Anne Neuberger on Why No Sanctions Issued Against China Yet
NSC Adviser Says Biden Administration Trying to Build Consensus Among Nations
The Biden administration is attempting to build an international consensus on how to react to China's aggressive cyber actions, which is one reason why the White House held off sanctioning the country over a series of attacks on vulnerable Microsoft Exchange servers earlier this year, says Anne Neuberger, the deputy national security adviser for cyber and emerging technology.
Speaking at the Aspen Security Forum on Wednesday, Neuberger defended the administration's response to cyberthreats posed by China and Russia as well as several high-profile ransomware attacks that have targeted U.S. critical infrastructure over the last several months.
Neuberger, who has shaped the White House's response to many of these cyber incidents over the last eight months, pointed to the administration's public attribution of the SolarWinds supply chain attack to Russia and of the attacks on vulnerable Exchange email servers to China. She also pointed to the executive order signed by President Joe Biden that aims to modernize the federal government's cybersecurity protections, including how software is purchased and used.
"You saw in the executive order a key component, in which we said that the U.S. government will only buy technology that is built in accordance with software security standards," Neuberger said. "And clearly that doesn't just benefit the federal government. … By having the federal government define the standards and saying we'll use the power of our procurement to move the market there, this will benefit small and large businesses and individuals alike."
China and Russia
When the Biden administration in July formally accused China's Ministry of State Security, aka MSS, of carrying out a series of attacks earlier this year against vulnerable on-premises Microsoft Exchange servers, several cybersecurity experts expressed concern that the U.S. did not impose sanctions (see: Can the US Curb China's Cyber Ambitions?).
One reason for holding off on sanctions, however, is that the Biden administration is attempting to build a consensus among nations on how to confront China over its malicious cyber activity, Neuberger said. She noted that the Justice Department has indicted four members of the MSS for their roles in other cyber campaigns.
"The Microsoft Exchange attack … emphasizes the Biden administration approach to not go at it alone, but instead to use a sequential, thoughtful approach and to bring partners along to establish those norms of accepted behavior in cyberspace," Neuberger said.
The administration had previously sanctioned Russia and the Russian government's Foreign Intelligence Service, or SVR, for its role in the supply chain attack against SolarWinds, which led to follow-on attacks on about 100 companies and nine federal agencies. Neuberger said that Russia has a history of aggressive cyber behavior not only against the U.S. but against other countries as well.
"This was not the first case of aggressive Russian cyber activity in the international space and we have seen a series of activities in Ukraine, Georgia, Germany and other parts of Europe as well," Neuberger noted. "And there's a broader consensus around the need to call out [Russia's] bad behavior."
When asked about the types of measures the Biden administration is taking in response to aggressive cyber campaigns, Neuberger pointed to the president directly confronting Russia and China over their behavior. She also pointed to new U.S. investments in cyber defenses for critical infrastructure to help ensure it can withstand attacks.
"The U.S. government is making efforts to modernize our defenses and to launch innovative critical infrastructure resilience efforts," Neuberger noted. "We have made a massive push to say that we must address our poor level of national cyber resilience. In no small part, this is underpinned by the fact that critical infrastructure is owned by the private sector and we must encourage, incentivize and move the private sector to make the investment needed to ensure that we as a country can guarantee those critical services."
Neuberger was less forthcoming on how the U.S. might use offensive cyber operations. She noted more aggressive steps can escalate quickly, especially considering the interconnectivity of many IT networks.
"One must always consider the interoperability of networks," Neuberger said. "Having a discrete impact, having confidence in that discrete impact, is often challenging, given how much networks are interconnected within countries and globally."
The Biden administration is also continuing to develop strategies to counter ransomware, especially in light of the attacks on Colonial Pipeline and meat processor JBS.
Ransomware was the topic at the center of the June summit meeting between Biden and Russian President Vladimir Putin. Since then, two of the ransomware gangs believed responsible for some of these attacks - DarkSide and REvil - have gone quiet, although these groups may have started rebranding under new names (see: BlackMatter Ransomware Appears to Be Spawn of DarkSide).
In an interview this week with Dmitry Smilyanets, a threat intelligence analyst with Recorded Future, someone claiming to be an administrator with the new ransomware group BlackMatter said that the gang would not attack critical infrastructure, but other companies would be fair game.
Neuberger said she took that as a sign that the Biden administration's stance and the meeting with Putin might have had some effect on these gangs, although it's impossible to take the word of a supposed cybercriminal at face value. "The proof will be in the pudding," she said.
A more surefire way to disrupt ransomware is to attack the cybercriminals' business model, which includes disrupting their operations and adopting new cryptocurrency regulations, Neuberger said.
"If we want to disrupt ransomware ... we need to be able to rapidly trace and interdict [cryptocurrency payments] around the world, and there's a lot of lessons learned from physical know-your-customer and anti-money laundering global efforts that we're working to apply here," Neuberger noted.