Adversaries could exploit U.S. vulnerabilities in cyberattacks intended to harm the economy
The United States is highly vulnerable to foreign cyberattacks designed to damage the economy, and needs to do far more to defend against them, according to a think tank report out this morning.
The federal government has a “blind spot” for cyber-enabled economic warfare that could “cause a catastrophic strategic surprise” and destabilize U.S. critical infrastructure, the Foundation for Defense of Democracies concluded.
“We think that the United States government needs to do a lot more to understand, prevent and mitigate these types of attacks,” Samantha Ravich, chair of the foundation’s Center on Cyber and Technology Innovation, told reporters in advance of the report’s release.
Those steps include expanding the use of sanctions, improving intelligence collection and preparing for what happens if an attack causes major economic harm, the report states.
The means of this kind of warfare — first mentioned in a government document in President Donald Trump’s 2017 cybersecurity strategy — vary from U.S. adversary to U.S. adversary, according to the report.
Moscow has proven its capabilities to use its surveillance dragnet to pick U.S. targets. It’s also proven adept at penetrating U.S. critical infrastructure.
The most prominent case of Russia’s ability to infiltrate U.S. targets is the SolarWinds hack, during which the attackers got into the IT supplier, enabling them to break into its customers, including nine federal agencies and more than 100 companies.
“Even if initially intended merely for espionage, gaining access to internal systems establishes a ‘beachhead’ that Russian actors can use to exert influence, sow disinformation, or even launch disruptive or destructive attacks against the American economy,” the report reads.
Beijing’s chief tool of cyber-enabled economic warfare (CEEW) against the United States has long been intellectual property theft, but it, too, has proven adept at penetrating U.S. networks. And it collects massive amounts of sensitive personal data on U.S. citizens.
In the political and economic spheres, China seeks control of information communications technology infrastructure and wants to become a world leader in producing it.
“To that end, Beijing combines state-directed support for national champions and barriers against foreign firms operating within its borders with illicit and hostile CEEW activities such as IP theft, cyber manipulation, and economic coercion,” the report states.
Pyongyang employs cybercrime as a way of bolstering its finances, using the money to pay for its nuclear program.
It relies on business email compromise, a kind of attack that costs the United States more than any other kind of cyber-related attack, as well as card-skimming to steal credit card information and, especially, stealing hundreds of millions from cryptocurrency exchanges.
“They are positioning themselves to be able to take advantage of cryptocurrency-led financial orders. They’re stockpiling coins to use in this system,” Annie Fixler, deputy director of the foundation’s Center on Cyber and Technology Innovation, told reporters. “And they are also becoming very proficient at moving money around the system. So they’re looking at this long-term capability to be resilient against our use of economic sanctions to constrain their nuclear program and a number of other illicit activities that they engage in.”
Tehran hasn’t yet established that it’s as skilled as the others at striking at the United States’ economy, but it doesn’t appear to be for lack of trying.
When feuding with neighbors, Iran has used tactics like wiping data or infiltrating supply chain companies.
“Iran is generally considered to be a less capable adversary from a technical perspective, but they are also less risk averse,” Fixler said. “And this is a dangerous combination” because it might not hold back, she said.
Each nation gets its own set of recommendations. But generally, besides export controls, improved intelligence, sanctions and contingency plans for the economy, the United States needs to develop tools to fight hackers in the “gray zone” that’s just short of armed conflict, the report states.
“There is no shortage of steps Congress and the administration must take to enhance U.S. resilience and to thwart and deter cyberattacks,” the report states. “However, defense alone is insufficient. Similarly, deterrence is insufficient. The United States and its allies must actively prevent their adversaries from becoming more capable cyber actors whom they cannot combat or deter.”
TikTok faces Washington’s ire amid data privacy concerns
TikTok has been a massive test for the Biden administration in regulating an incredibly popular cultural phenomenon while navigating U.S.-China relations and grappling with an internet no longer dominated by U.S. firms, Drew Harwell and Elizabeth Dwoskin report in the third part of the Rise of TikTok series.
“The fight over TikTok has become one of the biggest standoffs of the modern internet: two global superpowers deadlocked over a multibillion-dollar powerhouse that could define culture and entertainment for a generation,” they write. “Yet the battle has often played out like a farce, loaded with an almost comical level of contortions and contradictions — even as China’s power over the company has grown.”
The U.S. government and TikTok have agreed on some initial terms like oversight from U.S. government specialists and data-security rules, but the deal isn’t close to a clear outcome, two officials who spoke on the condition of anonymity because of the matter’s sensitivity said. And Oracle, the company often mentioned as monitoring TikTok, disputes reports of its involvement, saying all it is doing on TikTok’s behalf is providing servers.
DHS unveils voluntary ‘cybersecurity performance goals’
The voluntary goals aim to set a baseline of important cybersecurity practices for critical organizations and come more than a year after President Biden signed a memorandum calling for the goals, CyberScoop’s Christian Vasquez reports. CISA Director Jen Easterly told reporters that the goals would be particularly helpful for small- and medium-sized businesses with few resources. The agency is also releasing a checklist prioritizing the goals based on complexity, cost and impact, she said.
“The baseline goals are just the first step,” Vasquez writes. “CISA is planning to develop more specific goals for each sector. CISA also released the goals on the development platform GitHub for additional comment and feedback.”
How Coffee County, Ga., became early target for claims of election fraud
The rural county in southern Georgia was at the center of a multistate effort by allies of former president Donald Trump to access voting machines to try to find evidence that the 2020 election was rigged, Emma Brown and Jon Swaine report. Local, state and federal officials — as well as computer science experts and judges, including those appointed by Trump — have repeatedly rejected claims of widespread voter fraud. But the claims have “nevertheless become an article of faith — or at least a professed belief — for many Republican voters, activists and politicians,” my colleagues write.
“In two instances, courts or state lawmakers granted Trump supporters access to the machines, which are considered by the federal government to be ‘critical infrastructure’ vital to national security and are usually closely guarded,” my colleagues write. “But in at least seven other counties in four states, including Coffee, local officials acting without a court order or subpoena allegedly gave outsiders access to the machines or their data, a Washington Post examination found.”
- Rob Silvers, the undersecretary for policy at DHS, discusses cybersecurity initiatives at a Center for Strategic and International Studies event today at 11 a.m.
Thanks for reading. See you next week.