Now that the Western world has officially blamed China for the Microsoft Exchange cyberattack, which compromised more than 100,000 government and private-sector servers worldwide, private-sector security leaders expect the White House to take retaliatory action against Beijing beyond simply naming and shaming.

“It’s time for Cyber Command to take the gloves off and proportionately disrupt and degrade the infrastructure and capabilities associated with the attackers,” said Tom Kellermann, VMware’s head of cybersecurity strategy who also sits on the U.S. Secret Service Cyber Investigations Advisory Board.

In addition to shutting down the Chinese attackers’ infrastructure — along the lines of what the U.S. may or may not have done to make Russia’s REvil ransomware gang disappear from the internet — Kellermann also suggests non-cyber tactics.

“At the same time go after their assets through Alipay,” he said. “And at the same time, make them feel less comfortable traveling freely in Asia, particularly to neutral countries like Singapore, where they like to gamble.”

However, what U.S. retaliation will look like remains to be seen, and cybersecurity executives have differing views on how to respond to the growing threat of state-sponsored cyberattacks.

‘Pattern of Malicious Cyber Activity’

Earlier this week the White House accused the Chinese government of illegally paying hackers for years to do its dirty work, including spying and stealing intellectual property.

In a statement, and joined by partners including the European Union, the United Kingdom, and NATO, the U.S. blamed China for a “pattern of malicious cyber activity.” It held cybercriminals associated with China’s Ministry of State Security (MSS) responsible for ransomware, extortion, cryptojacking, and cyber espionage — including the attacks that used the Microsoft Exchange server zero-day vulnerabilities.

At the same time, the U.S. Department of Justice announced criminal charges against four Chinese nationals tied to China’s MSS. The hackers, according to the DOJ, conducted a multi-year campaign targeting government and private-sector networks in an attempt to steal intellectual property, trade secrets, public health information, and other confidential data.

But instead of issuing a raft of sanctions against China as it did to Russia following the SolarWinds attack, the United States “exposed” the Chinese government’s “pattern of malicious cyber activity” and said it would take further action, without specifying what that action would be.

Moving Beyond ‘Naming and Shaming’

The Information Technology and Innovation Foundation (ITIF), a tech policy think tank, was one of the organizations that called on the Biden administration to move beyond “naming and shaming” China following the cyberattacks.

“If China continues to brazenly back cyberattacks against its trading partners, the United States and its allies should escalate their response,” ITIF VP Daniel Castro said in a statement.

In a subsequent email exchange with SDxCentral, Castro said the U.S. has a couple of problems in dealing with China.

“The first is plausible deniability,” Castro wrote. “As seen in China’s response to Biden, the Chinese government has claimed it isn’t responsible. The U.S. needs to be able to convince its allies that China is behind these cyberattacks, and it has made good progress on that front.”

Second, the U.S. doesn’t have an effective deterrent, he added. If naming and shaming was the first step, “the next step should be sanctions,” Castro wrote. “That is obviously a dicey scenario because of the threat of retaliation from China against U.S. companies. However, this is where a global alliance will help the U.S. make progress — there is strength in numbers. [Former President Barack] Obama had struck a deal with China on cybersecurity (under the threat of sanctions), but it fell apart during the [former President Donald] Trump administration. [President Joe] Biden’s job should be to get that back in place.”

Russia Cyber Policy vs. China Cyber Policy

IronNet Cybersecurity SVP Jamil Jaffer, a former associate White House counsel to former President George W. Bush, also says the U.S. government needs to get more aggressive toward China or any nation that supports cybercriminal groups.

“Assuming we are confident in that attribution, there is no reason we shouldn’t take action against both the country and the criminal actor,” he said. “Much stronger sanctions have to be the starting point,” Jaffer added, pointing to sanctions against Russia following its election interference and the SolarWinds hack.

“The same thing applies to China,” he continued. “In this circumstance where we are talking about theft, we need to start with much more aggressive sanctions including the kind that we’ve deployed elsewhere but we aren’t willing to try against China, because frankly we are worried about the economic consequences. But at some point we have to decide, this matters more, and we’re going to hold the line.”

Kellermann agrees that the United States’ and other Western nations’ close economic ties to China make sanctions a delicate balancing act. “There are tremendous concerns over escalating the trade war, which is already hurting American companies and foreigners significantly,” he said. “That all being said, I don’t think that there should be such a disconnect between our Russian policy and our Chinese policy.”

Should the U.S. Hack Back?

And at a minimum, the U.S. government should take “proportionate” cyber action against China in response to the Microsoft Exchange attack, Kellermann added.

“Let’s be clear: What occurred here was an example of cybercriminals and cyber spies collaborating to launch an island hop, through Microsoft, against some of the most important government agencies in the world as well as corporations. Given the recent changes in the NATO charter as it relates to cyberattacks, given the recent statements by the Biden administration, and progressive hiring of individuals who believe in proportionate response, I do think that the U.S. government should proportionately respond by disrupting and degrading the infrastructure associated with these individuals. What that looks like, I really leave that up to both the FBI and Cyber Command, but we want to degrade their infrastructure immediately.”

A massive cyberattack like SolarWinds or the Microsoft Exchange breach always raises the question of whether the U.S. government should take offensive actions — or “hack back” — in response.

Offensive actions in response to a cyberattack should only be conducted by government entities — never private companies or citizens — and should also accompany other policy measures, said Amit Yoran, CEO of Tenable and former founding director of US-CERT in the U.S. Department of Homeland Security.

“Offensive and counter-offensive activities in cyber are certainly options that the U.S. government has and should keep available in response to cyberattacks and as courses of action to consider. Along with other measures, they can help create deterrence and raise costs to adversaries,” Yoran said. “To be sure, they are a small but important subset of cyber and non-cyber tools available in response to cyberattacks. Other tools include indictments, prosecution, freezing of assets, sanctions, trade policies, and other retorts and countermeasures.”

Seize the Wallets

Kellermann also advocates for a multi-pronged approach that includes cyber measures as well as more traditional law enforcement actions.

“First and foremost, greater asset seizure and forfeiture associated with Alipay or WePay accounts of these individuals should be pursued,” he said. “Those accounts should be frozen and seized, and they should use the principles of the Financial Action Task Force, of which China is a signatory, to pursue that.”

Finally, Kellermann suggests that Chinese hackers should be arrested if they travel to Singapore.

“Singapore considers itself Switzerland, Singapore also has signatory status, and Singapore is also the hub for Interpol in Asia,” he said. “They should be banned from traveling to Singapore, or they should be arrested when they appear in a bar to gamble.”

The private-sector-led Ransomware Task Force, in its April report, recommended several actions that the 60-plus-member group said the Biden administration should take to curb future attacks. Recommendations include putting pressure — such as sanctions — on countries that harbor cybercriminals, requiring that cryptocurrency companies follow “know-your-customer” and anti-money laundering laws, and boosting international law enforcement and intelligence-sharing efforts.

Cyber Code of Conduct

These, and all of the group’s 48 recommendations, can help define acceptable behavior on the internet, which has to happen in order to prevent cyberattacks, said Cisco Talos’ Director of Outreach Craig Williams. Cisco is also a Ransomware Task Force member.

“You’ve got to define acceptable behavior on the internet, you’ve got to define how to enforce that, and you’ve also got to define which countries aren’t playing well with others on the internet,” he said. “These situations are hard to solve, and there’s not an instant answer on how to do it.”

Cybercrime, like physical crime, doesn’t have a quick fix, Williams added. “You’ve got to have constant correction and consequences for bad behavior to combat crime, and it’s the same thing when it comes to cybercrime. We’ve got to have consistent consequences for people who aren’t behaving on the internet, and we need to make the behavior more costly.”

The private sector has a role to play as well, Williams said, and that involves working with customers to help them improve their security posture and prevent attacks, as well as working with other security companies and law enforcement to share threat information and, on occasion, take down criminal groups and their infrastructure.

“We’re actually to a point where all security companies, broadly, are working together,” Williams said. “We’re sharing data and telemetry through things like the Cyber Threat Alliance. We’re all publishing indicators of compromise for free on public sites, and we’re coordinating activities. And thanks to the Biden administration’s executive order, we’re now collaborating with government even more closely in sharing data, and I hope that’s going to make it effective in the future.”