Since the WannaCry ransomware attack began in Europe on Friday, it has locked thousands of computers in more than 150 countries. The perpetrators demand that victims pay a $300 ransom to restore their files. Some have called it the biggest ransomware attack in Internet history.
Much of the discussion about WannaCry now focuses on how we can prevent a similar ransomware attack from happening. But one phase of the WannaCry saga must still play out – the criminal investigation.
Steps in a Criminal Investigation of a Cyber Attack
The process of tracking the criminals behind the WannaCry attack starts with attribution. Investigators look for who did it or who profited from it, down to specific individuals, and where they are located. They work from one or more of three elements of the attack:
- Infection infrastructure (who owned and managed the servers behind the infection mechanism)
- Command and control of the botnet/infected systems, and the release mechanism for the decryption keys (who supplies the keys and how)
- Money trail (who collects the ransom payments and where the funds go)
In most cases the attackers sit in countries where the US cannot reach them directly; short of buying the host country's cooperation or going to war with it, there is no way to stop the attacks at their source.
As to which US government agency takes the lead, it comes down to who owns the infected machines. Most cyber criminals steer clear of US Department of Defense (DOD) and other federal systems because of the blowback and the potential for a kinetic response.
US agencies such as the FBI and DOJ have jurisdiction over crimes against US citizens and companies, but they cannot project power outside the US. If the criminals reside in another country, law enforcement is limited to what that country will grant through extradition requests and mutual legal assistance, and beyond that it has few options.
If the attackers hit critical national infrastructure and cause death and destruction, you enter the realm of the War Powers Resolution (commonly called the War Powers Act), post-9/11 legislation, and the core presidential authority to pursue the attackers and the country harboring them.
The US has been very clear about its priorities for military responses: the private sector is on its own unless a cyber attack causes loss of life or destroys core functional areas of society. No government agency protects the private sector by default.