Bills against election meddling. Espionage, staging, sabotage, and war. SolarWinds and Exchange Server compromise updates.

Summary

By the CyberWire staff

At a glance.

Legislating against foreign election interference.
Espionage, staging, sabotage, and war.
Policy implications of the SolarWinds and Exchange Server compromises.

Legislating against foreign election interference.

The Hill summarizes the cybersecurity implications of the US House’s For the People Act. Should the Senate pass the bill, the following measures would come into effect:

States would implement voter-verified ballots, harden voter rolls, and check systems in advance of elections.
Funds would be set aside for audits and equipment updates.
A Senior Cyber Policy Advisor would be installed in the Election Assistance Commission.
The Director of National Intelligence would brief states and Congress on current cyber threats each election cycle.
Foreign-funded political social media posts would be flagged.
The President would craft a plan to protect institutions vital to democracy.

Comparable provisions previously stalled in the Senate.

Espionage, staging, sabotage, and war.

Brookings argues against calling Solorigate cyberwarfare, properly understood as “the use of computers to conduct an operation that is intended to have a kinetic effect” like damaging critical infrastructure. Accordingly, the article also advises against involving the military in any response, and cautions that boosting domestic surveillance would repeat the mistakes of the 1950 Internal Security Act, “which did little to prevent espionage and a great deal to enable domestic oppression.” Critics of the Act claim its data collection requirements depressed national security.

In contrast, Deccan Herald reviews what may have been, according to a Recorded Future report, something closer to an act of war. Chinese malware is implicated in last year’s Mumbai grid failure, an event that presented minimal occasion for espionage but tipped authorities off to possible staging efforts.

Ramifications of the SolarWinds and Exchange Server compromises.

SC Media reports that up to 100 thousand Microsoft Exchange Servers may have been compromised (some multiple times), while the Washington Post puts the current upper estimate at 250 thousand. Multiple groups—Chinese and Russian-language—are now apparently engaging in what one expert called a “free-for-all.” For the moment Federal agencies appear to be safe (though CNN warns defense contractors may not be), but smaller businesses along with local and state departments could be navigating the fallout for some time. Some worry the hack could lay the groundwork for a colossal ransomware campaign. The Biden Administration is urging patching and considering enlisting the Unified Coordination Group.

Wired observes that both the SolarWinds and Microsoft Exchange hacks are ongoing, and Microsoft’s patches could soon be reverse-engineered. The article tempers Cybersecurity and Infrastructure Security Agency Acting Director Wales’ comments that Solorigate could take the Government a year and a half to remedy with the reminder that cyberespionage is always with us.

A C4ISRNET opinion piece holds that international alliances, as opposed to a “splinternet” of segregated national networks with diverse regulations, pave the best path forward. Just a handful of countries have adequate cyber defense capabilities, but a norm-building, resource-sharing coalition could make the Internet a safer place.

OODA Loop maintains that the same cybersecurity recommendations have been circulating since the 1970 Ware Report and 1997 Commission on Critical Infrastructure Protection (e.g. info-sharing and public-private partnership), with a couple additions in the 2010 National Security Strategy (capacity and norms building). (Worth noting is the fact that OODA lumps all legal and policy proposals into the same category.) Meanwhile the US burns through ‘cyber czars’ like matches, expensive upgrades have questionable effect, and a modernized workforce is stymied by slow-moving institutions. The private sector is not incentivized to prioritize cybersecurity, and state and local organizations stumble along with limited resources.

OODA Loop considers three possible explanations: the advice is bad, it’s been delivered to the wrong audience, or it’s been poorly implemented. The article suggests the following remedies: build a cybersecurity research repository, make goals measurable, mandate and reward compliance, offer some liability protections while holding operators accountable, mind the margins of norms and diplomacy, and weed out other ineffective recommendations. In short, better policies.

Selected Reading

Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks (Security Affairs) Russia-linked APT groups leveraged the Lithuanian nation’s technology infrastructure to launch cyber-attacks against targets worldwide. The annual national security threat assessment report released by Lithuania’s State Security Department states that Russia-linked APT groups conducted cyber-attacks against top Lithuanian officials and decision-makers last in 2020. APT29 state-sponsored hackers also exploited Lithuania’s information technology infrastructure to carry […]

Global Hack Breaches Thousands of Microsoft Business Accounts (Bloomberg) Number of victims of Chinese attack continues to grow rapidly. White House warns companies to take threat “very seriously.”

Chinese foreign minister takes firm tone, calls for 'non-interference' between China and the U.S. (CNBC) Chinese Foreign Minister Wang Yi said at a high-level press conference that the U.S. needs to stop interfering in what Beijing considers its domestic affairs.

Cyber threat looms large over German election (Deutsche Welle) Whether hacking attacks or disinformation campaigns, online meddling could sway public opinion and influence the outcome of the September vote, experts warn. Recent incidents suggest that the threat is real.

Huawei Gets a Respite in India from Bharti Airtel, Details (TelecomTalk) Huawei has just bagged a new contract from Bharti Airtel and it comes as a respite for the Chinese gear maker

US urges IT network firms to secure controls after cyberattack (Al Jazeera) White House official says threat to computer networks remains ‘active’ despite Microsoft software patch.

Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China (New York Times) The proliferation of cyberattacks by rivals is presenting a challenge to the Biden administration as it seeks to deter intrusions on government and corporate systems.

The Cybersecurity 202: Biden faces fresh challenges from a massive hack of Microsoft email servers (Washington Post) A hacking campaign with Chinese ties and a growing victim count poses a fresh wave of cybersecurity challenges for the Biden administration.

Biden administration expected to form task force to deal with Microsoft hack linked to China (CNN) The Biden administration is expected to put together a task force to deal with major cyber intrusions that Microsoft said this week were linked to China, according to a US official.

Biden administration moving to address a global compromise by Chinese and other hackers of Microsoft email servers (Washington Post) The Biden administration is moving to address a global compromise by Chinese government-sponsored hackers of Microsoft email servers affecting at least 30,000 public and private entities in the United States alone, according to U.S. officials and people familiar with the matter.

Government briefed on rising Microsoft Exchange breach figures (SC Media) New details confirm earlier reports from SC Media that investigators were finding substantially more instances of breached Exchange servers.

Beijing dismisses alleged Chinese hacking of Indian vaccine makers (Reuters) China on Tuesday rejected an allegation by a cyber intelligence firm that a state-backed hacking group targeted the IT systems of two Indian coronavirus vaccine makers.

China’s Cyber-espionage Capabilities Are Growing, India Needs To Invest More In Fighting Back (Moneycontrol) Even though New Delhi has sought to expand both it's defensive and offensive capabilities over the years, though, progress has been patchy.

China’s intimidation of India via cyberspace (DT Next) As border skirmishing increased last year, malware began to flow into the Indian electric grid. It now looks like a Chinese warning

Did China just wake us up to cyberwar? (Deccan Herald) On February 28, Recorded Future, a Massachusetts-based company that studies how state actors use the internet, put out a report that the massive power outage in Mumbai on October 12 may have been the handiwork of a Chinese cyberwarfare campaign against India, meant to signal to New Delhi what China could do at a time when the Indian army was locked in a border standoff with the Chinese army.

About time India seriously considers dedicated cyber command: Rahul Gandhi (The Economic Times) In another tweet earlier, Gandhi demanded that farmers should be given Minimum Support Price for their produce.

When Does a Cyber Attack Become an ‘Act of War’? (TheQuint) As Chinese malware targets Indian power system, we question whether cyber attacks amount to an ‘act of war’

The danger in calling the SolarWinds breach an ‘act of war’ (Brookings) Describing the SolarWinds breach as an “act of war” risks leading U.S. policymakers toward the wrong response.

From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice (OODA Loop) While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet.

A ‘splinternet’ won’t solve global cyber defense problems (C4ISRNET) Countries will need to rely on each other more often for cyber defense and deterrence. Here's how one expert envisions that cooperation.

It’s Time for a Cybersecurity Quid Pro Quo (Nextgov) Require companies to disclose breaches to the government in exchange for legal liability limitations.

The fight against cyber threats requires a public-private partnership. Here’s how to get it done. (Security Magazine) In order to combat cybersecurity threats, the Biden administration and state governors across the country should immediately work to foster deeper relationships with the private sector. Tech and government certainly don’t always get along, but the threats we face now require a national effort that would rival the Space Race of the 1960s.

Five Reasons Not to Split Cyber Command from the NSA Any Time Soon – If Ever (War on the Rocks) In the waning days of President Donald Trump's administration, a group of outgoing political appointees unexpectedly pushed through the acting secretary

A Leading Critic of Big Tech Will Join the White House (New York Times) Tim Wu’s appointment to the National Economic Council signals a confrontational approach by the Biden administration.

‘This could be dangerous’: Why Tim Wu’s appointment has Big Tech rattled (Protocol) A leader in the trust-busting movement will advise Biden's 'whole government' approach to the tech industry.

More work needed to integrate cyber and information ops, former official says (C4ISRNET) The former leader suggests ways the DoD should shift its thinking to meld cyberspace and the information sphere to keep pace with adversaries.

U.S. Cyber Command holds 2021 Legal Conference (U.S. Cyber Command) The 2021 U.S. Cyber Command Legal Conference was held virtually Thursday morning, and livestreamed on the Defense Visual Information Distribution Service. This annual conference explores current law