'Reminiscent of the Obama administration': Cyberattackers ignore Biden's red lines


President Biden’s tough talk against cyberattacks from Russia has not stopped an onslaught of ransomware and hacks hitting the U.S., according to cybersecurity professionals.

Mr. Biden drew red lines around U.S. critical infrastructure as off-limits for Russia-based attackers and repeatedly admonished Russian President Vladimir Putin to take action against cyberattackers. The effort has so far failed to yield an observable deterrent effect, said Michael Ellis, a former top lawyer at the National Security Agency who was appointed by former President Donald Trump.

“I think it was a little naive perhaps to think that just Biden telling off Putin would actually lead to anything in and of itself,” Mr. Ellis said. “One fault of the Biden administration’s policy so far: Their approach does appear to be again reminiscent of the Obama administration’s — that meeting after meeting to consider an issue but without making a decision. And when you don’t make a decision that amounts to a decision, in some ways, and that leads to bad results.”

Mr. Biden set his red lines with Mr. Putin at a June summit in Geneva. Mr. Biden declared 16 critical infrastructure sectors out of bounds for cyber-meddling, including communications, the defense industrial base, energy, financial services, health care, transportation, and food and agriculture.

“The bottom line is I told President Putin that we need to have some basic rules,” Mr. Biden said immediately following the summit. “This is the road that we can all abide by.”

The number of weekly attacks against several of the off-limits U.S. critical infrastructure sectors has continued to soar in 2021 over previous years, according to cybersecurity firm Check Point, which is headquartered in California and Israel.

Check Point observed an average of 406 attacks per week against the financial services industry, 790 average attacks per week against the healthcare industry, and 976 average attacks per week against the communications industry in June and July 2021.

Each of these industries has seen more than double the average weekly attack rate of this time last year, with the communications sector experiencing more than four times as many attacks, per Check Point.

Check Point spokesperson Ekram Ahmed said his firm would not reveal the identity of the specific entities under attack given strict non-disclosure agreements that the firm is obligated to follow.

Determining which cyberattacks cross Mr. Biden’s red lines is difficult for observers even when the victim is known and appears to fall within the full list of the 16 off-limits critical infrastructure sectors published on the Cybersecurity and Infrastructure Security Agency’s website.

For example, the REvil cyber gang hit defense contractor HX5 last week, well after Mr. Biden’s June ultimatums to Mr. Putin. The defense contractor’s clients include the U.S. Army, Navy, and Air Force, arguably putting HX5 on the red-line list as part of the defense industrial base sector of critical infrastructure.

Whether the REvil attackers hitting HX5 are Russia-directed or even in Russia is unknown. Earlier this week, the REvil gang’s web presence diminished as the group either went into hiding, was knocked offline or experienced ordinary technical difficulties.

The number of REvil’s victims is large and recently multiplied through its ransomware attack on the software company Kaseya occurring over the Fourth of July holiday weekend. While Kaseya indicated that the attack affected fewer than 1,500 businesses downstream from 60 customers using Kaseya products, the victims reside in 17 different countries.

Among the victims of the Kaseya assault by REvil was the town of North Beach, Maryland, which proactively shut down the local government’s network server and workstations. North Beach was the first municipality to disclose getting hit through the ransomware attack on Kaseya, but it was the 41st local government entity in the U.S. to be hit by ransomware in 2021, according to Brett Callow, a threat analyst at the software company Emsisoft.

On Thursday, the State Department began offering a reward of up to $10 million for information leading to the identification of foreign government-directed cyberattackers who hit U.S. critical infrastructure.

In an interview before REvil’s digital fingerprints faded, Reuven Aronashvili, who previously served the Israel Defense Forces and founded the cybersecurity company CYE, said he had also not seen a change in cyberattackers’ behavior but sounded hopeful that such changes could still come.

“The change takes time and all the new requirements and all [that] coming from President Biden, those are good, I think, good steps going forward but the impact of those still is not there,” Mr. Aronashvili said. “You need to create some kind of revolution in the industry in order to rise above the, let’s say, the violent noise that we see today. Those attacks unfortunately are still too easy.”

Policymakers have increasingly pressed the Biden administration to take more aggressive action. Earlier this week, Rep. Jim Langevin, Rhode Island Democrat and chair of the Armed Services Committee’s cyber subcommittee, called for Mr. Biden to enact new tailored sanctions on Russia over the spate of ransomware attacks.

Instead of launching offensive cyber actions, Mr. Langevin told the Council on Foreign Relations that the Biden team ought to place better-targeted sanctions on Russia than those the administration applied in response to the Russian government hack of SolarWinds computer network management software, which impacted nine federal agencies.

“In fact, responding in cyberspace will be counter to our ultimate goal of promoting a domain that is regulated by strong norms and a well-understood standard of behavior,” Mr. Langevin said. “Trading shots in cyberspace perpetuates the idea that the domain is the Wild West and directly undermines our goal of stability.”

Other lawmakers want the government to consider expanding the cyber battleground to include private entities. Late last month, Sens. Sheldon Whitehouse, Rhode Island Democrat, and Steve Daines, Montana Republican, introduced a bill that would direct the Department of Homeland Security to study the benefits and risks of authorizing private entities to take offensive cyber actions.

On Thursday, the White House announced a new ransomware task force and the Homeland Security and Justice departments created a digital hub for information on ransomware, stopransomware.gov.

In comparing Mr. Biden’s approach to Mr. Trump’s record, Mr. Ellis noted that the former president authorized a more streamlined procedure for offensive cyber operations and that some of that was used against Russia.

Mr. Ellis, a visiting fellow for law and technology at the conservative Heritage Foundation, said the ongoing cyberattacks would still have existed if Mr. Trump were in office but he thought the attackers’ calculus would be different.

“I don’t think they would all instantly go away if Trump were still president but I do think that if Russia or these other countries that turn a blind eye to this activity, if they paid a price for it — and I think it’d be a great, a much greater likelihood of them paying a price if Trump were still president — that they would take some actions to start cracking down on these actors,” Mr. Ellis said.
