How Biden is boosting cyber defenses against Russia and China

Nathan Ellgren/AP
Kevin Mandia, CEO of FireEye, gives a tour of the cybersecurity company's office space in Reston, Virginia, on March 9, 2021. The firm, which revealed the SolarWinds cyberattack affecting U.S. federal agencies, now has 550 employees working remotely to respond to a recent barrage of cyber breaches, including four different attacks against Microsoft Exchange, he said.

This week, the U.S. announced economic sanctions against Russia for a hacking campaign that breached nine federal agencies and about 100 private companies. Another large-scale cyber intrusion on U.S. computer systems, exposed in the past six months, has been attributed by Microsoft to a state-sponsored organization “operating out of China.”

Congress and the Biden administration are mounting various responses beyond the sanctions. The 2021 annual defense bill, which became law on Jan. 2, included 27 cyber defense provisions, from efforts to improve email security to the creation of a new Office of the National Cyber Director within the White House. 

Why We Wrote This

Sanctions against Russia are just part of a rising U.S. response after major breaches attributed to foreign hackers. Some experts see frameworks of international law as a next path to address global cyberattacks.

The foreign intrusions came as schools, local governments, and businesses have faced cyberattacks of their own. Meanwhile, experts note that the U.S. conducts its own state-sponsored cyber espionage.

“All these things are really putting a lot of pressure on [nations] to better secure their systems,” says Kristen Eichensehr, who directs the National Security Law Center at the University of Virginia School of Law. She says there is also pressure on the “international legal system to respond to this felt impulse that these things are wrong, and that they should be dealt with as illegal.”

The world watched in shock on Jan. 6 when the U.S. Capitol was physically breached. But the federal government had been breached in a different way months before – by a large-scale cyber intrusion that went unnoticed for months. 

This week, the U.S. responded, announcing economic sanctions against Russia for a hacking campaign that invaded nine federal agencies and about 100 private companies, and jeopardized the security of more than 16,000 computer systems worldwide. In the wake of the sanctions announcement, the long-term question remains: What needs to be done to curb such cyber malfeasance?

What happened?

The so-called SolarWinds hack, named for some of the private-sector software that attackers exploited, began at least a year ago, although it was publicly reported only in December after a private company alerted the federal government of the breach.

On Thursday, the United States named the Russian foreign intelligence service, the SVR, as the culprit. 

Despite having the capability to get into the networks of more than 16,000 SolarWinds customers, the alleged Russian espionage was very targeted. Files, including emails from the then-head of the Department of Homeland Security (DHS), were accessed, as well as data from the departments of Energy, Commerce, Justice, State, and Treasury and major cybersecurity and technology firms.

Suzanne Spaulding, who served in the Department of Homeland Security as undersecretary for cyber and infrastructure during the Obama administration, says the most significant concern is that the SolarWinds intrusion could be reconnaissance for disruptive attacks. 

Moreover, another large-scale cyber intrusion into U.S. computer systems has been exposed in the past six months. This one, too, was not used to destroy systems but to spy and to steal. 

In March, the Microsoft Threat Intelligence Center exposed an attack that targeted Microsoft Exchange Servers, where hackers gained access to email accounts and installed malware to obtain long-term access to computer systems across various industries.

The malware, which the Microsoft group attributed to HAFNIUM, a state-sponsored organization “operating out of China,” allowed for the siphoning of companies’ economic and security information. While no U.S. federal agencies were affected in the Microsoft intrusion, according to the congressional testimony of DHS officials, a European Union agency (the European Banking Authority) was among those breached.

The larger context: On Tuesday, an annual assessment of global threats, made public by the Office of the Director of National Intelligence, focused on cyber, technological, and military threats to the U.S. from China and Russia. 

What is being done in response? 

Collaboration between the U.S. government and the private sector brought the number of U.S. systems affected in the Microsoft Exchange compromise from 100,000 to less than 10,000, Anne Neuberger, a top White House cyber official, said at an event in early April. The Department of Justice announced this week that a court-authorized FBI action removed the illicit access capability on hundreds of U.S. computers, but warned additional malware may remain on some systems. 

The SolarWinds hack was exposed as the legislative process unfolded for what independent Sen. Angus King of Maine called “the most comprehensive piece of national cybersecurity legislation ever passed in U.S. history.” The 2021 annual defense bill, which became law on Jan. 2, included 27 cyber defense provisions, from efforts to improve email security to the creation of a new Office of the National Cyber Director within the White House. 

The provisions were largely the result of the work of the congressionally mandated Cyberspace Solarium Commission, which Senator King co-chaired with Republican Rep. Mike Gallagher of Wisconsin.  

“The national cyber director will make a significant difference going forward,” says Ms. Spaulding. She adds that the new position will help reduce interagency tensions, and the office’s additional staff will boost operational planning. 

On April 12, President Joe Biden announced his nominee for the new position, former National Security Agency Deputy Director Chris Inglis. Speaking with the Monitor that day, Ms. Spaulding, who served with Mr. Inglis on the Solarium Commission, said he will “be terrific” in the new role. Mr. Inglis, pending Senate confirmation, will lead the nascent office charged with aiding the ongoing remediation and the preventive work of deterring future attacks. 

On Thursday, a senior administration official said in a press briefing that the efforts already underway to increase multifactor authentication and other security measures across the nine affected agencies will be the “hallmark” of an upcoming executive order focused on the government’s software procurement. 

Targets of the newly announced sanctions against Russia include more than 30 entities and individuals the Biden administration says were involved in government-directed attempts to influence the 2020 U.S. presidential election and other acts of interference. Six Russian tech firms were designated in the sanctions announcement.

What are the next steps?

The SolarWinds and Microsoft Exchange intrusions came as schools, local governments, and businesses have faced cyberattacks of their own. 

The administration said Thursday it will be “bolstering efforts” through the George C. Marshall Center in Germany to provide training to foreign policymakers on the applicability of international law in cyberspace as well as providing a first-of-its-kind training course on publicly attributing cyber incidents. 

The U.S. “needs to speak frequently and openly with international counterparts in fora like the United Nations and groups of allies about what it thinks the international rules should be,” Ms. Eichensehr said Monday, prior to the announcement of sanctions. “The United States needs to be open, clear, transparent, and vocal about how it thinks international law [in cyberspace] should evolve.” 

Complicating it all, experts say, is that the U.S. conducts its own cyber espionage.

In announcing the sanctions against Russia, the Biden administration cited several reasons, including the scale of the compromise, the cost to the private sector, and the potential risks for damage. “Citing a combination of factors is not surprising,” Ms. Eichensehr added Thursday via email, given the difficulty of drawing a single line of argument for Russian sanctions that wouldn’t open up the U.S. to similar allegations in response.

“It’s a hard line to find and not risk charges of hypocrisy based on U.S. behavior,” Ms. Eichensehr says.
