The Washington Post

The Cybersecurity 202: Biden administration set to announce sanctions on Russia in response to massive hacking campaign

Analysis by
Technology and cybersecurity policy researcher
April 15, 2021 at 7:52 a.m. EDT

with Aaron Schaffer

The Biden administration will today announce sanctions against Russia in response to a months-long hacking campaign against the United States and Russia's efforts to influence the 2020 presidential election, Ellen Nakashima reports.

The package includes tough economic sanctions and other actions against six companies that support Russia's hacking campaigns. Some of the firms are linked to the SolarWinds breach, officials say. Additionally, the United States will expel 10 intelligence officers currently using diplomatic status in the United States.

The actions come in response to a months-long U.S. investigation into the Russian hacking campaign, often referred to as SolarWinds after the software used to infiltrate nine federal agencies and about 100 private companies. The breach continued for months before the private cybersecurity firm FireEye tipped off the software company and law enforcement. The Washington Post first reported that Russian foreign intelligence was believed to be behind the campaign.

“Our view is that no single action that we will take or could take in and of itself could directly alter Russia’s malign behavior,” Principal Deputy National Security Adviser Jonathan Finer told Ellen. “But this is going to be a process that is going to take place over time, and it will involve a mix of significant pressure and finding ways to work together.”

The U.S. sanctions set the stage for future efforts to deter Russian hacking.

The administration's response will include a more in-depth description of Russian spying tactics meant to “degrade the Russian intelligence services' cyber programs,” a White House official told Ellen. And the move bars U.S. banks from buying government bonds from Russia's central bank after June 14.

The administration is also reserving its rights to expand the economic sanctions in response to any future cyber-intrusions under a new executive order, Ellen reports.

“This action signals that the Biden administration is not going to hold back,” Edward Fishman, a nonresident senior fellow at the Atlantic Council, told Ellen. “They're taking significant actions against the Russian economy and putting global markets on notice that Russian sanctions will increase if Russia's aggressive behavior continues.”

The administration also plans to push for a more unified approach from allies against hacking. European allies are expected to issue statements backing the White House response but not join in imposing new sanctions, Ellen reports.

The administration's robust response represents a dramatic reversal from Biden's predecessor, former president Donald Trump. Officials and lawmakers often criticized Trump for failing to call out Russian aggressions. Trump never commented on Russia's role in SolarWinds, deemed likely by intelligence officials at the time, and often undermined his own intelligence officials' assessments of election interference.

Biden has been clear his administration won't tolerate Russian hacking.

The “United States will act firmly in defense of its national interests in response to Russia’s actions, such as cyber intrusions and election interference,” Biden said in a call with President Vladimir Putin earlier this week.

Some experts expressed doubts that sanctions will deter future attacks.

“Another sanction isn’t going to change Russian behavior,” James Lewis, a cybersecurity expert at the Center for Strategic and International Studies and a former official at the State and Commerce departments, told me earlier this year.

Both the Obama and Trump administrations imposed sanctions against Russia with little impact in deterring the recent cyber espionage and influence campaigns.

In the wake of the SolarWinds hack, experts and lawmakers have urged improvements to U.S. cyber defenses. Possible legislative solutions include mandatory cyber incident reporting, increased funding for the Cybersecurity and Infrastructure Security Agency and instituting a top cyber diplomat at the State Department to help shape global cyber norms.

The sanctions followed warnings from intelligence officials that Russia poses a top threat to U.S. national security.

In a hearing before the Senate Intelligence Committee yesterday, CIA Director William J. Burns called Russia's increased military buildup in Crimea a “serious concern.” The timing of the cyber sanctions has raised some concerns the United States could be heading for an escalated conflict with Russia over its military actions.

The keys

A small Australian hacking company unlocked the San Bernardino, Calif., terrorist’s iPhone.

Azimuth Security, which says it sells its cyber tools only to democratic governments, ended a standoff between Apple and the U.S. government when it built a solution for the FBI to get into Syed Rizwan Farook’s iPhone 5C, Ellen Nakashima and Reed Albergotti report. The development comes after five years of secrecy over the identity of the developer of the tool. 

Even Apple didn’t know what company the FBI used, Apple spokesman Todd Wilder said. But Apple attorneys inadvertently came close to learning of Azimuth’s role in a different court case last year. 

Ireland opened an investigation into a leak of Facebook user data.

The investigation by Ireland’s Data Protection Commission (DPC) comes less than two weeks after 533 million Facebook user records, which included personal information such as birth dates and biographical details, were shared online. The DPC, which said in a statement that it believes data laws “may have been and/or are being infringed,” noted that it opened the investigation after Facebook Ireland responded to its questions.

Phone numbers belonging to well-known Facebook users including CEO Mark Zuckerberg, U.S. Transportation Secretary Pete Buttigieg and European commissioner for data protection Didier Reynders reportedly were included in the leak.

Facebook told the Associated Press that it is “cooperating fully” with the investigation and that “these features are common to many apps and we look forward to explaining them and the protections we have put in place.”

Republican lawmakers want the Biden administration to limit the sale of chip-making software to China.

The letter by the top Republican on the House Foreign Affairs Committee, Rep. Michael McCaul (R-Tex.), and Sen. Tom Cotton (R-Ark.) comes less than a week after a Washington Post report on Chinese military systems that use American technology. The Biden administration quickly placed the firms under U.S. export controls, but the Republicans say that’s not enough.

“To ensure U.S. companies as well as those from partner and allied countries are not permitted to sell the communists the rope they will use to hang us all,” the lawmakers wrote, the Commerce Department should take more decisive steps, such as bulking up its export control regulations to require U.S. companies that produce the software to get licenses to export products to China.

Chat room

At yesterday's Senate Intelligence hearing, Sen. Ron Wyden (D-Ore.) raised concerns that the government would respond to the SolarWinds hack by throwing “a bunch more money at the same companies that sold the government insecure products that the hackers exploited.”

“And, really, what we're talking about with that approach is cyber pork,” he concluded.

The creation of the “cyber pork” term did not go unnoticed.

Hill happenings

Wyden is proposing a ban on the sale of Americans’ data to “unfriendly” foreign governments.

Wyden's sweeping package would join a set of federal privacy proposals that would also restrict the sale of Americans’ personal data, Drew Harwell reports. It would regulate the personal data trade under export-control laws, according to a copy of the draft bill reviewed by The Washington Post.

Wyden circulated the draft bill to lawmakers for discussion today.

“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” Wyden said in a statement. The new legislation, he said, would “ensure that countries that can’t be trusted with Americans’ private information don’t get it.”

Two top Republicans want to know how DHS and the Commerce Department will handle Chinese threats to the U.S. communications supply chain.

Rep. John Katko (R-N.Y.), ranking member of the House Committee on Homeland Security, and Rep. Andrew R. Garbarino (R-N.Y.), ranking member of the Homeland Security cybersecurity subcommittee, expressed concerns the Chinese firm Xiaomi could be the next Huawei.

“We share grave concerns that Xiaomi poses a significant threat to the privacy of any of its users through its lineup of smartphones, laptops, smartwatches, and other consumer-facing products,” they wrote in a letter to DHS Secretary Alejandro Mayorkas and Commerce Secretary Gina Raimondo. “In many ways, data has become the modern-day currency of homeland security and we must take threats to the data integrity of the free world seriously.”

The Trump administration banned the use of Huawei telecommunications equipment due to concerns the Chinese government could compel the company to aid it in spying on customers. Both Huawei and the Chinese government have denied the allegations.

The lawmakers are asking that the secretaries update the committee by May 14 on the steps their departments are taking to secure the supply chain and on any relevant information about actions related to Xiaomi.

Xiaomi defended its privacy practices.

"Xiaomi is a consumer electronics company that offers a broad range of consumer products designed for civilian and commercial use. Xiaomi does not make any infrastructure or telecommunication equipment that are part of the ICT supply chain," said Jeffrey Birnbaum, a spokesperson for the company. "Xiaomi upholds high standards for protecting the privacy of user data. Although we have not sold any smartphones, laptops, or smart watches in the United States, for all other regions we conduct business, including Europe, Asia, Middle East, Africa, and Latin America, our data protection practice conforms to top standards and adheres to local rules. For instance, we have routinely passed third-party's audits to verify the effectiveness of security measures."

This item has been updated with a comment from Xiaomi.

Industry report

Microsoft says it will temporarily offer U.S. government agencies free technology to track their network activity after criticism by lawmakers. 

The company will offer all its clients in the federal government that use its Government Cloud software a one-year free trial of its logging software, Advanced Audit, Microsoft Federal President Rick Wagner said in a blog post. The move comes after blistering criticism from lawmakers including Wyden, who has called for the government to stop giving government contracts to companies including Microsoft, which disclosed a massive Chinese hacking operation earlier this year.

Microsoft President Brad Smith previously told Rep. Jim Langevin (D-R.I.), when pressed about the federal government paying additional fees for logging technology, that “we are a for-profit company” and “everything we do is designed to generate a return, other than our philanthropic work.”

Global cyberspace

At least six E.U. agencies were hit by a cyberattack on SolarWinds and other software.

European Commissioner Johannes Hahn said in a response to a question from a European lawmaker that the level of impact varied significantly, from “no impact to significant impact.” 

“In some cases, IT networks and systems have been significantly impacted, and at least some personal data breaches occurred,” Hahn wrote, adding that he could not provide additional information about the investigations.

Cyber insecurity

Cybercriminals are increasingly impersonating banks.

The banking sector replaced the retail sector in Check Point Research’s quarterly list of the most imitated brands for phishing. Microsoft and DHL were the most impersonated brands globally, the firm said, corresponding to 39 percent and 18 percent of global brand phishing attempts.

At least four hacking groups are exploiting tax season.

At least 800,000 malicious emails have been sent across 30 tax-themed campaigns by hackers, researchers from Proofpoint said. The emails, which attempt to take over email accounts or steal personal data, have exploited the pandemic and financial downturn, demonstrating that they are “agile and flexible and take current events into account in their campaign development,” the researchers said.

Daybook

  • U.S. intelligence chiefs testify before the House Intelligence Committee today at 9 a.m.
  • Kevin Walsh, the Government Accountability Office’s IT and cybersecurity director, and two government agencies’ chief information officers testify on IT acquisition before a House Oversight and Reform Committee panel on Friday at 9 a.m. 
  • Former Director of National Intelligence John Ratcliffe speaks at a Heritage Foundation event on April 19 at 11 a.m. 
  • CISA executive assistant director for cybersecurity Eric Goldstein speaks at the Industrial Control Systems Joint Working Group’s spring virtual meeting on April 20 at 8:30 a.m.
  • Rep. Michael McCaul (R-Texas); acting National Counterintelligence and Security Center director Mike Orlando; and Carl McCants, the technical director of NCSC’s supply chain and cyber directorate, speak at an Intelligence and National Security Alliance event on microelectronics supply chains on April 20 at noon.