The Cybersecurity 202: Biden administration launches probe into Russian technology companies that could pose a risk to U.S. security

The administration’s public unmasking of companies it says aided the Kremlin’s hacking efforts is a rare direct attack on the often murky world of private sector tools and talent standing behind Russia’s cyber operations. And more actions against Russian tech and security firms could be on the way.

In addition to the Treasury sanctions, the Justice Department announced it’s probing Russian technology firms more broadly to determine whether any pose a risk to U.S. information and communications technology. Technology determined to be a risk to the United States could be banned or otherwise limited. The investigation builds off a 2019 executive order largely focusing on scrutinizing the threat of Chinese technologies.

The administration announced its new executive order and a series of sanctions and diplomatic expulsions in response to a sweeping Russian hacking campaign that used a vulnerability in the U.S.-based company SolarWinds to infiltrate at least nine U.S. federal agencies and about 100 private companies. Yesterday was the first time the U.S. government formally attributed the hacking campaign to the Russian Foreign Intelligence Service. 

The five blacklisted firms provide a range of services to Russian government clients including research, development and technical support for malicious cyber operations, according to Treasury. One sanctioned firm, Positive Technologies, supports Russian government clients including FSB and hosts cybersecurity events used by Russian intelligence for recruiting. The company also provides hacking tools and operations to Russian intelligence, according to a U.S. intelligence report first reported by Patrick Howell O’Neil at MIT Tech Review.

“As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,” Positive Technologies said in a statement. “In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies’ research being used in violation of the principles of business transparency and the ethical exchange of information with professional information security community.”

The Kremlin has rebuked the sanctions and  Kremlin spokesman Dmitry Peskov said it “would retaliate in kind,” Ellen Nakashima reports.

Treasury previously sanctioned five Russian firms in 2018 for aiding Russian intelligence in activity including malicious cyberactivity.

“The vulnerabilities in today’s release are part of the SVR’s tool kit to target networks across the government and private sectors. We need to make SVR’s job harder by taking them away,” Rob Joyce, NSA director of cybersecurity, said in a statement.

DOJ plans to share its findings with the Commerce Department in the next two to three months so the agency can decide whether to launch a formal investigation into a range of Russian companies that can pose a vulnerability to the U.S. supply chain, Assistant Attorney General John Demers said during a press call.

The investigation is drawing on FBI and the intelligence community more broadly, Demers said. The probe isn’t just about “looking at a company that’s behaved badly and punishing it,” Demers said. Rather, it’s “looking more broadly at, if a compromise did happen, would it be bad for U.S. security,” he said. Demers did not name any firms DOJ is specifically investigating.

The examination builds on the same executive order the Trump administration used to blacklist Chinese telecommunications firms, including Huawei, for allegedly helping the Chinese government spy on users (Huawei and the Chinese government deny this). It’s not a done deal that Russian firms considered a threat will be put on such a list, however.

“The backend of this is mitigation and mitigation can be anything from prohibiting a technology to maybe something like a licensing regime,” Demers said.

The U.S. government banned the use of Russian anti-virus firm Kaspersky by federal agencies in 2017. Any action stemming from the ongoing investigation would have implications beyond federal agencies.

In a statement of solidarity with U.S. actions against Russia, the European Union and member states expressed concerns with “the increasing number of malicious cyber activities, and are in particular alarmed by the recent increase in activities affecting the security and integrity of information and communication technology (ICT) products and services, which might have systemic effects and cause significant harm to our society, security and economy.”

Some experts criticized the Trump administration for moving unilaterally against Chinese telecommunications firms and have urged the Biden administration to take a more cooperative approach.

Efforts in Congress to introduce a top cyber diplomat at the State Department could help facilitate stronger global diplomacy on cybersecurity issues. Next week the House will vote on legislation creating such a post.

Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services subcommittee on cyber, innovative technologies, and information systems and a co-sponsor of the legislation, says the legislation has strong bipartisan support.

Langevin praised the relatively short timeline in which the Biden administration attributed the SolarWinds attack to Russia and took action.

“The Biden administration is making it clear that the Trumpian era of giving Russia a pass on all of it’s bad actions it’s been taking over the years is over and we are going to hold Russia accountable when they’re out of line,” he said.

President Biden said yesterday he invited Russian President Vladimir Putin to a summit in Europe this summer to discuss cybersecurity and other security issues.

“My bottom line is this: Where it is in the interest of the United States to work with Russia, we should and we will. Where Russia seeks to violate the interests of the United States, we will respond,” Biden said in a news conference yesterday. “And we’ll always stand in defense of our country, our institutions, our people, and our allies.”

This article has been updated to include a comment from Positive Technologies.

Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, commended the sanctions in a statement, noting “we must continue the full-court press to ensure bad actors feel stiff consequences for their actions.” But other lawmakers were more blunt, with Rep. Jim Himes (D-Conn.) saying the United States needs to “change the game” and be more aggressive to deter cyberattacks.

Rep. Michael McCaul (R-Texas), the top Republican on the House Foreign Affairs Committee, called the sanctions “a necessary step” but said that he is “concerned they will ultimately fail to establish a credible deterrent.” Meanwhile, Rep. Patrick T. McHenry (N.C.), the top Republican on the House Financial Services Committee, and the top Republican on the committee’s national security panel, Rep. French Hill (Ark.), called the sanctions “significant” but criticized Russia’s continued access to International Monetary Fund reserves. 

Sen. James M. Inhofe (Okla.), the top Republican on the Senate Armed Services Committee, argued “sanctions and diplomacy alone, without a strong U.S. national defense, will not deter further aggression.” And Sen. James E. Risch (R-Idaho) called the identification of Russia as being behind the SolarWinds cyberattack a “half-step” and said a “comprehensive cyber strategy that keeps the U.S. ahead of its adversaries” is required.

Voting machine maker Dominion has criticized Cyber Ninas and three other firms as being “beyond biased,” Rosalind Helderman reports. Maricopa County’s nearly 2.1 million ballots from the November election are scheduled to be moved next week so they can be recounted and audited by order of the state’s Republican-led Senate.

The U.S. intelligence community has concluded that the 2020 election was the “most secure in American history,” and also has said that foreign governments did not try to change votes or election results.

“Dominion supports all forensic audits conducted by independent, federally-accredited Voting System Test Labs — but this is not that,” a Dominion representative said in a statement.

Cyber Ninjas is not accredited by the U.S. Election Assistance Commission to test voting systems. Its CEO, Doug Logan, who reportedly posted tweets endorsing theories that the November election was marred by fraud, said in a statement that his company is “hired by major companies and organizations to determine possible ways their systems could be infiltrated and compromised, and then help them figure out how to seal those holes.”

His spokesman declined to comment further while the audit is underway.

• Kevin Beaumont, a senior threat intelligence analyst at Microsoft’s threat intelligence division, announced on Twitter that he is leaving the company at the end of the month.
• Subject Matter registered to lobby for cybersecurity firm Fortinet effective March 22. The firm’s co-founder, Steve Elmendorf, is registered to lobby on the account along with Stacey Alexander, Whit Askew and Barry LaSala.
• Hogan Lovells registered to lobby for LookingGlass Cyber Solutions effective Jan. 4. Kolo Rathburn, a former Trump administration Commerce Department official who previously served as an aide to Sen. Roger Wicker, the top Republican on the Senate Commerce Committee and worked on the Senate Appropriations Committee, is the sole registered lobbyist on the account. He plans to lobby on Department of Homeland Security cybersecurity procurement.
• Greystone Global Strategies registered to lobby for Techmet, a mining investment firm that, according to Reuters, counts the U.S. government as its largest investor. Chris Beatty, the firm’s founder, is the sole registered lobbyist on the account and plans to lobby on “critical mineral supply chains.”

Debate over an FBI operation to remove “web shells” used by hackers continues to roil on Twitter. Experts have expressed concerns about the agency’s use of a court order to directly access Americans’ computers to go after the malicious cyberactivity. The American Civil Liberties Union’s Jennifer Granick and University of California at Berkeley law professor Orin Kerr:

Former National Security Agency general counsel Stewart Baker concluded that it’s “likely to be sustained if challenged.”

Even Edward Snowden weighed in:

• Kevin Walsh, the Government Accountability Office’s IT and cybersecurity director, and two government agencies’ chief information officers testify on IT acquisition before a House Oversight and Reform Committee panel today at 9 a.m. 
• Former Director of National Intelligence John Ratcliffe speaks at a Heritage Foundation event on April 19 at 11 a.m. 
• CISA executive assistant director for cybersecurity Eric Goldstein speaks at the Industrial Control Systems Joint Working Group’s spring virtual meeting on April 20 at 8:30 a.m.
• Rep. Michael McCaul (R-Texas); acting National Counterintelligence and Security Center director Mike Orlando; and Carl McCants, the technical director of NCSC’s supply chain and cyber directorate, speak at an Intelligence and National Security Alliance event on microelectronics supply chains on April 20 at noon.
• A House Energy and Commerce Committee panel holds a hearing on securing U.S. wireless network technology on April 21 at 10:30 a.m.
• The Senate Armed Services Committee holds two hearings on the military’s cyber workforce and technology on April 21 at 2:30 p.m.
• Former acting Defense Intelligence Agency director David Shedd and former Undersecretary of Defense for Intelligence Steve Cambone speak at a Heritage Foundation event on the intelligence community on April 23 at noon.