Cybersecurity

continued

James Andrew Lewis, the Senior Vice President and Director of the Technology and Public Policy Program at the Center for Strategic and International Studies, explains that “Russia is a haven for the most advanced cybercrime groups and no clear line delineates the criminal world from the government.”

“The Kremlin sees Russian cybercriminals as a strategic asset, and one of the most difficult problems for reducing cybercrime is that Russia, along with North Korea, will not cooperate with Western law enforcement,” he continued. “High-end cybercriminal groups in Russia have hacking capabilities that are better than most nations for both criminal and intelligence purposes.”


Unfortunately, Russia has only gotten better at hacking since Moonlight Maze, so much so that we are now engaged in an ongoing and unrelenting cyberconflict. In early 2020, as Americans were settling into COVID lockdowns and the U.S. cyber-defense agencies were intently focused on protecting the upcoming presidential election, Russian hackers known as APT29 and Cozy Bear – the pride of the Foreign Intelligence Service of the Russian Federation (SVR) – launched a massive cyber hack against the United States. Thousands of people, both inside and outside of the U.S. government, downloaded corrupted software, giving the Russians a pathway to create hidden back doors into each user’s network.

This went well beyond spying, which almost every country does to some degree. Instead, this was a global espionage supply chain attack that compromised U.S. intelligence agencies; nuclear laboratories; Fortune 500 companies; companies that monitor and protect critical domestic infrastructure; the National Institutes of Health; and the U.S. departments of State, Treasury, Commerce and Energy. The hack is believed to have reached at least 250 United States federal agencies and American corporations of all sizes, including Microsoft and Amazon.

The National Nuclear Security Administration, which oversees our nuclear stockpile, was breached, as was the Los Alamos National Laboratory, where most of our nuclear weapons are designed.

The Federal Energy Regulatory Commission (FERC) was compromised, which may not seem like a big deal until you find out that FERC is responsible for Black Start, the United States’ strategy for restoring power if we ever experience a disastrous national blackout. The Department of Homeland Security and Pentagon were also hit, which is ironic given they are the departments tasked with protecting our networks.

A large part of the 2020 Russian hack was facilitated by malware embedded in the updates of software called Orion. Orion was made by SolarWinds, a company that makes network monitoring software that at the time was used by at least 425 of the Fortune 500 companies, plus media companies and most of our governmental agencies. In the years leading to the attack, SolarWinds had been accused of having insufficient security for its products, but corporations and the U.S. government kept using them anyway.

SolarWinds is still in business – with a market capitalization of $2 billion – but was not let off the hook for the hack. In November 2022, the company agreed to settle a securities class action lawsuit with investors for $26 million for misleading them and the public about the effectiveness of its digital security products and failing to adhere to publicly stated internal security procedures.

On October 30, 2023, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds and Timothy G. Brown, its former Chief Information Security Officer, with “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities” – the first ever SEC charges brought in connection with a cybersecurity case.

Another major threat to the American public is ransomware, malware that encrypts, steals or deletes data on a computer, or locks the computer entirely. The criminal hackers then demand a ransom in exchange for decrypting the computer and/or data.

In early May 2021, Colonial Pipeline, a private company, announced it had been the victim of a ransomware attack. A Russian-speaking criminal extortion ring called DarkSide had taken control of a 5,500-mile pipeline operated by Colonial, then sent the company a ransom note that said, “Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data…you can restore everything by purchasing a special program from us” which “will restore all your network.” DarkSide also stole over 6 million pages of Colonial’s proprietary data, threatening that the information would be automatically published online if the ransom was not paid.

Colonial Pipeline provides 45 percent of the East Coast’s fuel supplies (gasoline, jet fuel and diesel), so the disruption the incident caused in the Northeast was massive. In the end, Colonial paid DarkSide a $2.3 million Bitcoin ransom which, remarkably, the U.S. Department of Justice recovered within a month.

Three weeks later, multiple meat processing plants operated by JBS – the world’s largest meat supplier – were the target of a massive cyberattack, as was Kaseya, an IT company, a few weeks after that. U.S. intelligence officials confirmed the perpetrator of both attacks to be REvil, a cybercriminal, “ransom for service” organization based in Russia that allows other criminal groups to use its software for a fee.

The Annual Threat Assessment from the U.S. Director of National Intelligence, released on February 5, 2024, warns:

People’s Republic of China (PRC) remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks. Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace.

PRC operations discovered by the U.S. private sector probably were intended to pre-position cyber-attacks against infrastructure in Guam and to enable disrupting communications between the United States and Asia.

If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.

China leads the world in applying surveillance and censorship to monitor its population and repress dissent. Beijing conducts cyber intrusions targeted to affect U.S. and non-U.S. citizens beyond its borders – including journalists, dissidents, and individuals it views as threats – to counter views it considers critical of CCP narratives, policies, and actions.

The Cyberspace Solarium Commission (CSC) – a bicameral, bipartisan commission chaired by Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI) – includes four legislators and five nationally recognized experts from outside of government. Established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019, the mission of CSC is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.”

In March 2020, CSC released 82 recommendations to reform the U.S. Government’s Structure and Organization for Cyberspace; strengthen norms and non-military tools; promote national resilience; reshape the cyber ecosystem; operationalize cybersecurity collaboration with the private sector; and preserve and employ the military instrument of national power.

In its 2024 report, CSC reported that 80 percent of its original recommendations have been fully implemented, or are nearing implementation, and an additional 12 percent are on track to be fulfilled. Great work!
