Pages

4 March 2023

The Cyberwar Is Here

JIM GERAGHTY

On the menu today: For the second time in a few weeks, a federal law-enforcement agency suffered a serious cyberattack, and the U.S. Department of Health and Human Services warned that Russia-linked ransomware group Clop had reportedly taken responsibility for a mass attack on more than 130 organizations, including some in the health-care industry. Ransomware attacks are now as common as rainstorms, even though you only hear about them intermittently. Often, but not always, the trail leads back to Russia, China, North Korea, or Iran — another demonstration of how those faraway foreign-policy problems aren’t always quite so far away.

The Rising Concern of Cyberattacks

It’s a busy news cycle, but did you know that two federal law-enforcement agencies suffered serious cyberattacks this month?

CNN reported earlier this month that the FBI’s New York Field Office was investigating and working to contain a malicious cyber incident on part of its computer network in recent days, allegedly involving a computer system used in investigations of images of child sexual exploitation.

Then, NBC News reported late yesterday that the U.S. Marshals Service suffered a security breach over a week ago that compromised sensitive information:

In a statement Monday, U.S. Marshals Service spokesperson Drew Wade acknowledged the breach, telling NBC News: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

Wade said the incident occurred Feb. 17, when the Marshals Service “discovered a ransomware and data exfiltration event affecting a stand-alone USMS system.”

So far, there is no indication that the two attacks are connected.

Ransomware, the cyber-hostage-taking that often strong-arms institutions into making hefty ransom payments to regain access to their computer systems, is now just a fact of life for large institutions in the U.S. and around the world. During the Colonial Pipeline hack and extortion in 2021, I wrote that, “Ransomware attacks are like the latest TikTok dance: rapidly growing in popularity and not easily understood by anyone over the age of 30.”

Last week, the U.S. Department of Health and Human Services warned that Russia-linked ransomware group Clop had reportedly taken responsibility for a mass attack on more than 130 organizations, including some in the health-care industry. The Lehigh Valley Health Network says its system has experienced a ransomware attack launched by a gang with ties to Russia, this one known as BlackCat. The Russia-based Killnet hacking collective claimed responsibility for recent DDoS attacks against NATO that disrupted a number of its operations, including a relief program assisting those impacted by the Turkish–Syrian earthquake.

In summer 2022, a team of Russian hackers known as Cold River targeted Argonne, Brookhaven, and Lawrence Livermore National Laboratories.

You probably noticed the common country of origin in the above list of cyberattacks. You probably also recall that in June 2021, President Biden met with Russian president Vladimir Putin and gave him a list of critical-infrastructure targets that must not be attacked; those 16 critical-infrastructure sectors included public health, emergency services, and energy:

I gave them a list, if I’m not mistaken — I don’t have it in front of me — 16 specific entities; 16 defined as critical infrastructure under U.S. policy, from the energy sector to our water systems. Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.

And now everyone can see how seriously Putin took Biden’s demand. When the U.S. can’t deter Putin from invading Ukraine, it isn’t likely to be able to deter him from allowing allied or even state-directed and state-sponsored hackers from wreaking havoc on Russia’s enemies. (Whether or not we want to be considered Russia’s enemy, it is clear that Putin sees the U.S. as Russia’s enemy.)

About a month after Biden gave his list of warnings/targets to Putin, Jack Goldsmith of Lawfare fumed that the U.S. had been talking tough for at least five years about Russian hacking and cyberwarfare operations, with very little to show for it:

Amazingly, the United States is in exactly the place it was five years ago when the Russians interfered in the 2016 election. It still has not figured out how to impose costs on the Russians that outweigh the Russians’ perceived benefits from these cyber operations. Whatever combination of public and secret sanctions it has been imposing clearly is not doing the trick. The repeated warnings over a period that has been marked by damaging cyber operations only emphasize that reality.

Ransomware attacks have also hit Oregon City computer systems, the City of Oakland, and Nantucket Public Schools — and that’s just in the past few weeks.

A few months after the Colonial Pipeline ransom attack, John Sakellariadis, a Fulbright scholar researching ransomware and critical-infrastructure protection, wrote here at NR that:

Ransomware is driving the economics of cybercrime in a dangerous direction — and absent sustained policy attention, it will remain a problem for years to come. . . .

Most organizations present a viable target for cybercrime. The only requirement beyond a decent budget and a vulnerable IT network is that an organization rely on digital data, which most do. That is one reason why cybercrime has reached once unfamiliar victims, such as hospitals and school systems. . . .

Ransomware has introduced a high-volume, low-risk threat into a policy environment dominated by low-volume, high-risk thinking.”

Sakellariadis wanted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to require entities to plan or rehearse service delivery in the event of ransomware deployment or other forms of data loss. If the reason companies and institutions pay the ransom is that they can’t operate without their computer systems, one potential answer is to find ways to become less dependent upon those systems, at least for a little while and in ways to preserve the most critical functions of the instruction.

Another of Sakellariadis’s recommendations was that, “The government should enhance international cooperation on cybercrime, provide capacity-building support to law-enforcement agencies in foreign countries, and leverage these relationships to apply steady pressure on local cybercrime actors.”

No doubt the Biden administration wants to do that, but “international cooperation” is hard to get in some corners of the world. Where are some of the world’s most shameless and ruthless hackers operating? Russia, China, North Korea, and Iran. Which countries does the U.S. have the least amount of leverage over? Russia, China, North Korea, and Iran.

Then again, the Biden administration has also sent its own mixed messages. Last year, FBI director Christopher Wray revealed that Iran plotted a cyberattack against the Boston Children’s Hospital as the Biden administration negotiated a return to the nuclear agreement with Tehran. Wray characterized it as “one of the most despicable cyberattacks” he’s ever seen. If you try to mess with a children’s hospital, we should be thinking up new and innovative ways to make your life miserable, not begging you to return to the negotiating table about your nuclear program.

And it’s fair to wonder why any of these regimes would act against hackers operating on their own soil, in the absence of major U.S. concessions in other realms or a serious threat of U.S. retaliation. In NR’s August 2021 issue, former national-security adviser John Bolton laid out the argument that cyberwarfare is just too advantageous, and minimally risky, for our adversaries to ever give it up as an option:

From the perspectives of Moscow and Beijing, this is precisely the kind of reality that plays to their strengths and against ours. They are patient, we are not. . . .

These and other cyberwarfare characteristics also demonstrate why calls for cyber “arms control” measures are even more futile and more dangerous than in other fields of weaponry. Our existing adversaries are just as likely to breach cyber commitments as they have been in previous arms-control agreements. Provisions for discovering or penalizing cyber breaches would alone require impossibly complex multilateral diplomacy.

It is hard to say that U.S. policies have had any serious deterrent effect against Russian hackers — or hackers from China or any other hostile state. No doubt we’ve shut some down, but it feels like whack-a-mole — take one down, but sooner or later, another one takes his place.

Over on the home page, the NR editors warn that the burgeoning Russia–China alliance means it’s time for a new, hard-headed, clear-eyed, tough-as-nails approach to U.S. foreign policy:

The only positive to come from a more lethal Sino-Russian alignment (which, of course, would complement the arrangements that Russia already has with Iran and North Korea) would be if it put an end once and for all to the pretense that we can be partners with China in some areas (climate, say) and rivals in others. We cannot. And behaving as if we can is more dangerous than a straightforward recognition of a new Cold War. Accepting that reality may be unpleasant, but it is a starting point for navigating our way through it realistically, prudently, and without beguiling illusion.

It’s a shame that the term “Axis of Evil” is taken and, in the eyes of those who still call former president George W. Bush “ChimpyMcHitlerHalliburton,” discredited. While Russia, China, North Korea, and Iran haven’t established a formal alliance, they’re growing more buddy-buddy as their interests align against the U.S. and the West and the established international order. Call them what you prefer — an axis of autocracies? An axis of hostile states? The Legion of Doom? — but for the next decade or so, we’re going to be dealing with Moscow and Beijing seeking to check our influence and harm our interests, with Tehran and Pyongyang in the role of supporting henchmen. And it’s likely that cyberwarfare will continue to be one of their favorite tools.

Way back in 2009, I wrote:

Cyberwarfare is, generally speaking, more controllable than a biological weapon, doesn’t run afoul of as many established treaties as a chemical weapon, is nowhere near as expensive and visible as a nuclear weapon, and is much harder to attribute than conventional terrorism. It is another asymmetrical tool that allows weaker countries and groups to play on the same field as the big boys.

One other update in the world of cyberwarfare: Almost nine months have passed since the explosion at a liquefied-natural-gas plant and export terminal on Quintana Island, near Houston, and there’s been no additional indication that Russian hackers or any other deliberate human action was the cause, as sources suggested to the Washington Examiner’s Tom Rogan at the time. The causes are much more mundane: “Subsequent investigations revealed a host of problems with Freeport LNG — which super-cools fracked gas and loads it onto seafaring tankers — from overworked staff to overlooked engineering reports, which contributed to circumstances that led highly-combustible methane to leak from a pipe and catch fire last June.”

No comments:

Post a Comment