BLUF – Operation Medusa engaged nation-state activities with a law enforcement response. There are advantages and other considerations for further operations.
Amidst applause for the FBI’s Operation Medusa disrupting the Russian FSB’s Snake malware distribution, we can tout the latest in a series of aggressive international cyber efforts. The push to reclaim the internet is long overdue; however, this operation was different and carries further considerations.
- Advantage of the FBI as the outlet for cyber offence: The criminals-versus-enemies argument starts here. The Bureau has something going for it as a response option that traditional military and espionage organisations do not, namely the ability to operate both internationally and domestically. That gives an organisation with an active response option a fuller spectrum within which to operate in cyber. Though not pre-emptive, left-of-launch operations, this is closer to offence than anything found previously.
- OpMedusa versus prior operations: Prior, recent, known Bureau-led disruptions were against criminals. Named nation-state actors have been arrested, or identified and wanted, but the disruption operations were all against criminal organs. Medusa was dressed similarly, as the Bureau needs certain conditions met to operate – but make no mistake, this wasn’t intended for a courtroom.
- Opening a new Pandora’s box: There are multiple items in this box, none unexpected. That doesn’t make them desirable, but they were foreseeable.
- Cyber offence conducted under the Bureau’s restrictions forces a different engagement model – between both domestic and international agencies – and reduces other potential options. As an example, the military has information operations to work within, seeking to adjust an adversary’s perceptions and decisions. Covert operations could be conducted in this construct, but only on the basis of a case and with court approval. If this is the route we are going, there is little room for subtlety or influence. Perhaps showing our operational hand is a good approach, but we lose denial and deception capabilities. No longer can we implant false information or plant a seed of doubt that something may have been missed. Many people can be kept occupied looking for (or at) a red herring for a long time.
- We are allowing Russia (or whomever) not only to openly take down our cyber espionage but also to openly call out our operations. Consider this fodder for disinformation with just enough truth to be believed. We just took down a long-standing operation. I’m sure they know about ours and will be outing them. As tit-for-tat resurges, the reasoning for cyber arms races grows.
- Now there is a loss of collection from a well-known distribution channel. We could see who was targeted, what was used and changes to TTPs, and assess where Russia’s priorities were. It may take a while for them to create another espionage platform, but our visibility may be limited when they do.
- Retribution may not be swift, but it’s coming.
Not saying the operation was bad. Rather, it was long overdue. But the Bureau fights crime, not wars. Engaging in cyber offence against nations invites conflict, and conflict requires options. I hope the court signed on for those as well.