Washington DC (Brussels Morning) The Biden Administration is taking over security and defence at a critical historical juncture. The borders between “real life” and online virtual reality have never been more blurred. Lives have been migrating online, caught up in a mix of work, school, play, parliamentary debates, comedy shows, and even espionage.
Cybersecurity is no longer a threat that concerns data-leaks or even an electoral result, as in 2016. The threat is now against a way of life, literally.
The Biden Administration takes office in the wake of one of the biggest cyberattacks by a foreign power in American history. To understand the nature of the challenges ahead we speak to Dr. Khatuna Mshvidobadze, a Professorial Lecturer of Cybersecurity at George Washington University. Her work informs the activities of intelligence agencies (FBI, US Defense Intelligence Agency), as well as a number of government Departments (Homeland Security, Defense, Justice) and a range of corporates.
Ambassador Tedo Japaridze (TJ). During the pandemic, we have seen how state-backed hacking groups and independent hackers have leveraged the coronavirus pandemic to spread different types of malware. Universities, hospitals, scientific facilities and other institutions are targeted to secure data, either for financial gain or to steal research. Is this activity more frequent or is it just that we pay more attention?
Khatuna Mshvidobadze (KM). Some of the attacks are unique to this period.
Indeed, malicious cyber activity weakened the ability of hospitals and other healthcare providers to deliver critical services during the COVID19 pandemic. These were multifaceted, multidirectional misinformation campaigns combined with cyber-attacks against government agencies, pharmaceutical companies, healthcare and academic research centres.
These cyber campaigns included registration of malicious domain names containing wording related to coronavirus or COVID-19, attacks against newly deployed remote access and teleworking infrastructures, creation of fake coronavirus tracking applications, theft of valuable research information, and use of ransomware for financial gain. In one instance, perpetrators used email phishing to mimic WHO and legitimate healthcare organizations of western countries.
Theft of intellectual property has also been prevalent.
Russian state-sponsored hacking crews launched advanced persistent threat (APT) attacks trying to steal information on coronavirus research from the American, British and Canadian governments, pharmaceutical companies and research institutes. State-sponsored groups from China and Iran targeted British universities and research departments to steal information on coronavirus research.
And propaganda was not far behind. The same countries seized upon the global Covid-19 pandemic as an opportunity to spread disinformation with the help of their conventional media, anonymous outlets and trolls. The narrative was the same—blaming the origin of the virus on the USA. Chinese state-controlled media outlets even disseminated propaganda that the spread of Covid-19 may have started in Italy before it was spread to China. It was an information warfare campaign with cyber components to attack and distract western states in the information space.
TJ. We have heard about the SolarWinds cyberattack, that alleged Russia-backed hackers broke into the IT management firm SolarWinds. Thousands of companies, government agencies and individuals that used its products were severely impacted by this hack. Some even call it a Cyber Pearl Harbor. Could you elaborate on what really happened?
KM. This was a classic supply-chain attack. That is, attackers gained access to SolarWinds, a company that markets network management software called Orion, to gain access to clients downstream in the supply chain.
You have heard the idiom “hitting two birds with one stone” — well, this is like hitting thousands of birds with one stone: 18,000 companies, government agencies, military organizations and commercial companies, including Fortune 500 and high-tech companies, were infected by using Orion software.
The hackers embedded malicious code into routine updates that the clients unsuspectingly downloaded. The attack was advanced and persistent, meaning that it avoided detection for months. Consequently, the SolarWinds breach resulted in massive subsequent breaches. The apparent objective was cyber espionage, although further research may uncover more dastardly intentions.
US intelligence agencies have pointed the finger at APT29, a.k.a Cozy Bear, linked to the SVR, the Russian foreign intelligence service, and to the FSB, the Russian federal security service. This group has been active over a decade, and previously was involved during the 2016 U.S. presidential election attacks. It also targeted the Norwegian intelligence agency, PST, other Norwegian government agencies, and organisations in Germany, the Netherlands and many more.
The Russians have been mastering their supply chain attack skills for some time.
In 2016, they conducted another devastating supply chain attack. The Sandworm hacking group, a.k.a. APT28, associated with the GRU, Russian military intelligence, launched the NotPetya ransomware attack against financial institutions, government agencies and energy firms. The original infection vector was accounting software called M.E.Doc, which is used by almost every company operating in Ukraine. NotPetya affected multinational firms, including the Danish shipping giant A.P. Møller-Maersk, FedEx through its European subsidiary TNT Express, the pharmaceutical company Merck, Kyivenergo, Ukrenergo and others. The total damage from NotPetya amounted to US$10 billion.
Back to SolarWinds: just recently some new light has been shed. It now appears that Russia was not alone. Allegedly, Chinese hackers also exploited a different vulnerability in SolarWinds products, hitting the US Department of Agriculture’s National Finance Center. In short, volumes of data have been stolen. And the full impact of this attack has yet to be discovered.
TJ. Cybersecurity is on the top of the news agenda around the world. Can we expect anything new in the Biden Administration?
KM. The investigation of the SolarWinds breach will no doubt become the hallmark of the new administration. President Biden did raise SolarWinds in his January 26 telephone conversation with Russian President Putin. There are no details of their exchange, although Putin no doubt denied Russian involvement. So, it will be a question of how tough Biden will be.
Will he order a takedown of Kremlin-backed hackers that interfere in American elections, as the previous administration did in late 2018 against the Saint Petersburg Internet Research Agency? If, as seems likely, American intelligence agencies conclude that the FSB/SVR-sponsored APT29 group perpetrated the SolarWinds breach, will he send Putin a strong message via fiber-optic cable? It is impossible to predict. However, the people Biden is appointing to advise him on cybersecurity provide one early indication.
Anne Neuberger will be Deputy National Security Adviser for Cybersecurity. She brings over a decade of experience at the National Security Agency (NSA), including heading the Elections Security Group during that crucial late 2018 period. Senior Director for cyber at the National Security Council will be Michael Sulmeyer who has testified before Congress that Cyber Command must be prepared to act, if ordered.
And China is a concern greater than Russia. Expect a full-court press to rescind or relax Trump’s blacklisting of Chinese 5G giant Huawei. Allowing China, chief thief of American intellectual property, to reach into every corner of American life would endanger American security and undermine its credibility with allies. And the design of 5G does not allow half-measures.
In sum, President Biden is off to a promising start on cybersecurity, but—no surprise—how he deals with Russia and China will be the measure of his success.
TJ. How effective is our current legal and institutional toolkit in dealing with threats of this magnitude?
KM. If we are speaking of breaches like SolarWinds and other state-sponsored hacking from countries like Russia, China, Iran and North Korea then, frankly, not very effective at all.
Countries that are serious about cooperation on cybercrime have made significant progress. 2021 is the 20th anniversary of the European Convention on Cybercrime, otherwise known as the Budapest Convention. This treaty requires the 65 states parties to harmonize their cybercrime laws and cooperate with each other on border law enforcement. This has been a huge step forward, but the volume of Internet traffic and the advent of cloud computing point towards updating the Convention. A committee will soon present a proposed protocol to the Convention.