If Russian cyberattacks on the United States seem to be becoming more frequent, it is because they are.
Although there are no conclusive statistics, or any clear indication of whether a particular attack was the work of a Russian government employee or a private hacker, in a mixed economy of cybercrime the difference between national and private interests tends to blur. (This year’s Microsoft Exchange and Pulse Connect VPN hacks originated in China as well. Even calling this ecosystem “Russia” or “China” can be misleading: Russian-speaking actors, as far away as Venezuela, often target Russian servers.)
To learn more about Russian cybercrime and how US President Joe Biden and his administration have responded, Dark Reading sat down with Meg King, director of the Science and Technology Innovation Program at the Wilson Center, a non-partisan international policy think tank funded by Congress and headquartered in Washington, DC. King was a policy expert at the Pentagon, later became a senior staff member of the House of Representatives Homeland Security Intelligence, Information Sharing, and Terrorism Risk Assessment Subcommittee, and then held senior leadership positions at the Wilson Center.
According to King, there is nothing particularly Russian in this Hobbesian cyber world.
“We also seize opportunities where we have them,” she said, citing recent FBI cyber operations that relied on Canadian technology distributors. “It’s not completely black and white in any country.”
Nonetheless, she said, “other countries have more flexible options”—for example, weak rule of law, or a tradition of intertwined industry and government. The weak rule of law in particular means that any US national cybersecurity strategy must be defensive in nature.
This is a frustrating prospect. But King is enthusiastic about the Biden administration’s efforts so far, even if the president’s focus on infrastructure has relegated security to secondary importance. She said the first sign of Biden’s serious intentions was nominating Chris Inglis as national cyber director (King called him “amazing”) and Jen Easterly as director of the Cybersecurity and Infrastructure Security Agency (CISA). She said the Department of Justice (DOJ) strengthening its ransomware task force is another reassuring step.
However, King wants the government to take more ambitious measures, especially on compliance and oversight. For one thing, the United States still lacks a comprehensive national data breach notification standard. A single set of standards for companies would not only clear some of the “fog of war” after an incident—whether we pay the ransom (no), whether we alert the government (yes), and if so, whom and when—but would also “help us fully understand what a systemic problem is.”
King hopes to see a similar unified cyber insurance standard that provides clear guidelines for insurers and their customers.
At the individual business level, King said, the Biden administration should consider mandating regular updates of legacy systems, as well as penetration testing, two-factor authentication and employee training. On the other hand, she doubts whether any mandatory, more aggressive measure, such as an outright ban on ransom payments, could really become law.
King was quick to emphasize that all this discussion of mandates and federal standards makes cybersecurity policy sound entirely top-down, but that is not the case: “Everyone I talked to felt overwhelmed,” she said. “If you have a scale problem, you can never solve it from the top down.”
King added, “Someone needs to lead the Department of Education to teach K-12 students about cybersecurity the way they taught recycling [in the 1990s],” and pointed out that rebranding—from “cybersecurity” to the warmer-sounding “data protection”—could encourage more users and employees to learn about threats in a timely manner. This alone could have a significant impact: about 88% of breaches come down to individual user error, according to a recent study by Tessian and Stanford University.
Nonetheless, King said, “You need to have security engineering on the front end. It can’t be entirely up to the user.”
Such mandates carry political risk: to legislators who like to keep a wide distance between government and business, they may seem unpalatable. But King is not worried, not only because there has been no resistance so far, but also because it is widely felt that a serious cyber policy is no longer negotiable for companies or governments.
“This should not be political,” she said.
Currently, it is not. Although Biden’s reforms are certainly not a mixed economy on the scale of the Russian cybercriminals’, a little hair of the Russian dog may be the secret to success.