“The Biden administration responded both forcefully and responsibly, and I assume the Russians know that while the [United States] is not escalatory, we are no longer going to ignore provocation,” said cybersecurity entrepreneur Dave Aitel.
After entering office in January, Biden ordered a sweeping review of the SolarWinds attack and other Russian aggressions, including election interference. The full extent of the damage wrought by the attack is unknown and officials believe there are still many unnamed victims.
“The SolarWinds Orion hacking campaign called for that kind of retaliation combining financial and political punishment,” said Jay Kaplan, co-founder and chief executive of Synack. “The response shows that the Biden administration is not going to sit back and let Russia, China, North Korea or any of our other adversaries continue carrying out damaging cyberattacks that victimize thousands of companies and cost hundreds of millions to clean up.”
Many experts suggested the sanctions were a step in the right direction after years of failing to hold Russia accountable.
“A serious situation received a proportionate response, far beyond what administrations have done in large nation-state cyber espionage cases previously,” said Scott Montgomery, chief technical officer at the Federal Resources Corporation.
Experts often criticized former president Donald Trump for undermining the findings of his own intelligence community about Russia’s election interference. In a December Network survey, a majority of our experts said Trump led the nation in the wrong direction on cybersecurity.
“The Biden administration’s response was direct and well coordinated across the interagency, which was a significant departure from the last four years when dealing with Russia,” said Chris Cummiskey, CEO of Cummiskey Strategic Solutions.
“In contrast to President Trump, who actively avoided any effort to hold Russia accountable, the Biden administration’s actions were a refreshing change and apparently the beginning of a larger plan of signaling, action and potential engagement with Moscow,” said Chris Painter, president of the Global Forum on Cyber Expertise Foundation and State cyber coordinator under ex-president Barack Obama. “It’s doubtful that anything will deter pure espionage, but it’s appropriate for the United States to demonstrate its displeasure and to reset expectations.”
Some experts cautioned that Biden’s response to Russia’s hacking campaign still leaves open questions about global cybersecurity norms.
Experts disagreed over whether Russia’s actions rose above the normal levels of cyber espionage that most nations — including the United States — engage in.
“While I believe a proportional response to cyberattacks is necessary to deter state-sponsored attacks on our critical infrastructure, we didn’t see a clear enough definition of what red line was crossed to warrant the response given,” said Katie Moussouris, the founder and CEO of Luta Security. “The United States and our partners conduct cyber espionage activities as well, and without a clear definition of what goes beyond espionage and is definitely an attack, we risk being held accountable to the same norms we deem unacceptable in this case.”
“Russia went beyond ‘conventional espionage’ in the SolarWinds attack, much the way crashing a commercial jet into the Pentagon goes beyond ‘conventional warfare,’” said John Pescatore, director of emerging security trends at the SANS Institute. “A response was required, especially since there had been no response to Russia’s meddling in the U.S. election. A diplomatic response was the appropriate starting point for establishing U.S. policy.”
Alongside the sanctions, the Biden administration outlined five vulnerabilities being exploited by Russian hackers. The administration sanctioned five Russian companies for supporting Russian hacking, offering a rare glimpse into the reach of the Kremlin’s operations.
“The administration was smart to focus not only on imposing consequences — and finding new ways to use our economic leverage — but also improving resilience against Russia’s malicious activities. Exposing the methods Russia uses forces them to develop new ones, raising their cost,” said Suzanne Spaulding, senior adviser for homeland security at the Center for Strategic and International Studies and a former top cybersecurity official at the Department of Homeland Security. “These actions raise Russia’s costs and reduce the benefits they can hope to derive from their malicious cyber activity, potentially reducing the frequency and severity of cyber incidents — which is the goal.”
The full extent of Biden’s response has yet to be seen, experts noted.
“We should be careful not to assume that we know all of the responses the Biden administration has taken in response to SolarWinds,” said Betsy Cooper, director at the Aspen Tech Policy Hub. “As with any cyber conflict, much will occur unseen.”
National security adviser Jake Sullivan told Bloomberg News in February the United States was considering “seen and unseen” responses to the attack. An executive order expected to include more than a dozen actions to improve information-sharing between the private sector and government, and shore up cybersecurity requirements for federal contractors will likely be released in the coming weeks. And the fallout of the sanctions goes beyond SolarWinds. In addition to the Treasury sanctions, the Justice Department is probing Russian technology firms more broadly to determine whether any pose a risk to U.S. information and communications technology.
“I don’t think we’re done seeing Biden’s response to SolarWinds,” said David Brumley, CEO and co-founder of ForAllSecure and a professor at Carnegie Mellon University. “SolarWinds is one of many incidents where Russia is using cyber, and Biden’s administration is looking at them holistically as part of a total national security policy.”
The 37 percent of experts who said the Biden administration has not done enough to respond to SolarWinds largely agreed it deserves some credit for its actions.
But they criticized the extent of recent sanctions.
“The Biden administration should impose tougher financial sanctions on Russia, not so much for SolarWinds, but more for harboring ransomware gangs and allowing them to operate with impunity,” said cybersecurity investor Niloofar Razi Howe. “This should not be done unilaterally, but preferably with a coalition of allies ready to take a stand against criminal activity in cyberspace.”
“Until Putin feels these activities are too costly, they’ll continue,” said Chris Finan, CEO and co-founder of Manifold Technology. “Sanctions are the only practical instrument to inflict real costs, but they’ll need to be economy-crippling in breadth to change Russian government behavior.”
“I suppose if you call that mess of an executive order (which is a travesty of prose and reflects the input of far too many lawyers) a response, I think the answer is that it’s not enough,” said Mark Weatherford, a general partner at Aspen Chartered and former deputy undersecretary for cybersecurity at the Department of Homeland Security in the Obama administration. “While I’m not an advocate of escalation, the response to an event like SolarWinds should be attention-getting and so painful that it makes future adversaries take pause to consider those actions. Chess, not checkers.”
The Network
More responses from our Network:
YES: “Barely. The measures are mostly the same kind of thing that’s been done before — sanctions. But they hit at some new targets, like Russian bonds and cyberespionage contractors. I don’t expect these new targets to cause great pain, but they can be expanded, and so they signal that the U.S. still has some ammo left. All in all, a mix of toughness and caution, with maybe too much of the latter and not enough of the former.” — Stewart Baker, former NSA general counsel
YES: “Placing too much emphasis on SolarWinds and other incidents after they happen is a trap that the Biden administration has avoided. It can achieve more by focusing on long-term cyber architecture, workforce and policy issues. They have to redesign the plane while keeping it flying, and produce acceptable worldwide norms for cybersecurity and for cyberspace in general. With the new team they have put in place, they appear to be doing just that.” — Lance Hoffman, founder and distinguished research professor at George Washington University’s Cyber Security and Privacy Research Institute
YES: “After four years of having a White House that refused to call out Russia for any issue, when clear facts from the intelligence community were provided on SolarWinds, the Biden-Harris administration took the first step and used a proportional response by issuing large-scale sanctions, expelling diplomats and assigning attribution to Russia. The inherent problem is the U.S. is digging itself out of a four-year deficit from taking appropriate actions and assigning costs to Russia for SolarWinds and a host of other unacceptable actions. Proportional response is key, but this is about much more than just SolarWinds. Clear costs need to be assigned to Russia’s actions across the board.” — Norma Krayem, vice president and chair of the cybersecurity and data privacy practice at the Van Scoyoc Associates law firm
NO: “It is a difficult balance, and I certainly appreciate the apparent thoughtfulness that went into the Biden response, but it was insufficiently punitive. The Russians made a wholesale assault on the integrity of supply chain, which followed an equally broad assault on our elections and of our social structure. We are still feeling the effects today. Unless and until Putin feels equivalent effects he will have every incentive to continue his aggressive actions.” — Paul Rosenzweig, senior fellow at the R Street Institute
NO: “The administration has done a lot — providing threat reports and technical guidance to the private sector — but not yet enough. The U.S. government’s own cybersecurity needs to be re-architected. Signature-based defenses are outmoded; we need a federal strategy for zero-trust architecture and much stronger defenses against supply-chain exploits.” — Sam Visner, MITRE tech fellow
NO: “The United States continues to lack a comprehensive cybersecurity strategy that both privileges operational security across government agencies and holds private corporations to account when their own products fail. While there will always be exploits and hacks — the sheer scale of the SolarWinds vulnerability points not just to a multitude of security failings, but also to egregiously poor operational security planning that created a single point of failure across numerous non-compartmentalized operations. Today, it is not clear that the Biden administration has fixed these core problems, ensuring that this story will repeat itself.” — Sascha Meinrath, Palmer chair in telecommunications at Penn State University and the founding director of X-Lab
The keys
Officials say Russian hackers are probably still inside U.S. government networks.
Deputy national security adviser Anne Neuberger did not deny that Russian hackers are still inside the networks, CNN’s Alex Marquardt, Zachary Cohen and Geneva Sands report. The Biden administration, meanwhile, is readying an executive order to shore up U.S. cyber defenses.
“To really shape a country’s use of cyber, you have to shape the calculus they use on the value and the cost,” deputy national security adviser Anne Neuberger said. “The SVR is a sophisticated, persistent actor. They play a role as part of Russia’s intelligence collection, as part of their malign influence mission. And we know that to shape that calculus is not going to be one action.”
Lawmakers are pushing for a $400 million boost for the Department of Homeland Security’s cybersecurity agency.
Reps. Jim Langevin (D-R.I.) and Mike Gallagher (R-Wis.), who are on the Cyberspace Solarium Commission, asked House appropriators to increase the Cybersecurity and Infrastructure Security Agency’s funding, according to excerpts of a letter shared first with The Cybersecurity 202.
The absence of the funding, the lawmakers wrote, would “delay implementation of key authorities Congress just passed to strengthen CISA and perpetuate gaps in federal network security that have been exposed by the rising threats in this new domain.”
CISA received $650 million in a coronavirus relief package that Congress passed last month. Acting CISA director Brandon Wales told Congress that the funding was a “down payment,” with CISA Executive Assistant Director of Cybersecurity Eric Goldstein describing it as an important but “incremental step,” while calling for additional funding.
The Pentagon gave a Florida company control of hundreds of millions of its computer addresses to identify vulnerabilities and cyberthreats.
Global Resource Systems LLC gained control of almost 6 percent of coveted Internet addresses in the months since Joe Biden’s inauguration, Craig Timberg and Paul Sonne report. The Pentagon’s pilot program could uncover whether hackers are trying to hijack dormant IP addresses, they write.
The project is one of the Pentagon’s “many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated,” Brett Goldstein, director of the Pentagon unit that handed over the addresses, told my colleagues.
A person familiar with the project, who agreed to speak on the condition of anonymity because the program isn’t public, said it’s critical for the Pentagon to have “visibility and transparency” into its IP addresses and other cyber resources.
“If you can’t see it, you can’t defend it,” the person said.
Securing the ballot
An Arizona election audit is set to resume after concerns of inappropriate behavior.
An Arizona judge paused the recount on Friday but it’s set to resume after the state’s Democratic Party said it would not post a $1 million bond to cover the costs of a potential delay, Rosalind S. Helderman reports. Maricopa County Superior Court Judge Christopher Coury, however, notably expressed concern about the process when he heard that an Arizona Republic reporter tweeted that she saw audit workers using blue ink pens as the process got underway Friday morning.
State law requires that only pens with red ink be used in election reviews because scanners recognize blue and black ink. Coury ordered the state Senate and Cyber Ninjas, a private cybersecurity company, to file written documentation of their procedures and ordered audit workers to comply with laws — including that they use only red ink.
Mentions
Henry Young, a former Commerce Department official, is joining BSA | The Software Alliance as a cybersecurity-focused policy director.
Chat room
The cybersecurity community is mourning the loss of Dan Kaminsky, an industry giant who co-founded White Ops.
Daybook
- New Mexico Secretary of State Maggie Toulouse Oliver speaks at an American Association for the Advancement of Science event on election security today at 3 p.m.
- Sen. Todd C. Young (R-Ind.) discusses a bill aiming to boost U.S. technological competition against China at a Washington Post Live event on Tuesday at 9:15 a.m.
- A Senate Commerce Committee panel holds a hearing on coronavirus-related scams and identity theft on Tuesday at 10 a.m.
- Sir Nick Carter, the Chief of the UK Defense Staff, speaks at a Center for Strategic and International Studies event on the United Kingdom’s integrated review on Wednesday at 11 a.m.
- Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) discusses cybersecurity legislation at a U.S. Chamber of Commerce event on Tuesday at 10 a.m.
- Secretary of Homeland Security Alejandro Mayorkas speaks at an Institute for Security and Technology event on hacks-for-ransom on Thursday at 1 p.m.