Washington has spent, depending how you count it, a few decades, a few years, or the last year defending against potential Russian cyberattacks, especially given the intensity of online conflict after the renewal of Russia’s war in Ukraine. But China recently gave Washington a stark reminder that it remains a highly capable adversary.
Beginning in mid-May, a China-based hacking group infiltrated more than two dozen organizations, including U.S. government agencies such as the State and Commerce departments, and the email accounts of U.S. officials such as Commerce Secretary Gina Raimondo. The hackers had free rein for roughly a month. North Korea, meanwhile, remains a persistent and advanced threat, stealing cryptocurrency and sensitive data to finance its nuclear and missile programs.
All of those concerns made this month’s rollout of the Biden administration’s long-awaited cybersecurity implementation plan all the more timely, coming just days after the Chinese hack was publicly acknowledged. But the plan, while full of aspirations, if not quite as ambitious as the strategy outlined in the spring, is short on the kind of details that would turn those aspirations into working defenses for the remainder of the Biden administration.
The implementation plan, published this month, lays out concrete steps to protect U.S. pipelines, electrical grids, the water supply, and other key infrastructure from being ground to a halt by devastating cyberattacks and to prevent hackers from infiltrating the emails of senior U.S. government officials, as China has done.
That includes leaning more on the private sector companies that actually build and run those systems, such as Amazon and Microsoft, as well as working with allies around the world to take down bad actors more proactively. The implementation plan sets concrete timelines to achieve each goal of the cybersecurity strategy and assigns a host of agencies–including the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security, and the FBI–with oversight and coordination of specific efforts.
However, several gaps remain that could continue to leave U.S. government and private systems vulnerable to attack. “Many of the strategy’s most difficult and revolutionary goals … have been pared down or omitted entirely,” experts at the Atlantic Council’s Cyber Statecraft Initiative wrote in a report published last week, pointing to specific provisions around data privacy, digital identity, and cloud risk that were part of the initial strategy but found scant mention in the implementation plan.
Much of that may come down to political realism, Maia Hamin and Stewart Scott, associate directors at the Cyber Statecraft Initiative and two of the report’s co-authors, said in an interview. The executive branch’s biggest swings at reforming technology regulation are unlikely to pass Congress or survive the Supreme Court, which may have prompted the Biden administration to moderate some of its targets.
“The difference in what the strategy talks about and what the implementation plan talks about says a lot about what they think is implementable in the near term,” Scott said. “There’s some more proactiveness there, but there’s a lot of the way to go on getting it done.”
Another potential wrinkle is that many of the implementation plan’s deadlines stretch into 2025–after next year’s presidential election–and it’s unclear whether a new administration would adopt the same cybersecurity priorities and plans.
One key vulnerability that the recent breach revelation exposed is the government’s increasing reliance on cloud-based services for its technology needs. Hamin says that shift is in many respects positive, unavoidable and necessary: cloud service providers such as Amazon, Google and Microsoft have the resources and technical ability to run online systems more efficiently and effectively than most agencies can on their own. But it also concentrates providers and attack surfaces in a way that can give adversaries such as China a clearer path in.
“The more you centralize high-value data and workloads in the cloud, the more it becomes a target for adversaries,” she said. “These are things that if you successfully hack or attack identity and access management, you can get the keys to the kingdom.”
China remains the most sophisticated adversary the United States faces on that front. Its priorities and modus operandi are dominated by espionage, rather than the infrastructure-targeted ransomware attacks favored by Russian cyberwarriors or the cryptocurrency thefts perpetrated by their North Korean counterparts.
“[Chinese] cyberoperations are conducted at a considerably greater scale and with a wider targeting scope compared to all other state-backed activity” that the cybersecurity firm Recorded Future tracks, said Jonathan Condra, the firm’s director of strategic and persistent threats. He said that China’s absence in attacks against U.S. infrastructure is more a question of choice than an issue of ability. “It is far more likely that these tools, the associated vulnerabilities, and the malware have been kept in reserve for use in the case of direct military confrontation.”
It’s not just government targets that Washington needs to be concerned about. Much of Chinese cyber-espionage has focused on stealing intellectual property from U.S. companies, particularly those in the critical technology space, and those efforts in particular may get a fillip from the numerous trade barriers–including on semiconductors and technology investment–that Washington is imposing on China.
“As the rift between the two countries grows and additional retaliatory punitive measures are enacted, the political and economic incentives for China to utilize cyber-espionage as a means of accessing key technologies for strategic sectors will increase,” Condra said. “China undoubtedly poses the most significant threat.”
The post Washington Tries to Add Some Teeth to Its Cyberdefenses appeared first on Foreign Policy.