The Washington Post

The Cybersecurity 202: Congress looks towards new data breach laws as Russian hack scope remains unknown

Analysis by
Technology and cybersecurity policy researcher
February 24, 2021 at 8:06 a.m. EST

with Aaron Schaffer

Companies responding to a massive Russian hack urged Congress to update laws dictating how the private sector shares information about cybersecurity breaches with the government. 

“It is time not only to talk about, but to find a way to take action, to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” Microsoft president Brad Smith told members of the Senate Intelligence Committee. “I think it's the only way we're going to protect the country and I think it's the only way we're going to protect the world.”

More government and private-sector victims of the months-long SolarWinds hacking campaign, discovered in December, are still coming to light. The full scope of the Russian hack remains unknown because private companies have no legal obligation to come forward with the information.

As the White House readies sanctions against Russia for the attack and other malign cyber activity, as Ellen Nakashima reported, committee members from both parties expressed interest in strengthening reporting requirements. Past efforts to impose such requirements have failed because of aggressive industry lobbying and Republican wariness over regulation.

Here are our top takeaways from the hearing:

Companies want an easier way to report incidents to the government.

“There's got to be a way for folks who are responding to breaches to share data quickly to protect the nation, protect industries,” said FireEye CEO Kevin Mandia. He said notification requirements should fall on “first responders, or anyone responsible for figuring out the cause of unauthorized or unlawful access to their or another company's network.”

Congress passed the Cybersecurity Information Sharing Act in 2015 to make it easier for companies to share threat information. But witnesses said the law would need to allow industry to share more intelligence without fear of being punished for reporting.

“Notification needs to be confidential or you don't give organizations the capability to prepare for those liabilities,” Mandia said. “You get speed from that if it's confidential because you can have threat data today. [Now] we're getting the intel three months to five months too late.”

Congress wants answers from Amazon and could be looking at other software companies.

Intelligence Committee chair Mark Warner (D-Va.), vice chair Marco Rubio (R-Fla.) and other members criticized the tech giant for not sending a representative of Amazon Web Services to the hearing. 

“Apparently they were too busy to discuss that with us here today and I hope they'll reconsider that in the future,” said Rubio, who noted that hackers used Amazon's infrastructure for some of the campaign. Amazon did not provide a statement by press time. (Amazon founder Jeff Bezos owns The Washington Post.)

If Amazon does not voluntarily cooperate, a subpoena could be on the table. “I think they have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” said Sen. Susan Collins (R-Maine). “If they don’t, I think we should look at next steps.”

Amazon is likely far from the only software provider embroiled in the massive Russian hacking campaign, which infiltrated at least nine federal agencies and 100 companies. Warner said the committee would ensure the participation of other IT and software service providers in its investigation.

Executives at the hearing said that their own investigations also strongly pointed to Russia.

“We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” said Smith.

Witnesses at yesterday's hearing did not fully rule out motives beyond espionage for the hackers. Although the operation was initially framed as espionage, the White House has started to suggest that a widened scope of indiscriminate and disruptive hacking could merit sanctions, Ellen reports.

"That would allow officials to claim that the Russian hacking was not equivalent to the kind of espionage the United States also conducts and to sanction those responsible for the operation," Ellen reports.

Smith concurred with the assessment. 

“This was an act of recklessness, in my opinion,” he said, because it infected thousands of systems that the Russians had no interest in to give them access to only a few. “It was done in a very indiscriminate way.”

Chat room

Ellen’s report prompted Rob Knake, a former cybersecurity policy director at the National Security Council, to discuss cyber norms:

Security engineer Chris Rohlf:

The keys

Biden will order a review of weak spots in the U.S. supply chain, amid a chip shortage

“Biden on Wednesday will formally order a 100-day government review of potential vulnerabilities in U.S. supply chains for critical items, including computer chips, medical gear, electric-vehicle batteries and specialized minerals," David Lynch reports. “The directive comes as U.S. automakers are grappling with a severe shortage of semiconductors, essential ingredients in the high-tech entertainment and navigation systems that fill modern passenger vehicles.” 

Biden will also meet with lawmakers about the chip shortage, which is sparking economic and security concerns. The meeting follows an announcement by Senate Majority Leader Charles E. Schumer (D-N.Y.) that an upcoming bill will appropriate previously authorized funds for domestic semiconductor manufacturing alongside tech priorities such as artificial intelligence and quantum computing, Jeanne Whalen and Jeff Stein report.

China is expected to lead the world in semiconductor manufacturing by 2030, and the United States imports 80 percent of its rare-earth metals from the country. Semiconductor industry members say funding is critical to the economy and national security, and a U.S. government funding push could help give the United States an edge in the emerging technology industry.

Members of Congress say they have reintroduced a bill to create a State Department cyber office.

The bill is backed by a bipartisan group of members of Congress including House Foreign Affairs Committee Chairman Gregory W. Meeks (D-N.Y.) and the committee’s top Republican, Rep. Michael McCaul (R-Tex.). The Cyber Diplomacy Act of 2021 would create an international cyberspace policy bureau to oversee the economic and security dimensions of cyber policy within the department. The committee plans to hold a markup of the bill on Thursday.

The move comes less than a month after a government watchdog released a report outlining significant concerns with a cybersecurity bureau set up by the State Department in the final days that President Donald Trump was in office. Trump’s secretary of state, Mike Pompeo, created the bureau despite congressional pushback. Pompeo also blocked an earlier attempt by Congress to pass the cyber diplomacy legislation, refusing to work with lawmakers on it.

Google’s former CEO Eric Schmidt warned Congress of the technological threat China poses — and war's cyber future.

“The sources of battlefield advantage will shift from traditional factors like force size and levels of armaments, to factors like superior data collection and assimilation, connectivity, computing power, algorithms, and system security,” Schmidt warned in written testimony.

The former Google CEO, who noted that China has been “testing and training AI algorithms in military games designed around real-world scenarios,” is the chair of the National Security Commission on Artificial Intelligence, which is preparing to release its final report next week.

“Because of the diffusion of the technology, you have to expect that anything that’s invented in the open source AI world will immediately be adopted by China,” Schmidt said. “So the threat is very, very real.”

Ransomware watch

Cybersecurity firms highlight growing ransomware concerns in their annual threat reports.

New reports from cybersecurity firms IBM Security X-Force, Dragos and BlackBerry show that hackers got smarter in 2020 while organizations struggled to catch up.

Hackers are following businesses as they move to the cloud.

“Adversaries are essentially looking at this shift into cloud and how they can best capitalize on that,” says Chris Sperry, who leads the threat hunt and discovery team at IBM Security X-Force.

That includes a 40 percent increase in Linux-based malware that can more easily run in cloud environments, X-Force found.

Critical infrastructure also became more vulnerable to ransomware.

Dragos researchers also noticed an uptick in ransomware that can detect whether it is running in an industrial environment and act accordingly.

“Ransomware uses a lot of stolen identities to shut things down to elevate privilege and all this stuff. In industrial control systems it's an architecture with a lot of systems where we have shared credentials,” said Sergio Caltagirone, vice president of threat intelligence for Dragos.

Dragos found that abuse of valid credentials was the number one technique hackers used against industrial control systems. Dragos also reported a threefold increase in threats against industrial systems in 2020.

X-Force found that ransomware made up 33 percent of attacks on operational technology in industries such as manufacturing and energy. Its researchers also noted a 49 percent year-over-year increase in ICS vulnerabilities in 2020.

More hackers are threatening to leak data if ransomware victims don't pay up.

Attackers have moved from merely threatening catastrophic data loss to threatening to publish exfiltrated data and damage the victim’s brand, BlackBerry researchers say. Threatening to publish stolen data increases the likelihood that the victim pays the ransom.

X-Force data shows that 59 percent of the ransomware attacks it responded to used the strategy.

“I think the most alarming trend that we've seen in 2020,” says Sperry.

Cybersecurity firm Lookout, meanwhile, says attackers are increasingly targeting government employees with phishing that tricks them into giving up login credentials.

More ransomware news:

Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet (The Register)

Industry report

Former CrowdStrike CTO launches an organization to fund cyber and other policy solutions.

The Silverado Policy Accelerator, which was co-founded by Dmitri Alperovitch and Maureen Hinman, will “advance actionable policy solutions to pressing challenges” in cybersecurity, trade and industrial security, and at the intersection of ecological and economic security, the group said in a blog post. 

Alperovitch says that many policy proposals fall short of providing the specifics required to become policy initiatives. Silverado wants to fill that gap, using a venture-capital approach to get the best policy proposals developed and in front of lawmakers and other government officials.

The nonprofit organization's strategic council will be co-chaired by former CIA director David Petraeus and former Australian prime minister Malcolm Turnbull; the council will be made up of a bipartisan swath of experts from former president Donald Trump’s homeland security adviser, Thomas Bossert, to Richard Danzig, former president Bill Clinton’s Navy secretary.

Daybook

  • The Senate Intelligence Committee holds a hearing on President Biden’s nomination of William J. Burns, a former U.S. ambassador to Russia and top State Department official, to lead the CIA today at 10 a.m.
  • Defense Counterintelligence and Security Agency director Bill Lietzau speaks at an event hosted by the Intelligence and National Security Alliance today at 4:30 p.m.
  • The House Foreign Affairs Committee marks up legislation including the Cyber Diplomacy Act, which would set up a State Department bureau to oversee the economic and security aspects of cybersecurity policy, on Thursday at 10 a.m.
  • The House Oversight and Homeland Security Committees hold a joint hearing on the cyberattack on SolarWinds and other companies on Friday at 9 a.m.
  • Former Secretary of Defense and CIA director Robert Gates speaks at a Washington Post Live event on Friday at 2 p.m.
  • The Center for Strategic and International Studies holds the second event in its series on the cyberattack on SolarWinds and other software on Friday at noon. 
  • House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution on March 5 at 11 a.m.
  • Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work on March 5 at noon.

Secure log off