How Biden is boosting cyber defenses against Russia and China

The world watched in shock on Jan. 6 when the U.S. Capitol was physically breached. But the federal government had been breached in a different way months before – by a large-scale cyber intrusion that went unnoticed for months. 

This week, the U.S. responded, announcing economic sanctions against Russia for a hacking campaign that invaded nine federal agencies and about 100 private companies, and jeopardized the security of more than 16,000 computer systems worldwide. In the wake of the sanctions announcement, the long-term question remains: What needs to be done to curb such cyber malfeasance?

What happened?

The so-called SolarWinds hack, named for some of the private-sector software that attackers exploited, began at least a year ago, although it was publicly reported only in December after a private company alerted the federal government of the breach.

On Thursday, the United States named the Russian foreign intelligence service, the SVR, as the culprit. 

Despite having the capability to get into the networks of more than 16,000 SolarWinds customers, the alleged Russian espionage was very targeted. Files, including emails from the then-head of the Department of Homeland Security (DHS), were accessed, as well as data from the departments of Energy, Commerce, Justice, State, and Treasury and major cybersecurity and technology firms.

Suzanne Spaulding, who served in the Department of Homeland Security as undersecretary for cyber and infrastructure during the Obama administration, says the most significant concern is that the SolarWinds intrusion could be reconnaissance for disruptive attacks. 

Moreover, another large-scale cyber intrusion into U.S. computer systems has been exposed in the past six months. This one, too, was not used to destroy systems but to spy and to steal. 

In March, the Microsoft Threat Intelligence Center exposed an attack that targeted Microsoft Exchange Servers, where hackers gained access to email accounts and installed malware to obtain long-term access to computer systems across various industries.

The malware, which the Microsoft group attributed to HAFNIUM, a state-sponsored organization “operating out of China,” allowed for the siphoning of companies’ economic and security information. While no U.S. federal agencies were affected in the Microsoft intrusion, according to the congressional testimony of DHS officials, a European Union agency (the European Banking Authority) was among those breached.

The larger context: On Tuesday, an annual assessment of global threats, made public by the Office of the Director of National Intelligence, focused on cyber, technological, and military threats to the U.S. from China and Russia. 

What is being done in response? 

Collaboration between the U.S. government and the private sector brought the number of U.S. systems affected in the Microsoft Exchange compromise from 100,000 to less than 10,000, Anne Neuberger, a top White House cyber official, said at an event in early April. The Department of Justice announced this week that a court-authorized FBI action removed the illicit access capability on hundreds of U.S. computers, but warned additional malware may remain on some systems. 

The SolarWinds hack was exposed as the legislative process unfolded for what independent Sen. Angus King of Maine called “the most comprehensive piece of national cybersecurity legislation ever passed in U.S. history.” The 2021 annual defense bill, which became law on Jan. 2, included 27 cyber defense provisions, from efforts to improve email security to the creation of a new Office of the National Cyber Director within the White House. 

The provisions were largely the result of the work of the congressionally mandated Cyberspace Solarium Commission, which Senator King co-chaired with Republican Rep. Mike Gallagher of Wisconsin.  

“The national cyber director will make a significant difference going forward,” says Ms. Spaulding. She adds that the new position will help reduce interagency tensions, and the office’s additional staff will boost operational planning. 

On April 12, President Joe Biden announced his nominee for the new position, former National Security Agency Deputy Director Chris Inglis. Speaking with the Monitor that day, Ms. Spaulding, who served with Mr. Inglis on the Solarium Commission, said he will “be terrific” in the new role. Mr. Inglis, pending Senate confirmation, will lead the nascent office charged with aiding the ongoing remediation and the preventive work of deterring future attacks. 

On Thursday, a senior administration official said in a press briefing that the efforts already underway to increase multifactor authentication and other security measures across the nine affected agencies will be the “hallmark” of an upcoming executive order focused on the government’s software procurement. 

Targets of the newly announced sanctions against Russia include more than 30 entities and individuals the Biden administration says were involved in government-directed attempts to influence the 2020 U.S. presidential election and other acts of interference. Six Russian tech firms were designated in the sanctions announcement.

What are the next steps?

The SolarWinds and Microsoft Exchange intrusions came as schools, local governments, and businesses have faced cyberattacks of their own. 

“All these things are really putting a lot of pressure on [nations] to better secure their systems,” says Kristen Eichensehr, who directs the National Security Law Center at the University of Virginia School of Law. She says there is also pressure on the “international legal system to respond to this felt impulse that these things are wrong, and that they should be dealt with as illegal.”

The administration said Thursday it will be “bolstering efforts” through the George C. Marshall Center in Germany to provide training to foreign policymakers on the applicability of international law in cyberspace as well as providing a first-of-its-kind training course on publicly attributing cyber incidents. 

The U.S. “needs to speak frequently and openly with international counterparts in fora like the United Nations and groups of allies about what it thinks the international rules should be,” Ms. Eichensehr said Monday, prior to the announcement of sanctions. “The United States needs to be open, clear, transparent, and vocal about how it thinks international law [in cyberspace] should evolve.” 

Complicating it all, experts say, is that the U.S. conducts its own cyber espionage.

In announcing the sanctions against Russia, the Biden administration cited several reasons including the scale of the compromise, the cost to the private sector, and the potential risks for damage. “Citing a combination of factors is not surprising.” Ms. Eichensehr added Thursday via email, given the difficulty of drawing a single line of argument for Russian sanctions that wouldn’t open up the U.S. to similar allegations in response.

“It’s a hard line to find and not risk charges of hypocrisy based on U.S. behavior,” Ms. Eichensehr says.