dominated by conversations about military and espionage operations, rather than those by law enforcement. In general, however, we see the more assertive and preventive approach taken by Western LEAs as a welcome development. It is a preferable alternative to a militarised response to transnational cybercrime, and thus one which warrants more resources and policy scaffolding – both domestically and diplomatically – to enhance it.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.