Washington Tries to Add Some Teeth to Its Cyberdefenses
The Biden administration unveiled a road map to thwart Russia and China in cyberspace, but experts say gaps remain.
Washington has spent, depending on how you count it, a few decades, a few years, or the last year defending against potential Russian cyberattacks, especially given the intensity of online conflict after the renewal of Russia’s war in Ukraine. But China recently gave Washington a stark reminder that it remains a highly capable adversary.
Beginning in mid-May, a China-based hacking group infiltrated more than two dozen organizations, including some U.S. government agencies, such as the State and Commerce departments, as well as the email accounts of U.S. officials such as Commerce Secretary Gina Raimondo. The hackers had free rein for a month. All the while, North Korea remains an advanced, persistent threat, hoovering up sensitive information and stealing cryptocurrency to fund its missile and nuclear programs.
All of those concerns made the rollout this month of the Biden administration’s long-awaited cybersecurity plan all the more timely, coming just days after public acknowledgement of the Chinese hack. The only problem is that the big implementation plan is long on aspirations—if notably less ambitious than the road map laid out this spring—and short on the very kinds of details that could make greater cybersecurity a reality during the administration’s remaining time in office.
The implementation plan, published this month, lays out concrete steps to protect U.S. pipelines, electrical grids, the water supply, and other key infrastructure from being ground to a halt by devastating cyberattacks and to prevent hackers from infiltrating the emails of senior U.S. government officials, as China has done.
That includes leaning more on the private sector companies that actually build and run those systems, such as Amazon and Microsoft, as well as working with allies around the world to take down bad actors more proactively. The implementation plan sets concrete timelines to achieve each goal of the cybersecurity strategy and assigns a host of agencies—including the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security, and the FBI—with oversight and coordination of specific efforts.
However, several gaps still remain that could continue to leave U.S. government and private systems vulnerable to being attacked. “Many of the strategy’s most difficult and revolutionary goals … have been pared down or omitted entirely,” experts at the Atlantic Council’s Cyber Statecraft Initiative wrote in a report published last week, pointing to specific provisions around data privacy, digital identity, and cloud risk that were part of the initial strategy but found scant mention in the implementation plan.
Much of that may be down to political realism, Maia Hamin and Stewart Scott, associate directors at the Cyber Statecraft Initiative and two of the report’s co-authors, said in an interview. Big swings by the executive branch that look to overhaul technology regulation are unlikely to be passed by Congress and upheld by the Supreme Court, likely prompting the Biden administration to temper some of its targets.
“The difference in what the strategy talks about and what the implementation plan talks about says a lot about what they think is implementable in the near term,” Scott said. “There’s some more proactiveness there, but there’s a lot of the way to go on getting it done.”
Another potential wrinkle is that many of the implementation plan’s deadlines stretch into 2025—after next year’s presidential election—and it’s unclear whether a new administration would adopt the same cybersecurity priorities and plans.
One key vulnerability that the recent breach revelation exposed is the government’s increasing shift to cloud-based services for its technology needs. That shift in many ways is positive, necessary, and unavoidable, according to Hamin: Cloud providers such as Amazon, Google, and Microsoft have the technical capabilities and resources to better manage online systems, making them more efficient and cost-effective. But it also consolidates service providers and attack surfaces in a way that potentially opens a clearer infiltration pathway for adversaries such as China.
“The more you centralize high-value data and workloads in the cloud, the more it becomes a target for adversaries,” she said. “These are things that if you successfully hack or attack identity and access management, you can get the keys to the kingdom.”
China remains the most sophisticated adversary the United States faces on that front, with espionage dominating its priorities and modus operandi far more than the infrastructure-targeted ransomware attacks favored by Russian cyberwarriors or the cryptocurrency thefts perpetrated by their North Korean counterparts.
“[Chinese] cyberoperations are conducted at a considerably greater scale and with a wider targeting scope compared to all other state-backed activity” that the cybersecurity firm Recorded Future tracks, said Jonathan Condra, the firm’s director of strategic and persistent threats. China’s relative absence from attacks that take down U.S. infrastructure should be seen as a matter of preference rather than inability, he added. “It is far more likely that these tools, the associated vulnerabilities, and the malware have been kept in reserve for use in the case of direct military confrontation.”
It’s not just government targets that Washington needs to be concerned about. Much of Chinese cyber-espionage has focused on stealing intellectual property from U.S. companies, particularly those in the critical technology space, and those efforts in particular may get a fillip from the numerous trade barriers—including on semiconductors and technology investment—that Washington is imposing on China.
“As the rift between the two countries grows and additional retaliatory punitive measures are enacted, the political and economic incentives for China to utilize cyber-espionage as a means of accessing key technologies for strategic sectors will increase,” Condra said. “China undoubtedly poses the most significant threat.”
Rishi Iyengar is a reporter at Foreign Policy. Twitter: @Iyengarish