At universities in China, former military officers teach students to hack into US defense contractors – and give them bounties. In Russia, military officers recruit criminals on the dark web to hack for the government – and allow them to keep stealing for personal gain.
In contrast, the US response can seem, frankly, wimpy to many Americans, as government officials hold long-winded hearings into just how bad intrusions into American computer networks actually are.
It would be easy to conclude that the US is losing a hacking war with its rivals, that President Joe Biden ought to give Vladimir Putin some kind of cyber-sock in the nose, and that America should take as much punitive action against Chinese telecom equipment manufacturer Huawei as the law allows. And it would also be wrong.
The recent, high-profile SolarWinds attacks by Russia and Microsoft Exchange hack by China might be infuriating, but America’s hands are tied when it comes to countering with comparable destructive cyberattacks.
Yet that restraint is required if the US wants to lead global action, like international economic sanctions, that trounce cyberattacks in overall impact. Indeed, a Biden administration official indicated to reporters that an official response to the SolarWinds attacks is “weeks, not months” away.
But experts do agree the US must do more. Cybersecurity agencies and companies must combine forces in new ways to fend off big hacks by Russia and China – and occasionally strike back in ways that are as stealthy as they are skilled, experts say. That doesn’t amount to a war, but it does mean the three biggest hacking teams in the world are squaring off.
“War is not the right word. It’s a competition for knowledge,” says David Brumley, a Carnegie Mellon University cybersecurity policy expert, and CEO of the startup ForAllSecure.
China and Russia are indeed engaging in cyberwars – but not against the US. China’s government hackers turned off the lights – and the stock market, and hospital ventilators – in India after a border skirmish, research from the cybersecurity company Recorded Future found. Russia’s military hackers turned off the heat in Ukraine when the temperature was 20 degrees Fahrenheit.
US politicians should be careful about throwing around terms like cyberwar, says the former head of the National Security Agency and the military’s top cybersecurity agency, US Cyber Command. That “might suggest that we plan to respond with military action,” retired General Keith Alexander told Insider.
Welcome to the new Cold War, where three cybersecurity rivals hack into each other with the most sophisticated espionage in human history – and three very different points of view. And while Russia’s sprawling SolarWinds supply-chain attacks and China’s vast intrusion into Microsoft email servers via a group called Hafnium may suggest America needs to hack back and reclaim its dignity with some righteous retaliation, experts say it’s not that simple.
And in the three nations, that competition for cybersecurity superiority varies dramatically. “It’s actually quite fascinating,” Brumley says.
The US is ‘fighting intentionally hamstrung’ to maintain a moral high ground
The US stands in stark contrast to its cybersecurity rivals in one frustrating regard: Ethics. Yet it is an advantage America can’t afford to sacrifice if it wants to harness the greatest weapon in the cybersecurity Cold War – international support and sanctions.
America doesn’t hit foreign businesses or infrastructure with cyberattacks. “Our issue is with the government there, not its people,” says Bryson Bort, CEO of the cybersecurity startup Scythe, a former US Army cybersecurity officer and former special advisor to the US Cybersecurity and Infrastructure Security Agency.
“We’re, in many regards, fighting intentionally hamstrung or intentionally with our hands tied because we are trying to maintain the moral high ground,” says David “Moose” Wolpoff, the chief technical officer and cofounder of Randori, and a former government contractor at US cybersecurity agencies. “It’s really easy for us to think, ‘I’m going to go hack the Russians and it’s going to make me safe.’” But that’s not the case, experts say.
And cybersecurity pros have more than they can handle without causing more trouble. The US is scrambling to find more cybersecurity talent while ransomware attacks hit institutions and phishing attacks pester remote workers. Overwhelmed cybersecurity staffs are turning to a high-tech fix, “extended detection and response” – known as XDR – to save time and help understaffed cybersecurity teams, as recent events show that the potential dangers are only growing.
Alexander, the former head of the NSA and Cyber Command, says US companies must work more closely with the government to counter nation-state threats, a sentiment that resounded throughout Congressional hearings on SolarWinds. And, Alexander says, “The White House should also publish a clear declaratory policy on different types of cyber threats – accompanied by a detailed menu of response options and capabilities.”
Coordination between government agencies and with businesses and other countries is vital in standing up to Russia and China, experts told Insider.
US “adversaries can traverse cyberspace at will,” Erica Borghard, senior director of the federal government’s intergovernmental US Cyberspace Solarium Commission, told Insider. But in the US, “government organizations and private entities can only monitor and act on the networks where they have authority to operate. Enhancing collaboration between government and the private sector is therefore essential.”
‘The Chinese government, as a cybersecurity employer, is bootstrapping’
The best way to view the recently disclosed Chinese hacking into Microsoft Exchange Server email software to spy on companies is “like taking advantage of poor locks on doors,” says Brumley, the Georgetown professor and startup CEO. It was a scrappy campaign by cybersecurity forces trying to make something happen. And the unsophisticated attack has veered erratically into cybercrime and other exploitation, creating a global issue China may not have even intended, experts say.
Kurt Baumgartner, a global analyst at the cybersecurity company Kaspersky, says “the exchange issue is a global problem, and we are seeing targeting and heavy amounts of activity around the world.” For this reason, “it can be argued that it falls outside the acceptable norms” of nation-state hacking, he says. This reflects a cybersecurity culture that is largely untrained, dominated by the government, and formed with the understanding that US intellectual property and computer systems are there to be exploited.
“The Chinese government, as a cybersecurity employer, is bootstrapping,” says Dakota Cary, a researcher at Georgetown’s Center for Security and Emerging Technology. Cary’s research shows there are 1.4 million open cybersecurity jobs in China – four times as many as in the US. “They’re doing a lot to focus on this jobs pipeline.”
More than half of all cybersecurity workers in China have less than five years’ experience, and 80% have less than 10 years’ experience. In contrast, the average American cybersecurity worker has nine years of experience. China’s cybersecurity workers make the equivalent of around $30,000-$60,000 a year – enough to pay for a comfortable, but modest, lifestyle in the country.
A large part of the race to fill jobs involves artificial intelligence, Cary found. At six Chinese universities, researchers are developing AI and machine learning programs to hack into other nations’ cybersecurity systems. Universities research password hacking and social engineering, the tricking of victims into providing information and access into systems.
Intellectual property theft from the West is a given. Government workers take information from US companies every day, experts say, as a way to compete. “Why do the research when you can steal it?” asks Bort.
And if you work in cybersecurity in China, you do work for the military. At any moment, a government official may barge into your office and dump data to be sorted into your lap. The government “tasks some companies to analyze bulk data collected from cyber espionage operations,” Cary found. “Rejecting the Party’s requests may be the death-knell for an organization.”
Russian hackers ‘may dabble in cybercrime because they don’t earn enough’
If the Microsoft hack reflects China’s bootstrapping cybersecurity force, SolarWinds shows that Russia is a fading, once-mighty cyber superpower long on experience – and short on revenue. Proud hackers who grew up in the tradition of Putin’s former employer, the KGB, slowly built the sprawling campaign of unprecedented craftsmanship.
Yet the talented hackers who built the supply-chain attacks – in which SolarWinds’ software updates were exploited to infiltrate 18,000 companies and nine major US agencies – were likely poorly paid, and augmenting their income with petty cybercrimes against the US at night.
“They’re very clever about how they penetrate networks – they’ve been known to compromise massive numbers of servers related to foreign affairs organizations” just to monitor them for espionage as “watering holes” that lure conversation, says Baumgartner, the Kaspersky analyst. “They’re considered very resourceful. They’re very disciplined at what they do.”
Even top military cybersecurity officers in Russia are known to engage in cybercrime to make ends meet. And while they are on the dark web engaging in credit-card scams, they recruit criminals to work for the government – where they will be allowed to continue scamming for personal profit.
“Many hackers are just trying to earn a living. Even if they work for the government, they may dabble in cybercrime because they don’t earn enough,” says Oleg Kolesnikov, vice president of threat research at the cybersecurity company Securonix, an adjunct professor at Northeastern University, and Ukraine native. “There are people who are very good at math, very good at programming. So there’s a lot of talent. But the pay for cybersecurity and tech jobs generally is not very good there.”
But don’t count America out
There is one other key aspect to keep in mind about US cyber engagement with other nations: The best campaigns are never discovered. “When you’re the best at this, no one sees your work,” says Bort, the former Army cybersecurity officer and CISA advisor.
Over the past two months, mysterious attacks have disrupted elite Russian hacking forums where the hackers who carry out government hacks often moonlight for most of their income.
“Mysterious Operators Usurp Elite Russian Hacker Forum,” the cybersecurity analyst firm Flashpoint reported three weeks ago. Two weeks later, another high-level Russian hacking forum was apparently hit. “Little is known at this time about the attackers,” Flashpoint wrote. Hacking elite hackers is not easy, and users of the forums suspect US law enforcement may have a hand. “Perhaps these suspicions are well-justified,” Flashpoint wrote in an analysis.
A source who asked not to be identified because of high security clearances in their past says the question is not why America is not responding forcefully where it hurts Russia and China the most. A better question, the source suggests: “How do you know we aren’t?”