President Biden’s tough talk against cyberattacks from Russia has not stopped an onslaught of ransomware and hacks from hitting the U.S., cybersecurity professionals say.
Mr. Biden said U.S. critical infrastructure was off-limits for Russia-based attackers and repeatedly admonished Russian President Vladimir Putin to take action against cyberattackers. The effort has failed to yield an observable deterrent effect, said Michael Ellis, a former top lawyer at the National Security Agency appointed by President Trump.
“I think it was a little naive perhaps to think that just Biden telling off Putin would actually lead to anything in and of itself,” Mr. Ellis said. “One fault of the Biden administration’s policy so far: Their approach does appear to be again reminiscent of the Obama administration’s — that meeting after meeting to consider an issue but without making a decision. And when you don’t make a decision, that amounts to a decision, in some ways, and that leads to bad results.”
Mr. Biden set his red lines with Mr. Putin at a June summit in Geneva. Mr. Biden declared 16 critical infrastructure sectors out of bounds for cyberattacks, including communications, the defense industrial base, energy, financial services, health care, transportation, and food and agriculture.
“The bottom line is I told President Putin that we need to have some basic rules,” Mr. Biden said immediately after the summit. “This is the road that we can all abide by.”
The number of weekly attacks against several of the off-limits critical infrastructure sectors has continued to soar over previous years, according to cybersecurity firm Check Point, which has headquarters in California and Israel.
Check Point observed an average of 406 attacks per week against the financial services industry, 790 average attacks per week against the health care industry and 976 average attacks per week against the communications industry in June and July.
The average number of weekly attacks in each of these industries is more than double the rate at this time last year, Check Point reported. The communications sector is experiencing more than four times as many attacks.
Check Point spokesperson Ekram Ahmed said his firm would not reveal the identity of the specific entities under attack given strict nondisclosure agreements that the firm is obligated to follow.
Determining which cyberattacks cross Mr. Biden’s red lines is difficult, even when the victim is known and appears to fall within the full list of the 16 off-limits critical infrastructure sectors published on the Cybersecurity and Infrastructure Security Agency’s website.
The REvil cybergang hit defense contractor HX5 last week, well after Mr. Biden’s ultimatums to Mr. Putin. The defense contractor’s clients include the Army, Navy and Air Force, arguably putting HX5 on the off-limits list as part of the defense industrial base.
Whether the REvil attackers hitting HX5 are Russia-directed or even in Russia is unknown. The REvil gang’s web presence diminished last week as the group either went into hiding, was knocked offline or experienced ordinary technical difficulties.
The number of REvil’s victims is large and recently multiplied through its ransomware attack on the software company Kaseya over the Fourth of July weekend. Although Kaseya indicated that the attack affected fewer than 1,500 businesses downstream from 60 customers using Kaseya products, the victims were in 17 different countries.
Among the victims of the Kaseya assault was the town of North Beach, Maryland, which proactively shut down the local government’s network server and workstations. North Beach was the first municipality to disclose the ransomware attack on Kaseya, but it was the 41st local government entity in the U.S. to be hit by ransomware this year, said Brett Callow, a threat analyst at the software company Emsisoft.
On Thursday, the State Department began offering a reward of up to $10 million for information leading to the identification of foreign government-directed cyberattackers who hit U.S. critical infrastructure.
In an interview before REvil’s digital fingerprints faded, Reuven Aronashvili, who previously served in the Israel Defense Forces and founded the cybersecurity company CYE, said he had not seen a change in cyberattackers’ behavior but sounded hopeful that such changes could come.
“The change takes time, and all the new requirements and all [that] coming from President Biden, those are good, I think, good steps going forward, but the impact of those still is not there,” Mr. Aronashvili said. “You need to create some kind of revolution in the industry in order to rise above the, let’s say, the violent noise that we see today. Those attacks, unfortunately, are still too easy.”
Policymakers have increasingly pressed the Biden administration to take more aggressive action. Rep. Jim Langevin, Rhode Island Democrat and chair of the Armed Services Committee’s cyber subcommittee, called last week for Mr. Biden to enact tailored sanctions on Russia over the spate of ransomware attacks.
Instead of launching offensive actions, Mr. Langevin told the Council on Foreign Relations, the Biden team ought to place better-targeted sanctions on Russia than those the administration applied in response to the Russian government hack of SolarWinds computer network management software, which impacted nine federal agencies.
“In fact, responding in cyberspace will be counter to our ultimate goal of promoting a domain that is regulated by strong norms and a well-understood standard of behavior,” Mr. Langevin said. “Trading shots in cyberspace perpetuates the idea that the domain is the Wild West and directly undermines our goal of stability.”
Other lawmakers want the government to consider expanding the cyberwar battleground to include private entities. Late last month, Sens. Sheldon Whitehouse, Rhode Island Democrat, and Steve Daines, Montana Republican, introduced a bill that would direct the Department of Homeland Security to study the benefits and risks of authorizing private entities to take offensive actions.
On Thursday, the White House announced a ransomware task force and the Homeland Security and Justice departments created a digital hub for information on ransomware, StopRansomware.gov.
In comparing Mr. Biden’s approach to Mr. Trump’s record, Mr. Ellis noted that the former president authorized a more streamlined procedure for offensive cyberoperations and that some of it was used against Russia.
Mr. Ellis, a visiting fellow for law and technology at the conservative Heritage Foundation, said the cyberattacks would still have happened if Mr. Trump were in office. Still, he thought the attackers’ calculus would be different.
“I don’t think they would all instantly go away if Trump were still president, but I do think that if Russia or these other countries that turn a blind eye to this activity, if they paid a price for it — and I think it would be a great, a much greater likelihood of them paying a price if Trump were still president — that they would take some actions to start cracking down on these actors,” Mr. Ellis said.