Russia’s Offer to Extradite Attackers - and a Grain of Salt

President Vladimir Putin said that Russia would be willing to hand over cyber criminals to the United States if Washington agreed to reciprocate. According to Reuters, Putin disclosed his country’s willingness to work with the United States on prosecuting cyber criminals in an interview aired by state television over the weekend.

A Conditional Offering

“If we agree to extradite criminals, then of course Russia will do that, we will do that, but only if the other side, in this case the United States, agrees to the same and will extradite the criminals in question to the Russian Federation,” Putin said, as quoted by Reuters.

“The question of cyber security is one of the most important at the moment because turning all kinds of systems off can lead to really difficult consequences.”

Reuters wrote that U.S. President Biden plans to bring up ransomware attacks generated by Russian actors in a June 16 summit between the two leaders. Biden’s reported intention aligns with a shared agenda released by the Group of Seven (G7) following its summit on June 11-13. 

In their communiqué, the United States and the six other countries pledged to tackle the growing ransomware threat.

“We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks,” they vowed. “We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”

They also wrote up specific language around working with Russia on the issue of ransomware.

“We call on Russia… to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”

A day after news of Putin’s comments broke, National Cyber Security Centre (NCSC) CEO Lindy Cameron made news when she stated that “the primary threat is not state actors but cyber criminals, and in particular the threat of ransomware.”

Speculations on the Biden-Putin Summit

Leading up to the Biden-Putin summit, I'm cautiously optimistic. You expect the traditional photo ops and the leaders shaking hands and smiling for the global cameras. But President Putin, you can no longer sit behind the iron curtain of yesteryear. The Iron Curtain might have fallen, but the cyber curtain remains, and it’s time to take it down brick by brick. 

Will this summit turn out similarly to the historic Obama-Xi meetings at Stanford University in 2015? We found out years later that Xi Jinping lied to the United States and the world about being willing to stop attacking government agencies and other contractors with their cyber arsenal. They never stopped for a second, as they continued to pilfer IP, data, and proprietary information on nuclear weapons designs, airplane engine designs, and any other patent or drawing they could steal.

Still, the good news is that Biden and Putin are having talks in general. How this plays out weeks, months, and years later is what matters. But to President Putin, welcome to the community of responsible nations. This is what you should have been doing for years, as there's no sovereignty bigger than a nation. 

How we all behave is really, really important. Responsible nations work with other nations constantly on big issues such as trade, refugees, and crime. One of the most important aspects of being responsible is enforcing laws.

Later this week, will Biden and Putin work toward the creation of a cybercriminal extradition treaty? If not, then Putin pounding his chest to the media is useless. If the two leaders do agree to something, I'll be curious to learn whom Putin plans to give up to the United States. They aren't giving up anyone working for a Russian agency, that’s for sure. 

Will they give up a contractor working in a consultant's role for the Russian government? This is very unlikely. Will they give up the privateer working indirectly with Russia because they can exist in Russia? Again, very unlikely. 

Or will they give up rogue, off-the-grid, insignificant threat actors that maybe Putin isn't even aware of on a regular basis? Every country has them. Could they be members of a new threat group? For these threat actors, mutually-agreed-upon treaties for extraditing criminals are needed. 

Only time will tell if Russian would be willing to give up people who operate in this threat category. Organizations don’t have the luxury of time when it comes to defending themselves against ransomware, however.

Sam Curry
About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.

All Posts by Sam Curry