John P. Carlin was the assistant attorney general for the Department of Justice’s National Security Division and served as chief of staff and senior counsel to former FBI Director Robert Mueller. He currently chairs the Aspen Institute’s Cybersecurity & Technology Program and is chair of Morrison & Foerster's global risk and crisis management group. As per policy for former employees, this article has been reviewed by the Justice Department to ensure it contains no classified information.

It’s not just Robert Mueller: In four different instances in the past four weeks, the U.S. government, often with allies throughout the world, has publicly called out Russia’s bad online behavior and made clear it is behaving as an outlaw nation.

The loudest condemnation, of course, came in the form of the special counsel’s recent indictment of the Russian Internet Research Agency and 13 individuals involved in interfering from afar with the 2016 presidential election—a highly detailed, 37-page document that reads like an espionage novel, complete with covert trips, stolen identities and faked on-the-ground recruiting in states from New York to Florida.


Mueller’s indictment, echoing the assessment of every high-level Trump administration national security official, leaves no doubt that Russia engaged in a large, lengthy and expensive effort to interfere with our democratic process, an effort that involved scores of employees who showed up at their office job each day to undermine our tradition of democratic elections.

And it’s not just Mueller who is warning us about the Kremlin’s increasingly nefarious activities. Vladimir Putin’s Russia is engaged in a low-intensity conflict not just against the United States, but against the civilized world, where commerce and prosperity are inextricably intertwined with digitally connected machines. Fearing that both democracy and free and fair economies represent an existential threat to his corrupt authoritarian regime, Putin’s Russia is increasingly responsible both for indiscriminate destructive cyberattacks and for harboring cybercriminals who harm the global online economy. It is impossible to confront threats to cybersecurity without addressing the Putin problem.

Less discussed, just days before Mueller’s indictment, the so-called Five Eyes—the intelligence alliance between the U.S., U.K., Canada, New Zealand and Australia—named Russia responsible for last year’s devastating NotPetya ransomware attack, which was responsible for hundreds of millions of dollars in damages to companies around the world.

“We saw an indiscriminate attack launched by Russia against Ukraine in the ongoing hostilities there. What they used was a cyberweapon that was launched in the dark, that hit numbers of companies, individuals, and caused damage to our economies. It stopped shipping from moving … it literally shut [companies] down,” White House cybersecurity coordinator Rob Joyce said. “And that is unacceptable.”

The NotPetya attack caused massive disruptions at companies as varied as the shipping company FedEx ($300 million in damages), drugmaker Merck ($310 million in damages), and the advertising firm WPP ($15 million in damages). It required the replacement of 45,000 computers and 4,000 servers at the cargo giant Maersk alone. “We can't blame the victims for something a nation state wantonly did in an act of aggression,” Joyce said. “Russia needs to be held responsible for this.”

Earlier, on February 7, the Justice Department unsealed charges against 36 individuals who ran and participated in a massive online crime forum—run from within the protection of Russian borders for the better part of a decade—that facilitated more than $530 million in losses by stealing and trading credit card numbers. The forum’s motto was clear about their goal: “In Fraud We Trust.” Thanks to well-meaning and like-minded international law enforcement partners, more than a dozen of those targeted were arrested, in countries that included Australia, the United Kingdom, France, Italy, Kosovo and Serbia. It’s no surprise that those indicted in Russia remain at large.

Just days before the Infraud indictment, Russian hacker Peter Levashov—one of the most notorious spammers in the internet’s history—was extradited to a Connecticut courtroom from Spain, where he was captured while on vacation after years of living safely in Russia. Russia vigorously protested his arrest and tried hard to return him to its soil rather than see him face justice in the United States.

The collective message is hard to miss: Putin’s Russia is a rogue actor, and both its government’s behavior and the freedom it provides criminals is making the world less safe. It is operating far outside the bounds of civilized countries online. It’s a problem similar to the rogue behavior we’re seeing from North Korea on nuclear issues—and we need a similar, collective global approach to punish and isolate Russia.

“Russia is ripping up the rulebook by undermining democracy, wrecking livelihoods by targeting critical infrastructure and weaponizing information,” British Defense Secretary Gavin Williamson said, in citing Russia’s role in NotPetya. “We must be primed and ready to tackle these stark and intensifying threats.”

If Russia harbored terrorists whose attack caused FedEx $300 million in damages, or if the Russian government attacked a FedEx transit hub, our retaliation would be swift and decisive. It must be the same in cyberspace. Russia’s behavior is undermining the consumer trust and posing a systemic risk to an increasingly wired world, particularly as we move more of our infrastructure and daily life online, from cars to medical devices.

InFraud is only the latest in a long series of such online crime forums, including CarderPlanet.Ru, led by the Russian hacker Roman Seleznev, who was eventually captured overseas when he left Russia and was sentenced last year to decades in U.S. federal prison.

There are many more like Seleznev to catch. To look at today’s list of Most Wanted CyberCriminals is a who’s who of Russian hackers.

Among others, there’s Evgeniy Bogachev, the creator of the GameOver Zeus botnet and architect of a vast financial fraud that stole somewhere north of $100 million from U.S. banks and businesses, and Alexsey Belan, who has been indicted in three major cybercrimes, most recently along with another criminal and two Russian FSB intelligence officers who were involved in the theft of a billion user accounts from Yahoo.

Putin enables these online bazaars and shields their leaders from criminal prosecution—or, worse, as appears to be the case with both Belan and Bogachev, signs up criminals as intelligence assets, to help enable further thefts and espionage by the government.

It’s critical the White House and U.S. government punish Russia. President Barack Obama created a mechanism to sanction states that participated in malicious cyber behavior and then used it, in December 2016, against Russia after its election operations. But more needs to be done—and the United States needs to take the lead. The most effective action is collective action. The United States needs to partner with countries around the world to impose devastating economic penalties proportional to the billions of dollars of indiscriminate criminal cyber-enabled activities and for the repeated undermining of internal democratic elections around the world. The partnership of the interconnected world should also consider collectively closing embassies and consulates.

We cannot allow Putin to ruin the internet for the rest of us. If he won’t take action to prevent imminent damage to online communities from people harbored inside his country, the world must act together. The goal and message must be simple: The bad behavior must end. If the regime is committed to acting like a rogue pariah, it should be treated accordingly.

The threat from efforts like the Internet Research Agency is hardly behind us; these attacks on our country and our democracy are ongoing. The very same week that the NotPetya condemnations and Mueller’s indictment became public, proving the depths of Putin’s Russia’s depravity, Twitter trolls and bots linked to Russia were busy promoting conspiracy theories and online discord related to the murder of children in Parkland, Florida.

Then this weekend came news that U.S. intelligence has concluded that Russia attacked the opening ceremonies of the Olympics—the very epitome of an event and moment aimed at a peaceful, collaborative global community. What could demonstrate more telling that Putin’s regime is fundamentally opposed to the rest of the civilized world than attacking the opening ceremonies of the Olympics, a celebration by 92 countries from every corner of the globe? According to private-sector reports, it appears the Olympics attack was carried out by the same GRU unit responsible for helping to spread NotPetya.

Responsible countries cannot allow this behavior online to continue without response. Failure to act encourages worse and worse behavior—and not just by Putin’s Russia: Other rogue regimes are watching and wondering where the lines are for cyber aggression.

The United States must demonstrate to Putin that it will take public and proportional action to counter Russia’s malicious behavior online. One of the lessons of America’s battle against terrorism is that we cannot allow terrorists safe havens inside ungoverned or poorly governed countries around the world; we must develop a similar doctrine to ensure the world’s safety online. Against Russia, those tools could range from further sanctions to frozen international bank accounts to cyber activity intended to target the infrastructure used by criminals and efforts like the Internet Research Agency.

It’s time to shut down Putin’s online chaos machine. The world must act—now.

